eSite CMS login bypass

2013.08.19
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: eSite CMS login bypass
# Google Dork: intext:"Designed & Programmed by eSite" or inurl:"articlefull.php?id"
# Date: 15/8/2013
# Exploit Author: Al-mamon rasool abdali hussain
# Vendor Homepage: http://esite-iq.com/
# Version: All esite-iq.com scripts
# Tested on: Linux

The vulnerability is in the login system, which only checks that a session value exists. The login code is this:

____________________________________
<?php
session_start();
// Any non-empty value in this session key is treated as an authenticated admin
if (! empty($_SESSION['auth_ebook_manager'])) {
    die ("<meta http-equiv=\"refresh\" content=\"0; url='admincp.php'\">");
}
if (! isset($_POST['action'])) {
    echo "<form action=\"log.php?do=login\" method=\"post\">
    <center><p>Admin name : <input type=\"text\" name=\"ad\"></p>
    <p>Admin Password : <input type=\"password\" name=\"pass\"></p>
    <input type=\"hidden\" value=\"ok\" name=\"action\">
    <input type=\"submit\" value=\"login\">
    </center></form>";
} else {
    include ("connection.php");
    $admin = mysql_fetch_array(mysql_query("select * from addd where admin='$_POST[ad]'"));
    if (! empty($admin['admin'])) {
        $pass = md5(md5($_POST['pass']));
        if ($pass == $admin['password']) {
            $_SESSION['auth_ebook_manager'] = $admin['admin'];
            echo "<center>Welcome $admin[admin]</center>
            <meta http-equiv=\"refresh\" content=\"0; url='admincp.php'\">";
        } else {
            echo "<center>Error !</center>";
        }
    } else {
        echo "<center>Error !</center>";
    }
}
_____________________________

So we can easily create a session from another website hosted on the same server, using the exploit code:

1- First, upload the exploit file to any website on the same server that hosts the target.
2- Execute the exploit file and copy the session that it generates for you.
3- Go to www.xxx.com/admincp.php and inject the session using any injector, such as Tamper Data. You will now be logged in as admin.

# If the website's admin user name is not "admin", you must change the name in the exploit file.
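A hardened replacement for the login check above, written here as an added example (it is not the advisory's or eSite's code): it moves the session store to a site-private directory so a neighbouring site on the same host cannot plant a session file, binds the session to a per-site secret, regenerates the ID on login, and replaces the interpolated query with a prepared statement. It assumes connection.php exposes a PDO object $pdo, that the `password` column holds password_hash() output rather than md5(md5()), and that SITE_SECRET is loaded from configuration.

```php
<?php
// Added example, not the original log.php. Session files go under a directory owned
// by this site only, instead of the default path shared by every site on the server.
session_save_path(__DIR__ . '/sessions');
ini_set('session.use_strict_mode', '1');   // reject IDs the save handler has no record of
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();

// Assumed to come from configuration; placeholder value only
define('SITE_SECRET', 'CHANGE-ME-PER-DEPLOYMENT');

// A session is only trusted if it carries a tag that cannot be forged without SITE_SECRET,
// so a session file planted from elsewhere (with a bare auth_ebook_manager value) fails here.
function session_is_admin(): bool {
    if (empty($_SESSION['auth_ebook_manager']) || empty($_SESSION['site_tag'])) {
        return false;
    }
    $expected = hash_hmac('sha256', $_SESSION['auth_ebook_manager'], SITE_SECRET);
    return hash_equals($expected, $_SESSION['site_tag']);   // constant-time compare
}

if (session_is_admin()) {
    header('Location: admincp.php');
    exit;
}

if (! isset($_POST['action'], $_POST['ad'], $_POST['pass'])) {
    echo '<form action="log.php?do=login" method="post">'
       . '<p>Admin name : <input type="text" name="ad"></p>'
       . '<p>Admin Password : <input type="password" name="pass"></p>'
       . '<input type="hidden" value="ok" name="action"><input type="submit" value="login">'
       . '</form>';
    exit;
}

require 'connection.php';   // assumed to define $pdo (PDO)
$st = $pdo->prepare('SELECT admin, password FROM addd WHERE admin = ?');   // no interpolation
$st->execute([$_POST['ad']]);
$admin = $st->fetch(PDO::FETCH_ASSOC);

if ($admin && password_verify($_POST['pass'], $admin['password'])) {
    session_regenerate_id(true);   // new ID on privilege change; old ID's file is destroyed
    $_SESSION['auth_ebook_manager'] = $admin['admin'];
    $_SESSION['site_tag'] = hash_hmac('sha256', $admin['admin'], SITE_SECRET);
    header('Location: admincp.php');
    exit;
}
echo '<center>Error !</center>';   // same message whether the user or the password was wrong
```

admincp.php should gate on the same session_is_admin() check rather than on empty($_SESSION['auth_ebook_manager']), and the sessions directory needs to be writable by the web server user and unreadable by other accounts on the host.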

References:

http://esite-iq.com/

