SkyPortal vRC6 Multiple Remote Vulnerabilities






Opencosmo Security
www.opencosmo.com

########################## WwW.BugReport.ir ###########################################
#
#      BugReport Security Research & Penetration Testing Group
#
# Title: [Sky Portal] Multiple SQL Injection Vulnerabilities
# Vendor: http://skyportal.net
# Exploitation: Remote with browser
# Fix Available: Patched In Last Version In Vendor
#######################################################################################
# Leaders : Shahin Ramezany & Sorush Dalili
# Team Members: Alireza Hasani, Amir Hossein Khonakdar, Hamid Farhadi
# Security Site: WwW.BugReport.ir - WwW.AmnPardaz.Com
# Country: Iran
# Contact : admin@bugreport.ir
######################## Bug Description ###########################

Description:
--------------------
Many SQL injection flaws were found, and we exploited one of them.
A registered user can change his/her name and read all other users' private messages.

Vulnerabilities:
--------------------
+--> Multiple SQL Injection Vulnerabilities

nc_top.asp Line 59
strDBNTFUserName = can be used to inject into the function on line 60, i.e. isMbr() >>> test.htm, but !??! this function is very crazy!
--------------------------
A user can delete all bookmarks
inc_bookmarks.asp line 179
delSQL = "DELETE FROM "& strTablePrefix & "BOOKMARKS WHERE BOOKMARK_ID = " & delBkmk(ib)

This file is used from cp_main.asp
---------------------------

inc_profile_functions.asp
line 568,570,572,573

---------------------------

A user can delete all SUBSCRIPTIONS
inc_SUBSCRIPTIONS.asp line 163
delSQL = "DELETE FROM "& strTablePrefix & "SUBSCRIPTIONS WHERE SUBSCRIPTION_ID = " & delBkmk(ib)
executeThis(delSQL)
This file is used from cp_main.asp
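
The two delSQL lines above share one pattern: a request value is concatenated into a DELETE statement. The following added example (not part of the original advisory or of SkyPortal's code) models that pattern in Python with sqlite3 instead of ASP, next to a bound-parameter version. The table prefix value, the MEMBER_ID owner column and the sample rows are assumptions constructed for the illustration.

```python
import sqlite3

TABLE_PREFIX = "PORTAL_"  # stands in for strTablePrefix (constructed value)

def make_db():
    """Constructed sample data: three bookmarks owned by two members."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {TABLE_PREFIX}BOOKMARKS "
               "(BOOKMARK_ID INTEGER PRIMARY KEY, MEMBER_ID INTEGER, URL TEXT)")
    db.executemany(f"INSERT INTO {TABLE_PREFIX}BOOKMARKS VALUES (?, ?, ?)",
                   [(1, 10, "a"), (2, 10, "b"), (3, 20, "c")])
    return db

def remaining(db):
    return db.execute(f"SELECT COUNT(*) FROM {TABLE_PREFIX}BOOKMARKS").fetchone()[0]

def delete_concat(db, raw_id):
    """Same shape as the advisory's delSQL line: the value is pasted into the SQL text."""
    sql = f"DELETE FROM {TABLE_PREFIX}BOOKMARKS WHERE BOOKMARK_ID = " + raw_id
    db.execute(sql)

def delete_bound(db, raw_id, member_id):
    """Hardened form: strict integer check, bound parameters, owner scoping."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("BOOKMARK_ID must be a decimal integer")
    cur = db.execute(
        f"DELETE FROM {TABLE_PREFIX}BOOKMARKS WHERE BOOKMARK_ID = ? AND MEMBER_ID = ?",
        (int(raw_id), member_id))
    return cur.rowcount  # number of rows actually deleted

def demo():
    hostile = "0 OR 1=1"  # constructed non-numeric form value
    db = make_db()
    delete_concat(db, hostile)
    after_concat = remaining(db)  # every member's rows are gone

    db = make_db()
    try:
        delete_bound(db, hostile, member_id=10)
        rejected = False
    except ValueError:
        rejected = True
    foreign = delete_bound(db, "3", member_id=10)  # row 3 belongs to member 20
    own = delete_bound(db, "1", member_id=10)
    return after_concat, rejected, foreign, own, remaining(db)

if __name__ == "__main__":
    print(demo())
```

The same three controls (integer validation, parameter binding, ownership check in the WHERE clause) apply to the SUBSCRIPTIONS delete.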

-------------------------- Html Exploit ------------------------------

action="http://[VICTIM URL]/cp_main.asp?mode=EditIt&cmd=9" method="post">
Photo_URL:
Avatar_URL[injection goes here]:
LINK1[Also injection goes here]:
LINK2[Also injection goes here]:
Password:
Email: value="admin@bugreport.ir" />
Name:
RECMAIL:
HideMail:

Credit:
--------------------
BugReport Security Research & Penetration Testing Group
WwW.BugReport.ir

