|
Opencosmo Security=0D
www.opencosmo.com=0D
=0D
########################## WwW.BugReport.ir ###########################################=0D
#=0D
# BugReport Security Research & Penetration Testing Group=0D
#=0D
# Title: [Sky Portal] Multiple SQL Injection Vulnerabilities=0D
# Vendor: http://skyportal.net=0D
# Exploitation: Remote with browser=0D
# Fix Available: Patched In Last Version In Vendor=0D
#######################################################################################=0D
# Leaders : Shahin Ramezany & Sorush Dalili=0D
# Team Members: Alireza Hasani ,Amir Hossein Khonakdar, Hamid Farhadi=0D
# Security Site: WwW.BugReport.ir - WwW.AmnPardaz.Com=0D
# Country: Iran=0D
# Contact : admin@bugreport.ir=0D
######################## Bug Description ###########################=0D
=0D
Description:=0D
--------------------=0D
A Lot Of Sql Injection Found And We Exploit One Of them=0D
A Registered User Can Change His/Her Name And Read All Other's Private Messages.=0D
=0D
Vulnerabilities:=0D
--------------------=0D
+--> Multiple SQL Injection Vulnerabilities=0D
=0D
nc_top.asp Line 59 =0D
strDBNTFUserName = Mitoone injection bezane be functione line 60 iani isMbr() >>> test.htm but !??! this function is very crazy!=0D
--------------------------=0D
user can delete all bookmarks=0D
inc_bookmarks.asp line 179=0D
delSQL = "DELETE FROM "& strTablePrefix & "BOOKMARKS WHERE BOOKMARK_ID = " & delBkmk(ib)=0D
=0D
this file use from cp_main.asp=0D
---------------------------=0D
=0D
inc_profile_functions.asp=0D
line 568,570,572,573=0D
=0D
---------------------------=0D
=0D
user can delete all SUBSCRIPTIONS>=0D
inc_SUBSCRIPTIONS.asp line 163=0D
delSQL = "DELETE FROM "& strTablePrefix & "SUBSCRIPTIONS WHERE SUBSCRIPTION_ID = " & delBkmk(ib)=0D
executeThis(delSQL)=0D
this file use from cp_main.asp=0D
=0D
=0D
-------------------------- Html Exploit ------------------------------=0D
=0D
=0D
=0D
Credit:=0D
--------------------=0D
BugReport Security Research & Penetration Testing Group=0D
WwW.BugReport.ir