# Exploit Title: eSite cms login bypass
# Google Dork: intext::"Designed & Programmed by eSite" or inurl:"articlefull.php?id"
# Date: 15/8/2013
# Exploit Author: Al-mamon rasool abdali hussain
# Vendor Homepage: http://esite-iq.com/
# Version: All esite-iq.com script
# Tested on: linux
The vulnerability is in the login system, which only checks that a session variable exists before granting admin access.
The login code is as follows:
____________________________________
<?php
session_start();
// Only tests that the session key is non-empty; any session the server will load
// (e.g. one written by another site sharing the same session save path) passes this check.
if (! empty($_SESSION['auth_ebook_manager'])) {
die ("<meta http-equiv=\"refresh\" content=\"0; url='admincp.php'\">");
}
if (! isset($_POST['action'])) {
echo "<form action=\"log.php?do=login\" method=\"post\">
<center><p>Admin name : <input type=\"text\" name=\"ad\"></p>
<p>Admin Password : <input type=\"password\" name=\"pass\"></p>
<input type=\"hidden\" value=\"ok\" name=\"action\">
<input type=\"submit\" value=\"login\">
</center></form>";
}
else
{
include ("connection.php");
$admin = mysql_fetch_array(mysql_query("select * from addd where admin='$_POST[ad]'"));
if (! empty($admin['admin'])) {
$pass = md5(md5($_POST['pass']));
if ($pass == $admin['password']) {
$_SESSION['auth_ebook_manager'] = $admin['admin'];
echo "<center>Welcome $admin[admin]</center>
<meta http-equiv=\"refresh\" content=\"0; url='admincp.php'\">";
}
else
{
echo "<center>Error !</center>";
}
}
else
{
echo "<center>Error !</center>";
}
}
_____________________________
So a session can easily be created from another website hosted on the same server, using the exploit code:
1- First, upload the exploit file to any website hosted on the same server as the target.
2- Execute the exploit file and copy the session it generates for you.
3- Go to www.xxx.com/admincp.php and inject the session using any cookie editor, such as Tamper Data.
Now you will be logged in as admin.
# If the site's admin user name is not "admin", change the name in the exploit file.
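For the site owner, the fix is to stop trusting a session merely because it exists. The following is an added example written for this advisory, not eSite's code: it keeps this site's sessions in a private save path with their own cookie name (so a session file written by another vhost is never loaded), uses strict session-id mode, regenerates the id at login, binds the session contents to a per-installation secret with an HMAC, and re-checks the account in the database. It assumes a PDO handle `$pdo`, a `config.php` that defines `$SITE_SECRET` (a random value generated once per installation), a `sessions` directory outside the web root, and that stored passwords have been migrated to `password_hash()` from the md5(md5()) scheme shown above; the session key `auth_tag` and the cookie name are assumed names.

```php
<?php
// Added example (not the vendor's code): a hardened replacement for the admin session check.
declare(strict_types=1);

// 1. Keep this site's sessions out of the server-wide shared save path and give them a
//    site-specific cookie name, so a session created by another site on the same host
//    is never looked up by this application.
ini_set('session.save_path', __DIR__ . '/../private/sessions'); // assumed path; must exist, mode 0700
ini_set('session.use_strict_mode', '1');   // reject session ids this server never issued
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
session_name('ESITE_ADMIN_SID');           // assumed cookie name
session_start();

// $SITE_SECRET: 32+ random bytes, generated once per installation (assumed to live in config.php).
require __DIR__ . '/config.php';

// 2. Bind the session payload to this installation. A session that merely sets
//    auth_ebook_manager cannot carry a valid tag without the secret.
function session_tag(string $admin, string $secret): string
{
    return hash_hmac('sha256', 'auth_ebook_manager:' . $admin, $secret);
}

// Replacement for the login branch: parameterised query, password_verify(),
// new session id after the privilege change.
function login(PDO $pdo, string $user, string $pass, string $secret): bool
{
    $st = $pdo->prepare('SELECT admin, password FROM addd WHERE admin = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password'])) {
        return false;                      // same answer for unknown user and wrong password
    }
    session_regenerate_id(true);           // do not keep a pre-login (possibly planted) id
    $_SESSION['auth_ebook_manager'] = $row['admin'];
    $_SESSION['auth_tag'] = session_tag($row['admin'], $secret);
    return true;
}

// Replacement for the "! empty($_SESSION['auth_ebook_manager'])" test on admincp.php.
function is_admin_session(PDO $pdo, string $secret): bool
{
    $admin = $_SESSION['auth_ebook_manager'] ?? '';
    $tag   = $_SESSION['auth_tag'] ?? '';
    if ($admin === '' || !is_string($admin) || !is_string($tag)) {
        return false;
    }
    if (!hash_equals(session_tag($admin, $secret), $tag)) {
        return false;                      // missing or forged tag
    }
    // Confirm the account still exists rather than trusting the session alone.
    $st = $pdo->prepare('SELECT 1 FROM addd WHERE admin = ?');
    $st->execute([$admin]);
    return $st->fetchColumn() !== false;
}

// Usage at the top of admincp.php (assumed file layout):
// if (!is_admin_session($pdo, $SITE_SECRET)) { http_response_code(403); exit('Forbidden'); }
```

The HMAC tag is what defeats the scenario described in this advisory: even if another site on the host can write a session file that the PHP session handler will load, it cannot compute `auth_tag` without the installation's secret, and strict mode plus a private save path mean such a file is never consulted in the first place. Migrating the password column to `password_hash()` is a separate step and should be done by rehashing each admin on next successful login.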