DIY Web CMS Multiple Vulnerabilities

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : DIY Web CMS Multiple Vulnerabilities
# Published : 2011-02-22
# Author : p0pc0rn
# Previous Title : Comment Rating 2.9.23 Wordpress Plugin Multiple Vulnerabilities
# Next Title : ProQuiz 2.0.0b Arbitrary Upload Vulnerability

SQL and XSS in DIY Web CMS
found by : p0pc0rn 22/2/2011
web : http://www.mydiyweb.com.my
dork : intext:"powered by DiyWeb"

SQL - Microsoft JET Database Engine error
-----------------------------------------

http://site.com/template.asp?menuid=[SQL]
http://site.com/viewcatalog.asp?id=[SQL]
http://site.com/xxx.asp?id=[SQL]

XSS
---
http://site.com/diyweb/login.asp?msg=[XSS] -- login page