Affects:tbdev-01-01-08
download:http://sourceforge.net/projects/tbdevnet/
tbdev is the most popular private torrent tracker codebase, with ~67,000 downloads from sf.net.
Installations of tbdev can be found here: http://www.btracs.com/
I like this exploit for a number of reasons.
For one, this attack chains together a number of flaws. In fact, you can hit a four-link chain against this application alone using this exploit:
reflective XSS -> CSRF -> stored XSS -> hijacking of all immortal session tokens
Using the stored XSS you can conduct further attacks against the client, such as my CSRF attacks against Azureus and uTorrent.
I wrote this exploit in JavaScript, and I'm using a reflective XSS flaw to execute the POST CSRF, so an HTTP server is not required to conduct this attack.
How To:
All you need to do is provide the exploit with the URL of the TBDev installation you are attacking and the JavaScript you would like to run on its index.php.
The final step is to get the administrator to click on the generated link.
If you are a member, the TBDev administrator *should* always be reachable at this URL:
http://localhost/userdetails.php?id=1
If not, make sure their class is 'sysop'.
If you are not a member, you can hijack an immortal session id by getting a member to click on the redir.php reflective XSS flaw.
You could try emailing or sending a personal message to the administrator with text like:
I think there is a bug on your site. This page just doesn't look right:
http://localhost/redir.php?url=xss
The generated link used here points to the victim's own site, which makes the social engineering attack more powerful.
To fix the site you have to log in to the SQL server and delete the poisoned news article manually. TBDev itself will be broken and cannot be used to clean up the attack.
Tested in IE and Firefox against an Ubuntu LAMP install.
Generated attack:
Size: (The attack is sent via GET, so try to keep this number low.)
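As an added defensive example (not part of this advisory or of tbdev), a small access-log scan that flags requests to redir.php whose url parameter carries markup or is unusually long, since the attack above rides a reflected parameter sent via GET. The log lines and the length threshold are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined-log style (not taken from any real tracker).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2010:10:00:00 +0000] "GET /redir.php?url=http://example.org/ HTTP/1.1" 302 0
10.0.0.9 - - [01/Jan/2010:10:00:01 +0000] "GET /redir.php?url=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2010:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Tag openers, javascript: URLs and on*= event handlers inside a redirect target.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=', re.I)


def suspicious_redirect(target, max_len=512):
    """Return a reason string if the request target looks like an XSS probe via redir.php, else None."""
    parts = urlsplit(target)
    if parts.path.rsplit('/', 1)[-1] != 'redir.php':
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    for value in qs.get('url', []):
        decoded = unquote(unquote(value))  # parse_qs decodes once; handle double-encoding too
        if MARKUP_RE.search(decoded):
            return 'markup in url parameter'
        if len(value) > max_len:  # assumed threshold; legitimate redirect targets are short
            return 'oversized url parameter'
    return None


def scan_log(text):
    """Return (ip, target, reason) tuples for every flagged request in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = suspicious_redirect(m.group('target'))
        if reason:
            hits.append((m.group('ip'), m.group('target'), reason))
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```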