Word Directory Script 2.1 Cross Site Scripting / SQL Injection

2017.04.15
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89, CWE-79

################################################
#Title: Word Directory Script v 2.1 - Cross Site Scripting / SQL Injection
#Credit: Bilal KARDADOU
#Vendor: http://www.phponly.com/
#Vendor URL: http://www.phponly.com/words.html
#Product: Word Directory Script v 2.1
#Google Dork: N/A
################################################
#
# Product & Service Introduction:
#
# "Word Directory Script"
# The big difference between this directory and the others,
# is that this one has a user statistic where users can login and see how many hits their words have received.
# This word directory offers you better features than any other.
# Listings cannot be submitted until payment has been received.
#
# [POST Method] http://localhost/words/submitword.php
# Data: name=[SQL]Tebi&client_mail=demo%40demo.com[SQL]&url=http%3A%2F%2Fwww.google.com[SQL]&word=tebi&size=15[SQL]&is_bold=1&color=%230000FF&title=aaaaaa[SQL]&terms_accepted=1&buyword=
#
# PoC:
# http://prntscr.com/evwcwr
# http://prntscr.com/evwejp
#
# Bilal KARDADOU - https://www.linkedin.com/in/kardadou/
################################################
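For contrast with the request above, here is how a submitword.php-style handler would accept the same parameters safely (bound parameters against CWE-89, output escaping against CWE-79). This is example code added for this page, not the vendor's script; the `words` table, its column names and the `$pdo` connection are assumptions.

```php
<?php
// Added example (not the vendor's code): hardened handling of the submitword.php parameters.
// Assumes an existing PDO connection $pdo and a table `words`; column names are assumptions.

function validateSubmission(array $post): array
{
    $errors = [];
    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || strlen($name) > 64) { $errors[] = 'name'; }
    $mail = filter_var($post['client_mail'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($mail === false) { $errors[] = 'client_mail'; }
    $url = filter_var($post['url'] ?? '', FILTER_VALIDATE_URL);
    if ($url === false || !preg_match('#^https?://#i', $url)) { $errors[] = 'url'; }
    $word = trim((string)($post['word'] ?? ''));
    if (!preg_match('/^[\p{L}\p{N} _-]{1,64}$/u', $word)) { $errors[] = 'word'; }
    $size = filter_var($post['size'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 8, 'max_range' => 72]]);
    if ($size === false) { $errors[] = 'size'; }
    $isBold = (($post['is_bold'] ?? '0') === '1') ? 1 : 0;   // normalised to 0/1
    $color = (string)($post['color'] ?? '');
    if (!preg_match('/^#[0-9A-Fa-f]{6}$/', $color)) { $errors[] = 'color'; }
    $title = trim((string)($post['title'] ?? ''));
    if ($title === '' || strlen($title) > 128) { $errors[] = 'title'; }
    if (($post['terms_accepted'] ?? '') !== '1') { $errors[] = 'terms_accepted'; }
    $row = compact('name', 'mail', 'url', 'word', 'size', 'isBold', 'color', 'title');
    return [$errors, $row];   // a non-empty $errors means the request must be rejected
}

function storeSubmission(PDO $pdo, array $row): int
{
    // Every value is a bound parameter; nothing from the request is concatenated into SQL.
    $stmt = $pdo->prepare('INSERT INTO words (name, client_mail, url, word, size, is_bold, color, title)'
        . ' VALUES (:name, :mail, :url, :word, :size, :is_bold, :color, :title)');
    $stmt->execute([
        ':name' => $row['name'], ':mail' => $row['mail'], ':url' => $row['url'],
        ':word' => $row['word'], ':size' => $row['size'], ':is_bold' => $row['isBold'],
        ':color' => $row['color'], ':title' => $row['title'],
    ]);
    return (int)$pdo->lastInsertId();
}

// Output side: escape every stored field before it is placed into HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

[$errors, $row] = validateSubmission($_POST);
if ($errors !== []) { http_response_code(400); exit('Invalid fields: ' . h(implode(', ', $errors))); }
$id = storeSubmission($pdo, $row);
echo '<p>Stored word ' . h($row['word']) . ' with title ' . h($row['title']) . ' (id ' . $id . ')</p>';
```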


Copyright 2017, cxsecurity.com