
Thursday, March 31, 2016

[FD] Dorsa Web CMS - Multiple SQL Injection Vulnerabilities

Document Title:
===============
Dorsa Web CMS - Multiple SQL Injection Vulnerabilities

References (Source):
====================
http://ift.tt/1MDvAis

Release Date:
=============
2016-03-31

Vulnerability Laboratory ID (VL-ID):
====================================
1807

Common Vulnerability Scoring System:
====================================
7

Product & Service Introduction:
===============================
No information available, website is offline.
http://www.dorsa-web.ir

Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory researcher discovered multiple SQL injection web vulnerabilities in the Dorsa Web Content Management System.

Vulnerability Disclosure Timeline:
==================================
2016-03-31: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
A remote SQL injection web vulnerability has been discovered in the official Dorsa Web CMS web-application (2016 Q1). The vulnerability allows remote attackers to execute their own SQL commands to compromise the web-application or the connected DBMS.

The vulnerabilities are located in the `id_news` and `id_sub_cat` values of the `more.php` and `news_continue.php` files. Remote attackers are able to execute SQL commands by injecting malicious statements via GET method requests. The vulnerability is located on the application side and the request method to inject/execute is GET. The security vulnerability is a classic ORDER BY SQL injection bug.

The security risk of the SQL injection vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 7.4. Exploitation of the remote SQL injection web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the remote SQL injection results in database management system, web-server and web-application compromise.

Request Method(s):
[+] GET

Vulnerable File(s):
[+] more.php
[+] news_continue.php

Vulnerable Parameter(s):
[+] id_news
[+] id_sub_cat

Proof of Concept (PoC):
=======================
The remote SQL injection web vulnerabilities can be exploited by remote attackers without a privileged web-application user account or user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

Dork(s):
inurl:more.php?id_news= intext:"Design by DORSA WEB"
inurl:news_continue.php?id_news= intext:"Design by DORSA WEB"

PoC: Exploitation
http://localhost:8080/news_continue.php?id_news=36[SQL INJECTION VULNERABILITY!
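The advisory describes the root cause only in outline: a numeric GET parameter (`id_news`, `id_sub_cat`) reaching the SQL query unchanged. The following Python example is added here to show that pattern and its fix side by side; it is not Dorsa Web CMS code (the product is PHP and its schema is not on the page), and the `news` table, column names, sample rows and function names are all assumptions constructed for the demonstration. It also includes a small access-log check that flags non-numeric values for these two parameters, the kind of rule a defender would run over web-server logs while the fix is rolled out.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed in-memory stand-in for a CMS news table (assumption: the real
# Dorsa Web schema is not published on the page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE news (id_news INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(35, "Old story", 1), (36, "Public story", 1), (37, "Unpublished draft", 0)],
    )
    return conn


def fetch_news_vulnerable(conn, id_news):
    # Vulnerable pattern: the raw GET value is concatenated into the statement,
    # so anything after the number becomes SQL. Note that the published=1
    # filter is silently bypassed when the injected text appends an OR clause.
    sql = (
        "SELECT id_news, title FROM news WHERE published = 1 AND id_news = "
        + id_news
    )
    return conn.execute(sql).fetchall()


def parse_id(raw):
    # Validation: the identifier must be a plain ASCII non-negative integer.
    # str.isdigit() is deliberately not used because it accepts Unicode digits.
    if not re.fullmatch(r"[0-9]+", raw):
        raise ValueError("id parameter must be a non-negative integer")
    return int(raw)


def fetch_news_hardened(conn, id_news):
    # Hardened pattern: validate the type first, then bind it as a parameter so
    # the database never interprets the value as SQL.
    sql = "SELECT id_news, title FROM news WHERE published = 1 AND id_news = ?"
    return conn.execute(sql, (parse_id(id_news),)).fetchall()


def hardened_rejects(conn, raw):
    # Helper for callers/tests: True when the hardened path refuses the input.
    try:
        fetch_news_hardened(conn, raw)
    except ValueError:
        return True
    return False


# Detection helper for access logs: report which of the advisory's two
# parameters carry a value that is not a plain integer. Applies the same
# validation rule as parse_id() to a URL query string.
ID_PARAMS = ("id_news", "id_sub_cat")


def suspicious_id_params(query_string):
    params = parse_qs(query_string)  # percent-decodes values such as %20 and %3D
    flagged = []
    for name in ID_PARAMS:
        for value in params.get(name, []):
            if not re.fullmatch(r"[0-9]+", value):
                flagged.append(name)
                break
    return flagged


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, clean input:   ", fetch_news_vulnerable(db, "36"))
    print("vulnerable, tampered input:", fetch_news_vulnerable(db, "36 OR 1=1"))
    print("hardened, clean input:     ", fetch_news_hardened(db, "36"))
    print("hardened rejects tampered: ", hardened_rejects(db, "36 OR 1=1"))
    print("log check:", suspicious_id_params("id_news=36%20OR%201%3D1&id_sub_cat=4"))
```

Run as a script to see the vulnerable query return the unpublished row once the filter is bypassed, while the hardened version returns only the requested row and refuses anything that is not an integer. The log check is intentionally strict: any non-integer value for these parameters is worth a look, since legitimate requests to these pages carry only numbers.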
