
ESite CMS login bypass

Posted on 20 August 2013

<pre># Exploit Title: eSite CMS login bypass
# Google Dork: intext:&quot;Designed &amp; Programmed by eSite&quot; or inurl:&quot;articlefull.php?id&quot;
# Date: 15/8/2013
# Exploit Author: Al-mamon rasool abdali hussain
# Vendor Homepage: http://esite-iq.com/
# Version: All esite-iq.com script
# Tested on: linux

The vulnerability is in the login system, which checks that the session exists. The login code is this:
____________________________________
&lt;?php
session_start();
// Any non-empty value in this session key is accepted as proof of login.
if (! empty($_SESSION['auth_ebook_manager'])) {
    die (&quot;&lt;meta http-equiv=\&quot;refresh\&quot; content=\&quot;0; url='admincp.php'\&quot;&gt;&quot;);
}
if (! isset($_POST['action'])) {
    echo &quot;&lt;form action=\&quot;log.php?do=login\&quot; method=\&quot;post\&quot;&gt;
    &lt;center&gt;&lt;p&gt;Admin name : &lt;input type=\&quot;text\&quot; name=\&quot;ad\&quot;&gt;&lt;/p&gt;
    &lt;p&gt;Admin Password : &lt;input type=\&quot;password\&quot; name=\&quot;pass\&quot;&gt;&lt;/p&gt;
    &lt;input type=\&quot;hidden\&quot; value=\&quot;ok\&quot; name=\&quot;action\&quot;&gt;
    &lt;input type=\&quot;submit\&quot; value=\&quot;login\&quot;&gt;
    &lt;/center&gt;&lt;/form&gt;&quot;;
} else {
    include (&quot;connection.php&quot;);
    // The submitted admin name is interpolated directly into the query string.
    $admin = mysql_fetch_array(mysql_query(&quot;select * from addd where admin='$_POST[ad]'&quot;));
    if (! empty($admin['admin'])) {
        $pass = md5(md5($_POST['pass']));
        if ($pass == $admin['password']) {
            $_SESSION['auth_ebook_manager'] = $admin['admin'];
            echo &quot;&lt;center&gt;Welcome $admin[admin]&lt;/center&gt;
            &lt;meta http-equiv=\&quot;refresh\&quot; content=\&quot;0; url='admincp.php'\&quot;&gt;&quot;;
        } else {
            echo &quot;&lt;center&gt;Error !&lt;/center&gt;&quot;;
        }
    } else {
        echo &quot;&lt;center&gt;Error !&lt;/center&gt;&quot;;
    }
}
_____________________________
So we can easily create the session from another website on the same server using the exploit code:
1- First upload the exploit file to any website on the same server that the target is hosted on.
2- Execute the exploit file and copy the session that the exploit generates for you.
3- Go to www.xxx.com/admincp.php and inject the session using any injector such as Tamper Data; now you will be logged in as admin.
# In case the website admin user name is not admin, you must change the name in the exploit file.</pre>
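As an added, defensive counterpart (not eSite's code and not part of the original post): a login that does not treat a bare non-empty session key as authentication and that stops using the server-wide default session store. It assumes a per-site secret file and session directory (both paths are placeholders), a PDO connection `$db`, and an `addd` table whose `password` column holds `password_hash()` output; if all co-hosted sites run as the same Unix user they can still read these files, so the application-level check only holds together with per-site process isolation.

```php
<?php
// Added hardening example (not eSite's code). Assumed: a per-site secret in
// SECRET_FILE, a session directory owned by this vhost, a users table addd whose
// password column holds password_hash() output, and $db as a PDO connection.
const SECRET_FILE = __DIR__ . '/../private/session_secret';  // placeholder path
const SESSION_DIR = __DIR__ . '/../private/sessions';        // placeholder path

function start_isolated_session(): void {
    // Own session name and save_path, so this application neither reads nor
    // writes the server-wide default store shared with other vhosts.
    ini_set('session.save_path', SESSION_DIR);
    ini_set('session.use_strict_mode', '1');   // reject IDs this server never issued
    session_name('ESITE_ADMIN_SID');
    session_start();
}

function sign_auth(string $user, int $issued): string {
    // Tag keyed with a secret only this application holds: a session record
    // written by a different application cannot carry a valid tag.
    $secret = trim(file_get_contents(SECRET_FILE));
    return hash_hmac('sha256', $user . '|' . $issued, $secret);
}

function current_admin(): ?string {
    // Unlike the original check, a non-empty key alone proves nothing.
    $a = $_SESSION['auth'] ?? null;
    if (!is_array($a) || !isset($a['user'], $a['issued'], $a['mac'])) {
        return null;
    }
    $expected = sign_auth((string)$a['user'], (int)$a['issued']);
    return hash_equals($expected, (string)$a['mac']) ? (string)$a['user'] : null;
}

function login(PDO $db, string $name, string $password): bool {
    $stmt = $db->prepare('SELECT admin, password FROM addd WHERE admin = ?');
    $stmt->execute([$name]);                   // parameterised, never interpolated
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);               // fresh ID on privilege change
    $issued = time();
    $_SESSION['auth'] = [
        'user'   => $row['admin'],
        'issued' => $issued,
        'mac'    => sign_auth($row['admin'], $issued),
    ];
    return true;
}
```

Call `start_isolated_session()` before any access to `$_SESSION`, and gate `admincp.php` on `current_admin() !== null` rather than on the presence of a key.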
