eSite CMS login bypass

Vulnerability ID 1044593 Vulnerability type
Published 2013-08-19 Updated 2013-08-19
CVE number N/A CNNVD-ID N/A
Platform N/A CVSS score N/A
|Source
https://cxsecurity.com/issue/WLB-2013080155
|Vulnerability details
Vulnerability details have not yet been disclosed.
|Exploit
# Exploit Title: eSite CMS login bypass
# Google Dork:  intext::"Designed & Programmed by eSite"  or   inurl:"articlefull.php?id"
# Date: 15/8/2013
# Exploit Author: Al-mamon rasool abdali hussain
# Vendor Homepage: http://esite-iq.com/
# Version: All esite-iq.com scripts
# Tested on: Linux

The vulnerability is in the login system, which only checks whether a session value exists.
The login code is as follows:
____________________________________
<?php
session_start();
// Any non-empty value in this session key is taken as proof of an admin login;
// nothing else about the session is verified.
if (! empty($_SESSION['auth_ebook_manager'])) {
    die ("<meta http-equiv=\"refresh\" content=\"0; url='admincp.php'\">");
}
if (! isset($_POST['action'])) {
    echo "<form action=\"log.php?do=login\" method=\"post\">
    <center><p>Admin name : <input type=\"text\" name=\"ad\"></p>
    <p>Admin Password : <input type=\"password\" name=\"pass\"></p>
    <input type=\"hidden\" value=\"ok\" name=\"action\">
    <input type=\"submit\" value=\"login\">
    </center></form>";
}
else
{
    include ("connection.php");
    // The submitted admin name is interpolated straight into the query text.
    $admin = mysql_fetch_array(mysql_query("select * from addd where admin='$_POST[ad]'"));
    if (! empty($admin['admin'])) {
        // Stored passwords are unsalted md5(md5(...)) digests.
        $pass = md5(md5($_POST['pass']));
        if ($pass == $admin['password']) {
            // This session value is the only thing admincp.php later checks.
            $_SESSION['auth_ebook_manager'] = $admin['admin'];
            echo "<center>Welcome $admin[admin]</center>
            <meta http-equiv=\"refresh\" content=\"0; url='admincp.php'\">";
        }
        else
        {
            echo "<center>Error !</center>";
        }
    }
    else
    {
        echo "<center>Error !</center>";
    }
}
_____________________________


Because of this, a session can easily be created from another website hosted on the same server, using the exploit code.


1- First, upload the exploit file to any website hosted on the same server
as the target.

2- Run the exploit file and copy the session it generates for you.

3- Go to www.xxx.com/admincp.php and inject the session using any injector, such as Tamper Data.

You will now be logged in as admin.
# If the website's admin user name is not "admin", change the name in the exploit file.
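For comparison, here is a hardened rewrite of the login check above. It is an added illustration, not the vendor's code or part of the original advisory; it assumes connection.php provides a PDO handle $db, that the password column of table addd has been re-hashed with password_hash(), and that the private sessions directory it names exists outside the web root and is writable only by this site.

```php
<?php
// Hardened rewrite of the eSite login check (added illustration, not vendor code).
// Assumptions: connection.php defines a PDO handle $db; the 'password' column of
// table 'addd' holds password_hash() output; $privateSessions exists, is writable
// by this site only, and is outside the web root.
$privateSessions = __DIR__ . '/../private_sessions';   // assumed path

// Session files live in a store no other site on the server shares, so a session
// written by a neighbouring virtual host is never read here. Strict mode also
// rejects session IDs for which no session exists in this store.
session_save_path($privateSessions);
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Already authenticated: hand off to the admin panel.
if (!empty($_SESSION['auth_ebook_manager'])) {
    header('Location: admincp.php');
    exit;
}

if (!isset($_POST['action'])) {
    // The original login form would be printed here (unchanged, omitted).
    exit;
}

include 'connection.php';   // provides $db (PDO), assumed

// The admin name is bound as a parameter rather than interpolated into the SQL text.
$stmt = $db->prepare('SELECT admin, password FROM addd WHERE admin = ?');
$stmt->execute([$_POST['ad'] ?? '']);
$admin = $stmt->fetch(PDO::FETCH_ASSOC);

// password_verify() checks a salted hash in constant time, replacing md5(md5()) and ==.
if ($admin !== false && password_verify($_POST['pass'] ?? '', $admin['password'])) {
    // A fresh ID means the authenticated session never reuses an ID the client supplied.
    session_regenerate_id(true);
    $_SESSION['auth_ebook_manager'] = $admin['admin'];
    header('Location: admincp.php');
    exit;
}

echo '<center>Error !</center>';
```

admincp.php must start its session with the same save path and strict-mode settings, otherwise it would still consult the shared store that the advisory relies on.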