Title:
======
Free Monthly Websites v2.0 - Multiple Web Vulnerabilities


Date:
=====
2013-02-04


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=851


VL-ID:
=====
851


Common Vulnerability Scoring System:
====================================
8.5

Introduction:
=============
Free Monthly Websites 2.0 is here and you no longer have to worry about editing complicated HTML code as we have
taken care of that for you, and you no longer have to worry about anything to do with website design as we have taken
care of that for you too, adding your Google AdSense Publisher code, taken care of, ClickBank! All done for you,
here's how it works. Upload Your Site To Your Domain (this can be done for you). Login To Your Admin Control Panel.
Personalize Your Website (takes just 5 minutes).

(Copy of the Vendor Homepage: http://www.freemonthlywebsites2.com/ )

Abstract:
=========
The independent Vulnerability Laboratory researcher (x-Cisadane) discovered multiple web vulnerabilities in the Free Monthly Websites v2.0 CMS.


Report-Timeline:
================
2013-02-04: Public Disclosure


Status:
========
Published


Exploitation-Technique:
=======================
Defensiv


Severity:
=========
Critical

Details:
========
Multiple web vulnerabilities are detected in the Free Monthly Websites v2.0 Content Management System.
The first vulnerability allows attackers to bypass the web application's authentication on the admin login.
The second vulnerability allows an attacker to upload files such as web shells and to access them after upload via unauthorized web access.

Vulnerable Module(s):
[+] Login Auth (Admin) - Bypass
[+] Upload File - Unauthorized File Upload & Access

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers without required user interaction or a privileged application user account.
For demonstration or to reproduce ...

Dork(s):
inurl:/index_ebay.php
"Powered by: Resell Rights Fortune"
"Generating Traffic to Your Site with Keyword Based Articles"
Powered By: Free Monthly Websites 2.0

[ 1 ] Admin Login Bypass

Vulnerable page http://target.com/[path]/admin/index.php
Line
40 <form name="frm" action="file_io.php" method="post" onSubmit="return chk()">
41 <input type="hidden" name="do_type" value="admin_settings_read">

Vulnerable page http://target.com/[path]/admin/login.php
Line
40 <form name="frm" action="file_io.php" method="post" onSubmit="return chk()">
41 <input type="hidden" name="do_type" value="admin_settings_read">

Vulnerable page http://target.com/[path]/admin/file_io.php

Line
14 if($_REQUEST[do_type]=="admin_settings_read")
15 {
16 $filename="settings/admin_settings.txt";
17
18 if(!$handle = fopen($filename, 'r'))
19 {
20 echo "Cannot open file ($filename)";
21 exit;
22 }
23 $contents = fread($handle, filesize($filename));
24 fclose($handle);
25 $argument_arr=explode("#_1_#",$contents);
26
27 if($argument_arr[0]==$_REQUEST[username] && $argument_arr[1]==$_REQUEST[pass])
28 {
29 $_SESSION[logged_in]=true;
30 header("location:welcome.php");

From line 16 we know that the admin username and password are stored in admin_settings.txt, NOT in a database!
So when we log in to the admin panel, file_io.php reads the valid username and password from admin_settings.txt.
If you access the file admin_settings.txt directly, the result is

403 Permission Denied
You do not have permission for this request /admin/settings/admin_settings.txt
Picture: http://i48.tinypic.com/2gvlwt4.png


So... how to bypass the Admin Login Page?
1st. Open the Admin Login Page: http://target.com/[path]/admin/index.php

2nd. Inspect Element on the login form.
Picture: http://i47.tinypic.com/2r5ddp1.png

3rd. Change from
<form name="frm" action="file_io.php" method="post" onsubmit="return chk()"></form>
<input type="hidden" name="do_type" value="admin_settings_read">

CHANGE TO
<form name="frm" action="file_io.php" method="post" onsubmit="return chk()"></form>
<input type="text" name="do_type" value="admin_settings_write">
Then press ENTER (please see pic).
Pic: http://i49.tinypic.com/351z3ib.png

4th. You will see a Login Failed page: >> You need to login in to access that page <<
Picture: http://i50.tinypic.com/33ws8jb.png
Never mind about that, just click the 'Login' button and VOILA, you get Admin Access!
Picture: http://i45.tinypic.com/jzwpea.png
----------------------------------------
[ 2 ] Upload PHP Backdoor or PHP Shell

This vulnerability works on the PREMIUM VERSION of Free Monthly Websites 2.0

So... how to upload a backdoor (PHP shell)?

1st. Go to the Add/Remove Navigation Page.
http://target.com/[path]/admin/add_main_pages.php

2nd. Enter a Name For Your New Navigation Page That You Wish To Add: dwi.php
And click Add New Navigation Page.
Picture: http://i45.tinypic.com/vigzsp.png

3rd. Still on the same page, scroll down until you see this section: Sort Your Page Buttons/Links.
Pic: http://i46.tinypic.com/1040oxg.png
Change FROM dwi.php.html TO /dwi.php, then click Sort Navigation Pages.
Picture: http://i49.tinypic.com/24ec1l0.jpg

4th. Go to Edit Navigation Page.
http://www.massmoneywebsites.com/admin/edit_main_pages.php
Please Select a Page To Edit: dwi.php.html <--- Select that page.

5th. Inspect element on dwi.php.html
Pic: http://i50.tinypic.com/29pq1ix.png
Change FROM <option value="dwi.php.html" selected="">dwi.php.html</option>
To <option value="dwi.php" selected="">dwi.php</option>
Picture: http://i47.tinypic.com/wtb0j6.png

6th. Enter A Page Title As You Would Like It To Be Seen. Fill in dwi.php
URL For This Page: main_pages/dwi.php
Use the 'URL For This Page' field above: [Tick]
Display This Page in Left Vertical Site Navigation: [Tick]
Display This Page in Top Horizontal Site Navigation Buttons: [Tick]
Picture: http://i46.tinypic.com/1zebnle.png

7th. Still on the same page, scroll down until you see this section: Enter Content For Your Page:
Click the SOURCE button.
Press Enter twice at the first line, then paste your PHP backdoor/PHP shell below.
And press Enter twice at the last line.
*Please see the 2 pictures below if you don't understand :p
Picture 1: http://i49.tinypic.com/1zlzxq0.png
Picture 2: http://i48.tinypic.com/291kc9h.png

If you want to do this, please remove your backdoor password.
Click Save edited navigation page.

8th. After the message >> Data saved successfully << appears, visit the Home Page and you will see the Backdoor Page.
Picture: http://i49.tinypic.com/4rt1g4.png


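Both findings above come from the same root cause in file_io.php: the action name (do_type) is taken from $_REQUEST and dispatched before any authorization check, credentials are compared with a loose == against a plaintext file, and a navigation page name is turned into a file without its extension being constrained. The following hardened dispatcher is an added example written for this advisory, not the vendor's code; the settings path, the 'admin_login' action name, the 'page_add' action and the page_name parameter are assumptions.

```php
<?php
// Added example, not the vendor's code: a hardened replacement for the
// file_io.php dispatch pattern quoted in the advisory. Assumed: the settings
// file lives outside the web root and holds a password_hash() value.
session_start();
const SETTINGS_FILE = __DIR__ . '/../private/admin_settings.txt'; // assumed path
const ADMIN_ACTIONS = ['admin_settings_write', 'page_add'];        // need a session
function load_settings(): array {
    $raw = @file_get_contents(SETTINGS_FILE);
    [$user, $hash] = array_pad(explode('#_1_#', (string)$raw, 2), 2, '');
    return ['username' => $user, 'hash' => $hash];
}
function attempt_login(string $user, string $pass): bool {
    $s = load_settings();
    // hash_equals() and password_verify() replace the loose == on plaintext
    if (hash_equals($s['username'], $user) && password_verify($pass, $s['hash'])) {
        session_regenerate_id(true);       // prevent session fixation
        $_SESSION['logged_in'] = true;
        return true;
    }
    return false;
}
// Page names become files under main_pages/: strip any path and force .html,
// so a name like "dwi.php" can never become an executable script.
function safe_page_file(string $name): string {
    $base = preg_replace('/[^A-Za-z0-9_-]/', '', pathinfo(basename($name), PATHINFO_FILENAME));
    return ($base === '' ? 'page' : $base) . '.html';
}
// Read the action from POST only; $_REQUEST also honours GET and cookies.
$action = $_POST['do_type'] ?? '';
if (in_array($action, ADMIN_ACTIONS, true) && empty($_SESSION['logged_in'])) {
    http_response_code(403);               // authorization before dispatch
    exit('You need to login to access that page');
}
switch ($action) {
    case 'admin_login':
        if (attempt_login($_POST['username'] ?? '', $_POST['pass'] ?? '')) {
            header('Location: welcome.php'); exit;
        }
        http_response_code(401); exit('Login failed');
    case 'admin_settings_write':
        $line = ($_POST['username'] ?? '') . '#_1_#' . password_hash($_POST['pass'] ?? '', PASSWORD_DEFAULT);
        file_put_contents(SETTINGS_FILE, $line, LOCK_EX);
        exit('Data saved successfully');
    case 'page_add':
        exit('Would create main_pages/' . safe_page_file($_POST['page_name'] ?? ''));
    default:
        http_response_code(400); exit('Unknown action');
}
```

With this layout, switching do_type to admin_settings_write without a session yields a 403 instead of a rewritten credentials file, and the Sort/Edit tricks in [ 2 ] cannot produce a .php file because the stored name is always re-derived server-side.
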
Risk:
=====
The security risk of the unauthorized file upload vulnerability via auth bypass is estimated as critical.


Credits:
========
X-Cisadane - (stefanus_dp@ymail.com)
Greetz 2: X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club and Ngobas


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory

--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com