The vulnerability in TorrentPier's `modcp.php` is an authenticated SQL injection caused by the unsafe incorporation of user input into an SQL query. The script reads the `t` (topic_id) parameter from the GET request and assigns it to `$topic_id` without casting or sanitizing it. That value is then interpolated directly into the query string inside the `WHERE` clause (WHERE t.topic_id = $topic_id). Because the value is neither validated nor parameterized, and is not even quoted in the query, an attacker holding moderator permissions can supply a crafted value for `t` that extends the intended `WHERE` clause with attacker-controlled SQL, for example a `SLEEP()` call whose response delay leaks one bit of data per request (time-based blind extraction). The database executes the manipulated query with the privileges of the application's database account, so the attacker can read any data that account can reach and, depending on the database and driver configuration, modify or delete it.
Platform: TorrentPier
Version: <= 2.3.6
Vulnerability: SQL Injection
Severity: Critical
Date: 2024-10-15
Prediction: Patch expected 2024-10-29
What Undercode Says:
Vulnerable query pattern in modcp.php (the `t` GET parameter lands in `$topic_id` unquoted and uncast):
$sql = "SELECT ... WHERE t.topic_id = $topic_id ...";
Example sqlmap invocation for time-based blind testing (`key=value` is a placeholder for a valid moderator session cookie):
sqlmap -u "https://target/modcp.php?mode=lock&t=1" -p t --cookie "key=value" --dbms mysql --technique T --current-db
How to Exploit:
A moderator account (the endpoint is authenticated and requires moderator rights).
A crafted value for the `t` (topic_id) parameter that extends the `WHERE` clause.
Time-based blind extraction, e.g. with `SLEEP()`, as automated by sqlmap's technique T.
Protection from this CVE:
Use prepared statements and bind `topic_id` as an integer parameter.
Validate input: reject any `t` value that is not a plain positive integer before it reaches the query.
Update once a fixed release is available (versions up to and including 2.3.6 are affected).
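The following is an added example, not TorrentPier's own code: it reconstructs the vulnerable concatenation pattern described above and places the hardened form (integer validation plus a bound parameter) beside it. The function names, the `bb_topics` table and its column names are assumptions, and the demonstration uses an in-memory SQLite database through PDO (assumes the pdo_sqlite extension) so it runs offline. `SLEEP()` is MySQL-specific; the payload is only shown as a built query string and never executed against SQLite.

```php
<?php
// Added example (not TorrentPier code). Table/column names are assumptions.

// Vulnerable form: $topic_id comes straight from $_GET['t'] and is
// interpolated into the WHERE clause with no cast and no quoting.
function build_topic_query_vulnerable(string $topic_id): string
{
    return "SELECT t.topic_id, t.topic_title FROM bb_topics t WHERE t.topic_id = $topic_id";
}

// Constructed time-based payload of the kind the advisory describes.
// Because the value is unquoted in the query, no quote character is
// needed to break out; the attacker simply appends a condition.
$payload = "1 AND SLEEP(5)";
echo build_topic_query_vulnerable($payload), "\n";
// Result: SELECT t.topic_id, t.topic_title FROM bb_topics t WHERE t.topic_id = 1 AND SLEEP(5)
// On MySQL the SLEEP() is evaluated for the matching row, so the response is
// delayed; sqlmap --technique T turns that delay into a yes/no oracle and
// extracts data one bit per request.

// Hardened form: reject non-integer input up front, then bind the value.
function fetch_topic(PDO $db, string $raw): ?array
{
    // ctype_digit() is false for '', for signs, and for anything with spaces
    // or letters, so "1 AND SLEEP(5)" never reaches the database.
    if (!ctype_digit($raw)) {
        return null;
    }
    $topic_id = (int) $raw;

    $stmt = $db->prepare(
        'SELECT t.topic_id, t.topic_title FROM bb_topics t WHERE t.topic_id = :id'
    );
    $stmt->bindValue(':id', $topic_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Offline demonstration against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bb_topics (topic_id INTEGER PRIMARY KEY, topic_title TEXT)');
$db->exec("INSERT INTO bb_topics VALUES (1, 'first topic')");

var_dump(fetch_topic($db, '1'));        // array with topic_id 1
var_dump(fetch_topic($db, $payload));   // NULL: rejected before any SQL runs
var_dump(fetch_topic($db, '1; --'));    // NULL: likewise rejected
```

The validation step is what makes the fix robust even if a future query is written without a placeholder: a value that has passed `ctype_digit()` and an `(int)` cast can only ever be a non-negative integer, so it cannot carry SQL syntax regardless of how it is later concatenated.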
Impact:
Full database compromise, within the privileges of the application's database account.
Privilege escalation (e.g. from moderator to administrator by reading or altering account data).
Data modification or destruction where the database connection permits write queries.
Sources:
Reported By: github.com