Video Community portal - SQL Injection / Cross-Site Scripting

EDB-ID:

13970




Platform:

PHP

Date:

2010-06-22


1               ##########################################             1
0               I'm L0rd CrusAd3r member from Inj3ct0r Team            1
1               ##########################################             0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=1
Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
Exploit Title:Video Community portal SQLi and XSS Vulnerable
Vendor url:http://www.2daybiz.com/
Version:1
Price:120$
Published: 2010-06-22
Greetz to:r0073r (inj3ct0r.com), Sid3^effects, MaYur, MA1201, M4n0j, Sonic Bluehat.
Special Greetz: Topsecure.net, inj3ct0r Team , Andhrahackers.com
Shoutzz:- To all ICW members.
~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~
Description:

2daybiz Video Community portal is the ultimate solution for starting your video sharing and uploading community similar to YouTube, Daily Motion and Myspace Videos. This enterprise level video sharing software offers a powerful and rich featured solution. In this software members can upload videos, rate videos, tag videos, leave comments, edit uploaded videos, title and description set video as public/private, video play list, create channels, groups and favorite videos. 

~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~
Vulnerability:

*SQLi Vulnerable

DEMO URL:

http://www.site.com/products/videocommunity/video.php?videoid=[sqli]

*XSS Vulnerable

Parameter:'"--><script>alert(0x000872)</script>

DEMO URL:

http://www.site.com/products/videocommunity/video.php?videoid=[xss]

# 0day n0 m0re #
# L0rd CrusAd3r #