Nico's hax0r blog

Unwanted promotion.

UPDATE: I’ve patched this exploit using my newly acquired admin powers. It will no longer work. So don’t waste your time! ;p

There’s another section on this site, where users can upload their music to promote it.

On the front page of the forum, there are the top 5 songs of the month (the 5 most played songs).

In the user CP, there's a form where you can upload your MP3 and add a title, album, and track number. And yet again, the user input wasn't being escaped at all. I figured this out quickly by entering only a single quote into one of the fields and receiving this error:

Invalid SQL:
UPDATE profile_audio SET title = ''', album = '',tracknumber = '00' WHERE audioid = 'xxx';

Great! Again we control the text of an UPDATE statement, which means we can set any column of any row in the "profile_audio" table, not just our own title and album. Now, how to make use of this?

Remember I have full admin rights? So I went to the admin CP to see if I was able to find useful information about the audio table. It didn’t take me long to find a list of all uploaded MP3s, including their information. There was one column called “Views per month”, and it took me about 3 guesses to find out that the actual field name in the database was “viewsmonth”.

Now let’s try to update this value using the exploit.

The user input was limited to 30 characters, but yet again on the client side only. I opened my best friend Firebug and removed this: maxlength="30"

UPDATE `profile_audio`
SET title='', `viewsmonth` = 5000
WHERE `audioid` = xxx

Yes, it’s that easy. Now my song is on the front page, and first in the list. But that’s not all. This exploit would also allow me to inject JavaScript into the front page, as explained here.
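To make the two queries above concrete, here is a small re-creation of the whole sequence (the single-quote probe, the viewsmonth injection, and a parameterized version that stops it) against an in-memory SQLite table. This is an added example, not the site's code: the column names are the ones the post mentions, but the table layout, the `update_audio_*` functions and the payload text are assumptions written for illustration.

```python
"""
Re-creation of the unescaped UPDATE from the post, beside a hardened version,
using an in-memory SQLite table. Everything here is constructed for
illustration: the table mirrors the column names the post mentions (title,
album, tracknumber, viewsmonth, audioid), but the real schema, the site's
code and its variable names are unknown.
"""
import sqlite3


def make_db():
    """Constructed sample table: two uploads, neither of them popular."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profile_audio ("
        "audioid INTEGER PRIMARY KEY, userid INTEGER, title TEXT, "
        "album TEXT, tracknumber TEXT, viewsmonth INTEGER DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO profile_audio VALUES (?, ?, ?, ?, ?, ?)",
        [(1, 100, "Demo track", "", "01", 3),
         (2, 200, "Other track", "", "01", 250)],
    )
    conn.commit()
    return conn


def update_audio_vulnerable(conn, audioid, title, album, tracknumber):
    """Builds the statement by string concatenation, the pattern the site's
    'Invalid SQL' error reveals: user input lands inside the quotes with no
    escaping, so a quote in any field rewrites the query."""
    sql = (
        "UPDATE profile_audio SET title = '" + title + "', album = '" + album
        + "',tracknumber = '" + tracknumber
        + "' WHERE audioid = '" + str(audioid) + "'"
    )
    conn.execute(sql)
    conn.commit()
    return sql


def update_audio_safe(conn, audioid, title, album, tracknumber):
    """Parameterized statement: values travel separately from the SQL text,
    so a quote or a comment marker is just data. The column list is fixed in
    the code, so no request can reach viewsmonth."""
    conn.execute(
        "UPDATE profile_audio SET title = ?, album = ?, tracknumber = ? "
        "WHERE audioid = ?",
        (title, album, tracknumber, audioid),
    )
    conn.commit()


def viewsmonth(conn, audioid):
    return conn.execute(
        "SELECT viewsmonth FROM profile_audio WHERE audioid = ?", (audioid,)
    ).fetchone()[0]


def title_of(conn, audioid):
    return conn.execute(
        "SELECT title FROM profile_audio WHERE audioid = ?", (audioid,)
    ).fetchone()[0]


# Assumed payload for the title field. It closes the title literal, adds an
# assignment to viewsmonth, supplies its own WHERE clause and comments out the
# rest of the original statement. It is longer than 30 characters, which is
# why the client-side maxlength had to be removed first.
PAYLOAD = "', viewsmonth = 5000 WHERE audioid = 1 -- "


def probe_single_quote(conn):
    """The post's first test: a lone quote in a field. With concatenation the
    statement no longer parses; the site echoed that back as 'Invalid SQL'.
    Returns the error text, or None if the quote was handled safely."""
    try:
        update_audio_vulnerable(conn, 1, "'", "", "00")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def run_vulnerable():
    """Submit the payload through the concatenating code: viewsmonth changes."""
    conn = make_db()
    update_audio_vulnerable(conn, 1, PAYLOAD, "", "00")
    return viewsmonth(conn, 1)


def run_safe():
    """Same payload through the parameterized code: it is stored as a title."""
    conn = make_db()
    update_audio_safe(conn, 1, PAYLOAD, "", "00")
    return viewsmonth(conn, 1), title_of(conn, 1)


if __name__ == "__main__":
    print("probe:", probe_single_quote(make_db()))
    print("vulnerable: viewsmonth =", run_vulnerable())
    print("safe: viewsmonth, title =", run_safe())
```

Two things worth noticing when you run it: the probe fails on a syntax error because the form never reached a server-side check, and the parameterized version needs no escaping at all, because the driver never splices the title into the SQL text in the first place. Escaping every field would also have closed this hole, but binding parameters removes the whole class of mistake rather than one instance of it.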

If I had malicious intentions, I could really mess things up now.