PHP Scripts Mall Amazon Affiliate Store 2.1.6 allows Parameter Tampering of the payment amount [CVE-2019-9864]

Vulnerability Description => Parameter tampering is a form of Web-based attack in which certain parameters in the Uniform Resource Locator (URL) or Web page form field data entered by a user are changed without that user's authorization. In this case the tampered parameter is the payment amount that the checkout page sends to PayPal.

↡ ↡ ↡ ↡ How to Exploit ↡ ↡ ↡ ↡

1. Go to the Amazon Affiliate Store site (http://freelancewebdesignerchennai.com/demo/multivendor/)

2. Click on Register and register using your mail address and password

3. Come back to the Amazon Affiliate Store site and log in to your account

4. Go to the home page, select any product you want to buy (e.g. Modern Cellphone Camera) and click Add to Cart

5. Go to checkout and then click Proceed to Checkout

6. Fill in all billing details and select PayPal as the payment method

7. Make sure Burp Intercept is on, click Proceed to PayPal and capture the request

8. Find the amount value that you want to change

9. Change the amount value to 1 or anything you want and forward the request

10. Turn Burp Intercept off and continue to the PayPal payment gateway

11. Log in or create a new PayPal account and you will see that the amount has been changed
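A defender-side example, added here and not code from the Amazon Affiliate Store product: the server computes the order total from its own price list instead of trusting any amount posted by the browser, and on the PayPal notification it refuses to mark the order paid unless the amount actually paid matches the stored total. The catalog, merchant address, cart shape and the PayPal IPN field names used below (mc_gross, mc_currency, payment_status, receiver_email, txn_id) are assumptions for this illustration.

```php
<?php
// Added example, not the vendor's code. Mitigation for amount tampering of the
// kind described in CVE-2019-9864: the total is never taken from the client.
// Assumed: a server-side catalog, a merchant account, and PayPal IPN field names.

const MERCHANT_EMAIL = 'merchant@example.com'; // placeholder merchant PayPal account
const CURRENCY       = 'USD';

// Server-side price list (constructed sample data). Prices never come from the form.
$catalog = ['modern-cellphone-camera' => 199.00, 'usb-cable' => 9.50];

// Build the order total from the server-side cart; any "amount" POST field is ignored.
function build_order(array $catalog, array $cart): array {
    $total = 0.0;
    foreach ($cart as $sku => $qty) {
        if (!isset($catalog[$sku]) || (int)$qty < 1) {
            throw new InvalidArgumentException("unknown item or bad quantity: $sku");
        }
        $total += $catalog[$sku] * (int)$qty;
    }
    return ['id' => bin2hex(random_bytes(8)), 'total' => round($total, 2),
            'currency' => CURRENCY, 'status' => 'pending'];
}

// Called from the PayPal IPN handler after the message has been echoed back to
// PayPal and answered "VERIFIED": compare what was paid with the stored total.
function verify_payment(array $order, array $ipn): bool {
    if (($ipn['payment_status'] ?? '') !== 'Completed') return false;
    if (($ipn['receiver_email'] ?? '') !== MERCHANT_EMAIL) return false; // paid to us?
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) return false;
    // Compare as integer cents to avoid floating-point equality pitfalls.
    $paid = (int)round(((float)($ipn['mc_gross'] ?? 0)) * 100);
    return $paid === (int)round($order['total'] * 100);
}

// Constructed walk-through: the browser posted amount=1, but the server total is 199.00.
$order = build_order($catalog, ['modern-cellphone-camera' => 1]);
$tamperedIpn = ['payment_status' => 'Completed', 'receiver_email' => MERCHANT_EMAIL,
                'mc_currency' => 'USD', 'mc_gross' => '1.00', 'txn_id' => 'TXN-SAMPLE'];
// A 1.00 payment must not fulfil a 199.00 order: the order stays "pending".
var_dump(verify_payment($order, $tamperedIpn));
$goodIpn = $tamperedIpn;
$goodIpn['mc_gross'] = '199.00';
var_dump(verify_payment($order, $goodIpn));
```

The same comparison belongs in the PayPal return handler as well, since the IPN can arrive after the customer is redirected back; the order is only set to paid once both the gateway and the stored total agree.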