DigitKart Multivendor Digital Products Marketplace v8.0 WebShell Upload & Stored XSS Injection

2019.04.20
QUIXSS (RU)
Risk: Medium
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

[+] :: Title: DigitKart Multivendor Digital Products Marketplace v8.0 WebShell Upload & Stored XSS Injection
[+] :: Author: QUIXSS
[+] :: Date: 2019-04-19
[+] :: Software: DigitKart Multivendor Digital Products Marketplace v8.0

[+] :: Technical Details & Description:
# Weak security measures, namely poor filtering of input field data and no restriction on uploading .PHP5/.PHP7 files, were discovered in the «DigitKart Multivendor Digital Products Marketplace». The current version of this web application is 8.0.
# Both PoCs below require an authenticated administrator session; on the demo site the default admin/admin credentials provide it.

[+] :: Demo Website:
# https://codecanyon.net/item/digitkart-multivendor-digital-products-marketplace/22741024 [ ! Market Price: $109 ! ]
# Frontend: http://fluxkart.com/digitkart
# Backend: http://fluxkart.com/digitkart/login
# Login: admin, Password: admin

[+] :: Special Note:
# The author of this web application was warned twice about the weak security measures. Nothing has changed.

[+] :: PoC Upload:
# http://fluxkart.com/digitkart/local/images/media/15556222204009.php
# http://fluxkart.com/digitkart/local/app/Http/Controllers/SystemController.php?cmd=ls%20-la

[+] :: PoC #1 [WebShell Upload]:
# Log in to the demo website: http://fluxkart.com/digitkart/login (login and password are both admin). Then go to the settings page: http://fluxkart.com/digitkart/admin/settings
# There are 4 vulnerable file upload fields on the «General Settings» page: «Logo», «Static Banner», «Upload Watermark Image» and «Animated Gif Image». You can upload any .PHP file you want; just change the extension from .PHP to .PHP7 (only .PHP is blocked, and the server runs PHP 7.x, so a .PHP7 file is still executed).
# The next step is to submit the form, but by default the author disabled the submit button with a special class and the «disabled» attribute. This is a client-side control only and is easy to bypass: «inspect» the button in the Developer Console, edit it as HTML, delete the class «btndisable», then change the type attribute from «button» to «submit». When you are done, the button should read: <button type="submit" class="btn btn-success">Submit</button>. That's it!
# Submit the form and your uploaded .PHP7 file will be at: http://fluxkart.com/digitkart/local/images/media/XXXXX.php7 (or «inspect» the broken image to get the link).

[+] :: PoC #2 [Stored XSS Injection]:
# Log in to the demo website: http://fluxkart.com/digitkart/login (login and password are both admin). Then go to the settings page: http://fluxkart.com/digitkart/admin/settings
# Almost every input field on this page is vulnerable to Stored XSS Injection: the values are saved without filtering and rendered back into the page.
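The following Python example is added here to illustrate the root cause of PoC #1 and the server-side fix a practitioner would want: a deny-list that refuses only the literal ".php" suffix is bypassed by ".php7" (and by ".PHP"), whereas an allow-list of image extensions plus a check of the file's leading bytes rejects the renamed web shell. This is example code, not DigitKart's own upload handling; the allow-list policy, the function names and the sample payloads are assumptions made for the illustration.

```python
"""Upload checks illustrating the .php -> .php7 bypass from PoC #1 and an
allow-list replacement. Example code, not part of DigitKart; policy, names
and sample inputs are assumptions."""
import os
import secrets

# Assumed shape of the weak check: only the literal ".php" suffix is refused.
PHP_DENYLIST = {".php"}


def weak_is_allowed(filename: str) -> bool:
    """Deny-list check; bypassed by .php7/.php5/.phtml and by case (.PHP)."""
    _, ext = os.path.splitext(filename)
    return ext not in PHP_DENYLIST


# Hardened policy: image extensions only, compared case-insensitively.
# Every dotted suffix in the name must be allowed, so "shell.php7.png" and
# "shell.php.jpg" are rejected along with "shell.php7".
IMAGE_ALLOWLIST = {"png", "jpg", "jpeg", "gif", "webp"}


def strong_is_allowed(filename: str) -> bool:
    """Allow-list check on the client-supplied name (path components stripped)."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return all(p in IMAGE_ALLOWLIST for p in parts[1:])


def looks_like_image(data: bytes) -> bool:
    """Reject content that is not an image even when the name passed
    (for example '<?php ...' uploaded as logo.png). Signatures are the
    public file magic for PNG, JPEG, GIF and WebP."""
    if data.startswith(b"RIFF") and data[8:12] == b"WEBP":
        return True
    signatures = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")
    return any(data.startswith(sig) for sig in signatures)


def stored_name(filename: str) -> str:
    """Never reuse the client name: random stem plus the validated extension."""
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Server-side decision for a settings-page image field such as
    Logo or Static Banner. Returns (accepted, reason-or-stored-name)."""
    if not strong_is_allowed(filename):
        return False, "extension not in image allow-list"
    if not looks_like_image(data):
        return False, "content is not an image"
    return True, stored_name(filename)


if __name__ == "__main__":
    # Constructed sample inputs: a PHP web shell renamed as in the PoC,
    # and a minimal PNG header.
    shell = b"<?php system($_GET['cmd']); ?>"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("deny-list allows shell.php7:", weak_is_allowed("shell.php7"))
    print("allow-list allows shell.php7:", strong_is_allowed("shell.php7"))
    print("shell.php7 ->", validate_upload("shell.php7", shell))
    print("shell as logo.png ->", validate_upload("logo.png", shell))
    print("real PNG accepted:", validate_upload("logo.PNG", png)[0])
```

The disabled submit button described in the PoC is not reproduced here because it is irrelevant to the server: a request that bypasses it is indistinguishable from a normal submission, so only the checks above decide whether the file is stored.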

References:

https://codecanyon.net/item/digitkart-multivendor-digital-products-marketplace/22741024



Copyright 2024, cxsecurity.com
