TBDev vulnerabilities ?

Started by TorrentFr33k, October 06, 2014, 10:27:42 PM



Mindless

#5
Simple rules to follow when dealing with any code, and I'll try not to confuse: all inputs all over the code ($_POST, $_GET, $_REQUEST) are posting straight to a mysql_query. If you do not sanitize the inputs then I can post all sorts of data into your text entry box. If you do not then suppress mysql errors into a log, then bingo, I can hack your db with ease, because each injection I do will reveal more and more about the table I'm trying to hack.

The mysql errors are hidden in a log from 09, so that's one less concern; anything pre-09 does not do this unless the site coders have done it. All code pre-09 is very suspect because in those days there were no assholes going round hacking, it wasn't a major issue. That soon changed from early 2000 onwards when there were spates of TBDev sites getting taken down, and not only TBDev either for that matter. I spent nearly a year updating all TBDev mods to a decent standard but probably missed basic stuff, so by no means think you're safe; prove it yourself by learning how to do it.

So if I know about weak inputs I could break out of the sql statement I'm posting to and then hack your database with ease.

Then enter XSS attacks, which are deployed using various methods: could be a script embedded in an image, you hit it and it redirects you to another server and your cookie could be stolen. Again, look through the mod sections in here in 09 mods; there are a few security posts and I advise that those are the first mods you add to the new code you're going to mod up: secure your cookies, secure all post and get inputs on every single file, then make sure every single mysql query has sqlesc applied on all user-supplied input data.

First bad example - nothing sanitizing this post or get, bad shit dudes:

Code (php):
$action = (isset($_GET["action"]) ? $_GET["action"] : (isset($_POST["action"]) ? $_POST["action"] : ''));

This has to be:

Code (php):
$action = (isset($_GET["action"]) ? htmlsafechars($_GET["action"]) : (isset($_POST["action"]) ? htmlsafechars($_POST["action"]) : ''));

Or use the new input filter method http://php.net/manual/en/function.filter-input.php.

Next up, printing variables to screen: many just print the variable and don't sanitize that either, bad bad move again because that will be open to XSS attacks.

Code (php):
// the deliberately bad version: both values go straight from the db row into the markup
echo "<a href='{$INSTALLER09['baseurl']}/userdetails.php?id=".$forums_arr["userid"]."'><b>".$forums_arr['username']."</b></a>";

Above has a numeric value pulled from the db and printed to screen not sanitized; it also pulls the username and prints it not sanitized.

Code (php):
// id forced to an integer, username escaped before it hits the page
echo "<a href='{$INSTALLER09['baseurl']}/userdetails.php?id=".(int)$forums_arr["userid"]."'><b>".htmlsafechars($forums_arr['username'])."</b></a>";

(int)$forums_arr["userid"] - it's a numeric value, so force it to be one using (int), 0 +, or intval.

htmlsafechars($forums_arr['username']) - it's a string, so htmlspecialchars has to be applied.

Queries

Code (php):
if (isset($_GET['change_pm_number'])) {
    $change_pm_number = (isset($_GET['change_pm_number']) ? $_GET['change_pm_number'] : 20);
    sql_query('UPDATE users SET pms_per_page = ' . $change_pm_number . ' WHERE id = ' . $CURUSER['id']) or sqlerr(__FILE__, __LINE__);
    $mc1->begin_transaction('user' . $CURUSER['id']);
    $mc1->update_row(false, array(
        'pms_per_page' => $change_pm_number
    ));
    $mc1->commit_transaction($INSTALLER09['expires']['user_cache']);
    $mc1->begin_transaction('MyUser_' . $CURUSER['id']);
    $mc1->update_row(false, array(
        'pms_per_page' => $change_pm_number
    ));
    $mc1->commit_transaction($INSTALLER09['expires']['curuser']);
    if (isset($_GET['edit_mail_boxes'])) header('Location: pm_system.php?action=edit_mailboxes&pm=1');
    else header('Location: pm_system.php?action=view_mailbox&pm=1&box=' . $mailbox);
    die();
}


Above lets you see it - no intval, int or 0+ applied on the get, and the query does not have sqlesc applied to user-inputted data, so I could pass shit through that into the query and hack it in seconds. So below is how it should be - please use this as a reference, use V4 also, and go through your code and secure it. Don't give these fucking shite-for-brains the satisfaction of hacking a site. Let's face it, if you're good at hacking you'd be fucking banks and all sorts; why these disturbed gimps think it's funny to take a torrent site down is beyond me. The only person likely to do that to you is someone with a chip on their shoulder, disgruntled staff etc., but in most cases they ain't clever enough and just shout their mouth off. Any questions, ask and I'll do my best to advise.

Code (php):
if (isset($_GET['change_pm_number'])) {
    $change_pm_number = (isset($_GET['change_pm_number']) ? intval($_GET['change_pm_number']) : 20);
    sql_query('UPDATE users SET pms_per_page = ' . sqlesc($change_pm_number) . ' WHERE id = ' . sqlesc($CURUSER['id'])) or sqlerr(__FILE__, __LINE__);
    $mc1->begin_transaction('user' . $CURUSER['id']);
    $mc1->update_row(false, array(
        'pms_per_page' => $change_pm_number
    ));
    $mc1->commit_transaction($INSTALLER09['expires']['user_cache']);
    $mc1->begin_transaction('MyUser_' . $CURUSER['id']);
    $mc1->update_row(false, array(
        'pms_per_page' => $change_pm_number
    ));
    $mc1->commit_transaction($INSTALLER09['expires']['curuser']);
    if (isset($_GET['edit_mail_boxes'])) header('Location: pm_system.php?action=edit_mailboxes&pm=1');
    else header('Location: pm_system.php?action=view_mailbox&pm=1&box=' . $mailbox);
    die();
}
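The same three rules from the post above (force numbers to int, escape strings for HTML, keep user data out of the SQL text) written as an added, stand-alone example. This is not code from the thread or from the TBDev/U-232 code base: htmlsafechars() and sqlesc() are assumed to be tracker helpers and are replaced here by stock PHP (htmlspecialchars(), filter_var() with FILTER_VALIDATE_INT, and a PDO prepared statement). The 'users' table, the sample rows and the request values are constructed for the demo, and an in-memory SQLite database is used so it runs without a MySQL server.

```php
<?php
declare(strict_types=1);

// Validate an integer request parameter. filter_var() returns the 'default'
// option when the value is not a whole number or lies outside [min, max].
// Against a live request, filter_input(INPUT_GET, $key, FILTER_VALIDATE_INT, ...)
// takes the same filter and options; filter_var() is used here so the demo can
// run from the command line on constructed input.
function read_int_param(array $params, string $key, int $default, int $min, int $max): int
{
    if (!isset($params[$key]) || !is_scalar($params[$key])) {
        return $default;
    }
    $v = filter_var($params[$key], FILTER_VALIDATE_INT, [
        'options' => ['default' => $default, 'min_range' => $min, 'max_range' => $max],
    ]);
    return is_int($v) ? $v : $default;
}

// Escape a string for an HTML body or attribute, so a stored username such as
// "<script>" is rendered as text rather than parsed as markup.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Update pms_per_page for one user. Neither value is concatenated into the SQL;
// both are bound as integer parameters, so the statement text never changes.
function set_pms_per_page(PDO $db, int $userId, int $perPage): int
{
    $stmt = $db->prepare('UPDATE users SET pms_per_page = :pp WHERE id = :id');
    $stmt->bindValue(':pp', $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // number of rows the UPDATE touched
}

// The profile link from the post, with the id forced to int and the username escaped.
function user_link(string $baseurl, array $row): string
{
    return "<a href='" . h($baseurl) . "/userdetails.php?id=" . (int)$row['userid']
        . "'><b>" . h($row['username']) . "</b></a>";
}

// ---- demo on constructed data -------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pms_per_page INTEGER)');
$db->exec("INSERT INTO users (id, username, pms_per_page) VALUES (1, 'alice', 20), (2, '<b>bob</b>', 20)");

$curuser = ['id' => 1]; // stands in for $CURUSER

// Three constructed stand-ins for $_GET['change_pm_number']: a valid value,
// junk that is not a number, and a number outside the allowed range.
foreach (['50', '20abc', '99999'] as $raw) {
    $n = read_int_param(['change_pm_number' => $raw], 'change_pm_number', 20, 1, 100);
    $changed = set_pms_per_page($db, $curuser['id'], $n);
    printf("input %-9s -> pms_per_page=%d (rows updated: %d)\n", var_export($raw, true), $n, $changed);
}

// Output escaping: the stored username contains markup, which is neutralised here.
$row = $db->query('SELECT id AS userid, username FROM users WHERE id = 2')->fetch(PDO::FETCH_ASSOC);
echo user_link('https://tracker.example', $row), "\n";
```

Run it with `php example.php` (the pdo_sqlite extension must be enabled). The invalid and out-of-range inputs fall back to the default of 20 instead of reaching the query, and the username is printed with its angle brackets encoded. If the tracker is on mysqli or PDO_MySQL rather than the old mysql extension, the prepared statement above works unchanged against MySQL; the sqlesc() approach from the post still holds for code that has not been moved off string-built queries.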



denede

yep it has, but with a little work on them it will be ok

DeadlyDesire

#3
English only please

Tundracanine

:lol: every source has vulnerabilities, and considering TBDev is older than sin it's probably got more holes than anything if people know where to look... U-232 V4 is the latest :lol:
No clue why someone would use an older-than-sin version. TBDev probably uses mysql and not mysqli, so that's another hole, because you can't use the latest PHP 5.5 without turning off some warnings, since mysql support is leaving in PHP 5.5+...
If wanting support help, please put bare minimum info like:
Os:
U-232 Version:
Php Version:
Tracker type: like xbt or php
Saves on asking more questions just so people can help someone.

TorrentFr33k

Hello @ all,

Does the TBDev 09 source from the download section have any vulnerabilities? Or can you use this source without problems as the basis for your own?