Hello Guyz!
I hope You all will be Fine and Doing Good. I'm going to share an 0day and exploitation About SQLi and XSS .
Exploit Title: Vision Interactive - SQL Injection and Cross-Site Scripting
Google Dork: \!/ inurl:Powered by Vision<space>Interactive \!/
Tested ON: Windows/Linux
Detail:
Vulnerable code is in file fiche.php produits.php apeldetail.php *.php
The $_GET-Parameter 'id' isn't filtered then associate aggressor , can inject some malicious mysql-code.
Example: SQL Injection & Cross-Site Scripting
POC:
http://localhost/fiche.php?id=[SQL INJECTION] and [Cross-Site Scripting]
http://localhost/produits.php?id=[SQL INJECTION] and [Cross-Site Scripting]
http://localhost/apeldetail.php?id=[SQL INJECTION] and [Cross-Site Scripting]
http://localhost/fiche_actualite.php?id=[SQL INJECTION] and [Cross-Site Scripting]
http://localhost/reservation.php?id=[SQL INJECTION] and [Cross-Site Scripting]
Panel: /admin OR /auth.php
Demo:
Click Here
This Article Was written By Muhammad Adeel, He is a Security ReSearcher and Programmer of Python , Ruby , C++ , Html , And a Bit More Languages.
