PHP Scripts Mall Auction website script has Parameter Tampering: [CVE-2019-9063]


Vulnerability Description => Parameter tampering is a form of Web-based attack in which certain parameters in the Uniform Resource Locator (URL) or Web page form field data entered by a user are changed without that user’s authorization.




How to Exploit:

1. Go to the Auction website script site (http://198.38.86.159/~prasanth/products/auction/).

2. Click on Register and register using your username, mail address, and password.

3. Return to the Auction website script site and log in to your account.

4. Go to Advertising, then click any Buy Now option (e.g. Header).

5. Make sure that the Burp interceptor is on, then click Pay Now.

6. Find the value that you want to change (e.g. 30 dollars).

7. Change the amount value to 1.23 and forward the request.

8. Turn off the Burp interceptor and go to the payment gateway.

9. Click on "Create a new account" or log into your account; you can then see the money value changed to $1.23.
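The root cause behind the steps above is that the checkout trusts an amount field that the browser sends, so whatever the proxy forwards is what the gateway is asked to charge. The PHP below is an added example written for this page, not the Auction website script's own code; the `listings` table, the `checkoutAmount*` and `verifyGatewayAmount` function names, and the gateway callback field names are assumptions. It shows the vulnerable pattern next to a hardened handler that takes the price from the server-side catalogue, logs any client-supplied amount that disagrees with it as a tampering indicator, and re-checks the amount the payment gateway reports against the stored order.

```php
<?php
// Added example for CVE-2019-9063 style price tampering; not the product's code.
// Assumes a hypothetical `listings` table (id, price) behind a PDO connection.
declare(strict_types=1);

/**
 * Vulnerable pattern: the amount charged is whatever the client submitted.
 * Editing "amount" in an intercepting proxy changes the price paid.
 */
function checkoutAmountVulnerable(array $post): float
{
    return (float) ($post['amount'] ?? 0);
}

/**
 * Hardened pattern: the server derives the price from the listing id and
 * never reads a price from the request. A submitted amount that differs from
 * the catalogue price is logged for review, then ignored.
 */
function checkoutAmountHardened(PDO $pdo, array $post): float
{
    $listingId = filter_var($post['listing_id'] ?? null, FILTER_VALIDATE_INT);
    if ($listingId === false) {
        throw new InvalidArgumentException('listing_id missing or not an integer');
    }

    $stmt = $pdo->prepare('SELECT price FROM listings WHERE id = :id');
    $stmt->execute([':id' => $listingId]);
    $row = $stmt->fetchColumn();
    if ($row === false) {
        throw new RuntimeException('unknown listing');
    }
    $price = (float) $row;

    // Detection: the form should not carry a price at all. If one arrives and
    // does not match the catalogue, record the mismatch as a tampering indicator.
    if (isset($post['amount']) && abs((float) $post['amount'] - $price) > 0.005) {
        error_log(sprintf(
            'price tampering indicator: listing=%d submitted=%s expected=%.2f ip=%s',
            $listingId,
            (string) $post['amount'],
            $price,
            $_SERVER['REMOTE_ADDR'] ?? 'n/a'
        ));
    }
    return $price;
}

/**
 * Second line of defence: when the gateway reports a completed payment,
 * compare the paid amount with the order stored server-side before fulfilling.
 * $order and $callback field names are assumptions for this example.
 */
function verifyGatewayAmount(array $order, array $callback): bool
{
    $paid = (float) ($callback['amount'] ?? 0);
    $sameCurrency = ($callback['currency'] ?? '') === $order['currency'];
    return $sameCurrency && abs($paid - (float) $order['total']) <= 0.005;
}

// Demo with an in-memory SQLite catalogue (constructed sample data).
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE listings (id INTEGER PRIMARY KEY, price REAL NOT NULL)');
$pdo->exec('INSERT INTO listings (id, price) VALUES (7, 30.00)');

// A request in which the amount field was rewritten on the way to the server.
$tamperedPost = ['listing_id' => '7', 'amount' => '1.23'];

printf("vulnerable handler charges: %.2f\n", checkoutAmountVulnerable($tamperedPost));
printf("hardened handler charges:   %.2f\n", checkoutAmountHardened($pdo, $tamperedPost));

// Gateway callback for the stored order; a mismatched amount must not fulfil it.
$order = ['total' => 30.00, 'currency' => 'USD'];
$badCallback = ['amount' => '1.23', 'currency' => 'USD'];
$goodCallback = ['amount' => '30.00', 'currency' => 'USD'];
printf("callback 1.23 accepted:  %s\n", verifyGatewayAmount($order, $badCallback) ? 'yes' : 'no');
printf("callback 30.00 accepted: %s\n", verifyGatewayAmount($order, $goodCallback) ? 'yes' : 'no');
```

The hardened handler keeps the client-supplied field only for logging: a mismatch is a useful signal to alert on, but the price itself always comes from the catalogue. The gateway-side check matters because, as step 9 shows, the gateway will otherwise happily bill whatever it was handed; fulfilment should depend on the paid amount matching the stored order, not on the gateway reporting "success".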
