Kemana Directory 1.5.6 – kemana_admin_passwd Cookie User Password Hash Disclosure

• Exploit Database
• 9 阅读

• 作者： LiquidWorm
  日期： 2014-03-25
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/32506/

• 
  Kemana Directory 1.5.6 kemana_admin_passwd Cookie User Password Hash Disclosure
  
  
  Vendor: C97net
  Product web page: http://www.c97.net
  Affected version: 1.5.6
  
  Summary: Experience the ultimate directory script solution
  with Kemana. Create your own Yahoo or Dmoz easily with Kemana.
  Unique Kemana's features including: CMS engine based on our
  qEngine, multiple directories support, user friendly administration
  control panel, easy to use custom fields, unsurpassed flexibility.
  
  Desc: Kemana contains a flaw that is due to the 'kemana_admin_passwd'
  cookie storing user password SHA1 hashes. This may allow a remote MitM
  attacker to more easily gain access to password information.
  
  
  Tested on: Apache/2.4.7 (Win32)
   PHP/5.5.6
   MySQL 5.6.14
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2014-5179
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5179.php
  
  
  Dork #1: intitle:powered by c97.net
  Dork #2: intitle:powered by qEngine
  Dork #3: intitle:powered by Kemana.c97.net
  Dork #4: intitle:powered by Cart2.c97.net
  
  
  
  07.03.2014
  
  ---
  
  
  GET /kemana/admin/rev_report.php HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://localhost/kemana/admin/link.php
  Cookie: qvc_value=4e520fb7e28ff76d71800f4329633bc12040101c; kemana_user_id=guest%2Acbb77d83775796bc42f94a97f9905a0d; kemana_admin_id=admin; kemana_admin_passwd=d033e22ae348aeb5660fc2140aec35850c4da997
  Connection: keep-alive