Since Jonteh removed his main post in his thread, I thought I'd re-upload for you guys, seeing as it's a decent CMS.
Features:
Login
Quick Register
News System
User Profile
Account
Password
Badge Shop
Staff
PayPal IPN
VIP
SQL Queries
Code:
DROP TABLE IF EXISTS `hk_fuses`;
CREATE TABLE `hk_fuses` (
  `fuse` varchar(50) NOT NULL,
  `minrank` int(11) NOT NULL DEFAULT '1'
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
INSERT INTO `hk_fuses` VALUES ('login', '9');
INSERT INTO `hk_fuses` VALUES ('site_manage', '11');
INSERT INTO `hk_fuses` VALUES ('pornban', '11');
INSERT INTO `hk_fuses` VALUES ('adv_edit', '11');

DROP TABLE IF EXISTS `profile_wall`;
CREATE TABLE `profile_wall` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `page_id` int(11) NOT NULL,
  `poster_id` int(11) NOT NULL,
  `message` text NOT NULL,
  `likes` int(11) NOT NULL DEFAULT '0',
  `owner_read` enum('0','1') NOT NULL DEFAULT '0',
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=1343 DEFAULT CHARSET=latin1;

DROP TABLE IF EXISTS `site_hotcampaigns`;
CREATE TABLE `site_hotcampaigns` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `order_id` int(11) NOT NULL DEFAULT '1',
  `enabled` enum('0','1') NOT NULL DEFAULT '1',
  `image_url` text NOT NULL,
  `caption` text NOT NULL,
  `descr` text NOT NULL,
  `url` text NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=3 DEFAULT CHARSET=latin1;

DROP TABLE IF EXISTS `site_news`;
CREATE TABLE `site_news` (
  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `seo_link` varchar(120) NOT NULL DEFAULT 'news-article',
  `title` text NOT NULL,
  `category_id` int(10) unsigned NOT NULL DEFAULT '1',
  `topstory_image` text NOT NULL,
  `body` text NOT NULL,
  `snippet` text NOT NULL,
  `datestr` varchar(50) NOT NULL,
  `timestamp` int(11) NOT NULL,
  PRIMARY KEY (`id`),
  KEY `datestr` (`datestr`) USING BTREE
) ENGINE=MyISAM AUTO_INCREMENT=512 DEFAULT CHARSET=latin1;

DROP TABLE IF EXISTS `badge_shop`;
CREATE TABLE `badge_shop` (
  `badge_id` varchar(12) NOT NULL,
  `cost` int(100) NOT NULL,
  KEY `badge_id` (`badge_id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

ALTER TABLE `users` ADD `position` VARCHAR(30) NOT NULL;
ALTER TABLE `users` ADD `acc_pornbanned` ENUM('0','1') NOT NULL DEFAULT '0';
Download
https://github.com/Clawed/Illumina/archive/master.zip
Credits:
Jonteh
Clawed, thanks for re-releasing, this CMS might become handy for many people! :)
You have to be fucking kidding me man, this is not decent at all. I'll post this now so you all know what we were doing to fuck your hotels over.
In IlluminaCMS Jonty was stupid enough to do things like this:
admin/index.php
PHP Code:
if(!isLogged()) {
    // redirect header is set, but nothing stops the script here
    header ("Location: login.php");
}
client.php
PHP Code:
else if($light->pin_enabled == true && !isset($_SESSION["Pincode_Passed"]) && $users->userVar(USERNAME, 'rank') >= 6) {
    // same pattern: no exit after the redirect
    header ("Location: " . WWW . "/client_denied");
}
The top one is for the housekeeping and the bottom one is for bypassing the staff pin.
What does this mean, you ask? After the 302 redirect is sent to the browser there is no exit, which means that should you for whatever reason disable 302 redirects in your browser, the page in question, whether it be client.php or admin/index.php, will continue loading, which obviously bypasses any protections such as housekeeping login and client staff pin.
--
Obviously this was a mistake on Jonty's part and when you look through the CMS you can see that he has not terminated the script at any location where there is a 302 redirect (that I have seen) and you can bypass things such as maintenance and bans.
Thanks from Hejula and Delici0us (mastermind)...
Fixed Version: In a minute...
https://mega.co.nz/#!UkJgBSiR!AKCZSx...ifLuHuoULw0EcM
https://copy.com/9igtpfiyGfZ3
http://www.mediafire.com/?dnd7xke5bp83s2e
http://www.multiupload.nl/WOMZ638SGU
Last edited by Hejula; 30-05-13 at 05:00 PM. Reason: Download links for fixed version
-removed-
List of discovered vulnerable hotels:
- zaphotel.net / zaphotel.ca - Fixed (hk moved/removed)
- dub.cm - Fixed (hk moved/removed)
- habboon.com - Fixed (hk moved/removed)
- habbohotel.biz - Fixed (hk moved/removed)
- habball.co.uk - Fixed (hk moved/removed)
- legithotel.org - Not Fixed
- trickhotel.net - Fixed (hk moved/removed)
- bamhotel.in - Fixed (hk moved/removed)
- habbx-hotel.com - Not Fixed
- techhotel.co.uk - Fixed (hk moved/removed)
- hydro-hotel.com - Fixed (hk moved/removed)
- ********** - Fixed (hk moved/removed)
- habjam.com - Fixed (properly)
- zabbo.bz - Fixed (500 error)
- live-hotel.net - Fixed (hk moved/removed)
- bobba.pro - Fixed (hk moved/removed)
- habboland.net - Fixed (properly)
- legionhotel.com - Not Fixed
They are all the ones I could find, the majority are fixed. If you own one of those hotels you should think about applying the patch unless you have already fixed it. If you have fixed it make sure to check the staff pin and maintenance things as explained in post #4.
Btw, if I have put fixed (hk moved/removed) next to the link you will still need to check (hotel owner) that people cannot bypass the staff pin and maintenance/ban pages as explained in post #4.
Last edited by Hejula; 30-05-13 at 05:36 PM.
So basically, what you did was install a Chrome addon to ignore the redirect/header and the PHP script would continue to log you in? I have never looked at the source code of this CMS, but I would assume the core (would?) check if you are logged in, no? Just one page. I kind of understand what you did, but don't at the same time? Would ignoring the header ("Location: login.php"); redirect make the housekeeping continue to load?
Also, mind telling me (for my own purposes of bug/exploit checking on my own projects) what you used to stop redirects/headers from executing?
Helping those who deserve to be helped.
Just because you can edit 2 lines of PHP code and change a variable does not mean you're a programmer. And just because you can follow a tutorial on how to set up IIS does not make you a server technician or manager.
You'd have thought so, but for whatever reason it doesn't check that the housekeeping session is actually set before letting you in. You simply disable the 302 redirect and the page continues loading.
This for example: Screenshot by Lightshot
We used the addon "NoRedirect" for Firefox to disable redirections. The way we got into the owners' accounts was simply by using the "Sign in as a user" function because rather stupidly there is no protection to check that someone is trying to log in to an account with a higher rank than theirs.
As you can see from "Welcome, HK_USERNAME" the system knows there is no housekeeping session set but there is nothing to stop the page from loading/script execution if that is the case.
It's kind of sad the community is so trustworthy of people and will use their software without even checking. I see some of the biggest hotels in your list. You would've thought in that position, of having so many members that they would know how to code and make their own CMS instead of relying on ones like this and rev etc...
Personally I would never use a CMS released in this section, they're all too poorly coded and too exploitable. Even though I don't use the CMS, thanks for the release. At least it was you who found the exploit and not someone else; in the wrong hands you would've been seeing redirects left, right and center, and a hotel owner would've got lots of members and very big, very quickly.
Once again though, big hotels and big names using this software, their user bases, online counts and hotels could've been destroyed by 1 person very quickly. Learn to code and use your own shit. It's fun, free and you get to learn something. Stop using garbage.
It's something that happens surprisingly often when it's stupidly easy to fix. For example, if you disable redirects on this
Code:
$theCondition = false;
if(!$theCondition) {
    // header is set, but the script keeps running
    header('Location: /');
}
echo 'hi!';
it will echo hi. There are a few ways to deal with this that are really simple.
Code:
$theCondition = false;
if(!$theCondition) {
    header('Location: /');
    exit(); // stop the script after the redirect
}
echo 'hi!';
(same as above)
Code:
$theCondition = false;
if(!$theCondition) {
    header('Location: /');
    die(); // die() is an alias of exit()
}
echo 'hi!';
Code:
$theCondition = false;
if(!$theCondition) {
    header('Location: /');
} else {
    // protected output only runs when the check passes
    echo 'hi!';
}
Code:
$theCondition = false;
if($theCondition) {
    echo 'hi!';
}
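Added example, not written by any poster in this thread and not part of IlluminaCMS: a small Python audit script that lists every `header("Location: ...")` call in PHP source that is not directly followed by `exit` or `die`, which is the pattern described in the posts above. The function names and the sample source are constructed for illustration; the `else`-branch form is reported as well and needs a manual look.

```python
import re
from pathlib import Path

# A header("Location: ...") call up to its terminating semicolon.
REDIRECT = re.compile(r"""header\s*\(\s*['"]\s*Location\s*:[^;]*;""", re.IGNORECASE)
# Whitespace and PHP comments that may sit between the redirect and the next statement.
SKIP = re.compile(r"(?:\s+|//[^\n]*|#[^\n]*|/\*.*?\*/)*", re.DOTALL)
# The next statement must end the script: exit; exit(); die; die(...);
TERMINATOR = re.compile(r"(?:exit|die)\b", re.IGNORECASE)


def unterminated_redirects(php_source):
    """Return 1-based line numbers of Location redirects not followed by exit/die."""
    findings = []
    for match in REDIRECT.finditer(php_source):
        next_stmt = SKIP.match(php_source, match.end()).end()
        if not TERMINATOR.match(php_source, next_stmt):
            findings.append(php_source.count("\n", 0, match.start()) + 1)
    return findings


def scan_tree(root):
    """Map each .php file under root to the lines of its unterminated redirects."""
    results = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = unterminated_redirects(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample input modelled on the snippets quoted in the thread.
SAMPLE = '''<?php
if(!isLogged()) {
    header ("Location: login.php");
}
if(!$theCondition) {
    header('Location: /');
    // stop here
    exit();
}
if(!$theCondition) {
    header('Location: /'); die();
}
echo 'hi!';
'''

if __name__ == "__main__":
    for line in unterminated_redirects(SAMPLE):
        print(f"line {line}: redirect without exit/die")
```

Run `scan_tree()` against the CMS directory and review each reported line; a redirect whose URL string itself contains a semicolon is not handled by this simple pattern.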
I have the normal release of IlluminaCMS from Jonteh and I tried this bypass, but it did not work on my hotel? But I'm still unsure if it's patched or not.
Downloaded NoRedirect for Firefox.
Navigated to http://myhotel.com/admin/index.php?_page=dashboard.
Got redirected to login page.
It might be possible that the plugin doesn't even work..
Giant: Join the best hotel on the net Look at the top.. xD
Hello,
I need a Database for the cms.
Can someone upload please???
You have to configure the plugin to work with the specific website. It only blocks redirection on the websites in the configuration list. There will be documentation for the script somewhere.
I was demonstrating Jonty's incompetence :) It's amazing that people are still using his things, and the demonstration that I did merely proves that most hotel owners aren't fit for the job. There were probably only 2 hotels on that list that acted straight away (in terms of fixing the issue) and others simply restored backups and carried on. Something you should never do in the event of a security breach.
It was also closer to 20 hotels and I would have carried on had it not been boring (just to prove a point of course).