Home of Ethical WhiteHat CyberArmy
Would you like to react to this message? Create an account in a few clicks or log in to continue.


Home of WhiteHat CyberArmy
 
HomeLatest imagesSearchRegisterLog in

Home of Ethical WhiteHat CyberArmy :: WhiteHat CyberArmy Community :: Hacking & Security Tutorials
 

 VoltEdit CMS SQL Injection Admin Login Bypass & Shell Upload Vulnerability

Go down 
AuthorMessage
W-P
Admin
W-P


Posts : 80
Join date : 2013-11-12
Age : 38
Location : Cyber World

VoltEdit CMS SQL Injection Admin Login Bypass & Shell Upload Vulnerability Empty
PostSubject: VoltEdit CMS SQL Injection Admin Login Bypass & Shell Upload Vulnerability   VoltEdit CMS SQL Injection Admin Login Bypass & Shell Upload Vulnerability EmptyTue Nov 12, 2013 12:23 pm
================================================================================​==========
VoltEdit CMS SQL Injection Admin Login Bypass & Shell Upload Vulnerability
================================================================================​==========

:----------------------------------------------------------------------------------------------------------------------------------------:
: # Exploit Title : VoltEdit CMS SQL Injection Admin Login Bypass & Shell Upload Vulnerability
: # Date : 18 August 2013
: # Author : X-Cisadane
: # CMS Developer : [You must be registered and logged in to see this link.]
: # Version : ALL
: # Category : Web Applications
: # Vulnerability : SQL Injection Admin Login Bypass & Shell Upload Vulnerability
: # Tested On : Version 26.0.1410.64 m (Windows XP SP 3 32-Bit English)
: # Greetz to : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club, Jabar Cyber, Winda Utari
:----------------------------------------------------------------------------------------------------------------------------------------:

A multiple vulnerabilities has been identified in "VoltEdit CMS", which could be exploited by attackers to bypass security restrictions into
admin panel. Login input is not well sanitized in admin.php which can lead to to include some specials chars used to change SQL syntax so we
can gain admin access. Successful exploitations allows attacker to access into administrative functions without requiring knowledge of the
password. An attackers while login as admin, may upload PHP Shell (Backdoor) use the document uploader feature.

DORKS (How to find the target) :
================================
intext:VoltEdit cms
inurl:/doing_business_here.php
inurl:/map_room.php
inurl:/colleges_universities.php
Or use your own Google Dorks Smile

Proof of Concept
================

[ 1 ] SQL Injection Admin Login Bypass
Find the target use the dorks above, for example I'm use this dork inurl:/doing_business_here.php
and got the target [You must be registered and logged in to see this link.]
Change the target URL to /admin.php, for example [You must be registered and logged in to see this link.]
After login form appeared, fill the Login ID and Password with '=0#
Gotcha! Pic : [You must be registered and logged in to see this link.]

[ 2 ] Uploading Shell / PHP Backdoor
After login with Administrator Previllege, you can upload PHP Shell
Click Documents menu & Click Choose File
Upload your PHP Shell
Go to [You must be registered and logged in to see this link.] Shell.php


Example of the Vulnerable Sites :
[You must be registered and logged in to see this link.]
Back to top Go down
https://whitehatcyberarmy.forumotion.com
 
VoltEdit CMS SQL Injection Admin Login Bypass & Shell Upload Vulnerability
Back to top 
Page 1 of 1

Permissions in this forum:You cannot reply to topics in this forum
Home of Ethical WhiteHat CyberArmy :: WhiteHat CyberArmy Community :: Hacking & Security Tutorials-
Jump to: