eSite CMS login bypass

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1044593 漏洞类型
发布时间 2013-08-19 更新时间 2013-08-19
漏洞平台 N/A CVSS评分 N/A
# Exploit Title:  eSite cms login  bypass 
# Google Dork:  intext::"Designed & Programmed by eSite"  or   inurl:"articlefull.php?id"
# Date: 15/8/2013
# Exploit Author: Al-mamon rasool abdali hussain
# Vendor Homepage:
# Version: All  script
# Tested on: linux 

the  Vulnerability in login  system that chack the ssesion is exist 
the login code is these
if (! empty($_SESSION['auth_ebook_manager'])) {
die ("<meta http-equiv=\"refresh\" content=\"0; url='admincp.php'\">");    
if (! isset($_POST['action'])) {
    echo "<form action=\"log.php?do=login\" method=\"post\">
    <center><p>Admin name : <input type=\"text\" name=\"ad\"></p>
    <p>Admin Password : <input type=\"password\" name=\"pass\"></p>
    <input type=\"hidden\" value=\"ok\" name=\"action\">
    <input type=\"submit\" value=\"login\">
    include ("connection.php");
    $admin = mysql_fetch_array(mysql_query("select * from addd where admin='$_POST[ad]'"));
    if (! empty($admin['admin'])) {
        $pass = md5(md5($_POST['pass']));
        if ($pass == $admin['password']) {
            $_SESSION['auth_ebook_manager'] = $admin['admin'];
            echo "<center>Welcome $admin[admin]</center>    
            <meta http-equiv=\"refresh\" content=\"0; url='admincp.php'\">";
            echo "<center>Error !</center>";
        echo "<center>Error !</center>";


so easily we will create session  from another website that is in the same server using the exploit code

1-first need to upload the exploit file into any web site in the same server
that the target hosted in

2- just execut the exploit file  and copy the ssesion that the exploit genrate its for  you

3- go to   and inject the session using any injecter like tamper data or  any other

now you will be loged as admin  

# in case the  web site admin user name is not admin you must  try to change  the name into exploit file