来源:自学PHP网 时间:2015-04-17 13:03 作者: 阅读:次
[导读] 标题: Multiple SQL injections in rivettracker =1.03作者: Ali Raheem下载地址: http://www.rivetcode.com/software/rivettracker/版本: =1.03测试平台: Linux guruplug-debian 3.1.7 #2 PRE......
标题: Multiple SQL injections in rivettracker <=1.03
作者: Ali Raheem 下载地址: http://www.rivetcode.com/software/rivettracker/ 版本: <=1.03 测试平台: Linux guruplug-debian 3.1.7 #2 PREEMPT Tue Jan 3 20:19:54 MST 2012 armv5tel GNU/Linux # Greets: spyware, dividead RivetTracker is a php base torrent tracker. Though rivettracker is largely designed for a trusted user environment it does have 3 levels of access. Admin (add&delete torrents), uploader and unauthenticated (if $hiddentracker == false). However, vulnerable files such as torrent_functions.php can always be accessed by anyone since there is no $hiddentracker check (epic fail). Despite this high level of access few inputs are sanities and lines like this: $query = "SELECT filename FROM ".$prefix."namemap WHERE info_hash = '" . $_GET['hash'] . "'"; Found in dltorrent.php (which can be accessed by any one if hiddentracker is false) is unforgivable. The only check performed is to insure $_GET['hash'] is 40 chars long. We can defeat this simply with padding with 0's if poison null bytes are not patched we can force the SQL query to return the filename of a file we want to view and download it. path_to_rivettracker/dltorrent.php?hash=00000' UNION ALL SELECT '../config.php\0 With the PNB patch on php version >=5.3.4 (and backports) we still have arbitary SQL queries but no config.php. config.php contains passwords and usernames for admin, user and mysql database. Other files have unsanitised inputs such as torrent_functions.php, here we have no checks! Further more $hiddentracker isn't even checked! And anyone has access to this file and can run SQL commands via post. Here's my testbench for torrent_functions.php ali@Ali-PC:~$ cat test.htm <form action="http://www.2cto.com /rivettracker/torrent_functions.php" method="POST"> <input type="test" name="hash" size="100"/> <input type="submit"/> </form> Depending on the privs of the database user you can raise all kinds of hell (shell creation and arbitrary code execution.) Enjoy. |
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com