0x00 background
PT is short for Private Tracker, a private seed server. It records every user's upload and download volume and therefore the user's share ratio; it can be thought of as an upgraded form of BT. Only by keeping the share ratio up does an account avoid deletion. PT is a type of BT download with two obvious differences: first, it is private, for small-scale downloading; second, it keeps traffic statistics and grants permissions according to upload volume, and requires DHT to be disabled. By selecting and controlling the number of users, downloaders within that limited circle can basically saturate their own bandwidth. PT downloading is also tied to a forum account through a binding mechanism, so that users upload while they download. (From Baidu Baike)
Take the PT site on which the author is registered as an example. Because the PT tracker records downloads and uploads, there is a share ratio, and the account level depends on share ratio, download volume and upload volume. If the share ratio is too low, consequences such as a ban follow. But is the PT protocol really reliable? See the analysis below. If you are not interested in the principle, jump directly to 0x03.
0x01 Server Source Code Analysis
At present most PT sites run NexusPHP. The author uses NexusPHP v1.5.beta5.20120707 as the example.
The important data the server receives are passkey, info_hash, port, uploaded, downloaded, left and event:
    passkey: uniquely identifies a user.
    info_hash: uniquely identifies the current resource (torrent).
    port: the port on which the client listens for other peers.
    uploaded: bytes uploaded so far in this session (unit: byte).
    downloaded: bytes downloaded so far (unit: byte).
    left: bytes still to download (unit: byte).
    event: current status (the important values are started, completed and stopped).
The server implements the data update and the cheating detection in ./announce.php.
First the data update part, lines 231 to 316 of the file. After a series of checks come two lines:
    $USERUPDATESET[] = "uploaded = uploaded + $upthis";
    $USERUPDATESET[] = "downloaded = downloaded + $truedownthis";
and later in the file:
    sql_query("UPDATE users SET " . join(",", $USERUPDATESET) . " WHERE id = " . $userid);
After this UPDATE of the users table, the upload volume becomes the previous upload volume plus the upload reported in this announce, and the download volume becomes the previous download volume plus the download reported in this announce.
Next the cheating detection code.
The first check is on the User-Agent. See announce.php line 6:
    $agent = $_SERVER["HTTP_USER_AGENT"];
    block_browser();
The block_browser function is in ./include/functions_announce.php:
    function block_browser()
    {
        $agent = $_SERVER["HTTP_USER_AGENT"];
        if (preg_match("/^Mozilla/", $agent) || preg_match("/^Opera/", $agent) ||
            preg_match("/^Links/", $agent) || preg_match("/^Lynx/", $agent))
            err("Browser access blocked!");
        // Check headers
        if (function_exists('getallheaders')) { // getallheaders() is only supported
                                                 // when PHP is installed as an Apache module
            $headers = getallheaders();
            // else
            // $headers = emu_getallheaders();
            if ($_SERVER["HTTPS"] != "on")
            {
                if (isset($headers["Cookie"]) || isset($headers["Accept-Language"]) ||
                    isset($headers["Accept-Charset"]))
                    err("Anti-Cheater: You cannot use this agent");
            }
        }
    }
This rejects the User-Agent prefixes of several common browsers and then inspects the Cookie, Accept-Language and Accept-Charset headers: if the request is not over HTTPS and carries any of these headers, which a browser sends and a BitTorrent client does not, it is rejected. Note that the header check only runs when getallheaders() exists, that is, when PHP runs as an Apache module.
The second check is the port. See announce.php line 35:
    // Check port and connectable
    if (portblacklisted($port))
        err("Port $port is blacklisted.");
The portblacklisted function, in ./include/functions_announce.php, restricts the port range. But $port is taken straight from the GET request and can be set to any allowed value by the client.
Then the identity and torrent information are fetched and verified (skipped here). The server dynamically maintains a peers table that records the current session of each peer.
The third check is the announce interval. See announce.php line 163:
    // Min announce time
    if (isset($self) && $self['prevts'] > (TIMENOW - $announce_wait))
        err('There is a minimum announce time of ' . $announce_wait . ' seconds');
$announce_wait is defined on line 100 as $announce_wait = 30, so the announce interval may not be less than 30 seconds. $self is the row of the current session in the peers table.
The fourth check is on announce.php lines 219 and 220:
    $upthis = $trueupthis = max(0, $uploaded - $self["uploaded"]);
    $downthis = $truedownthis = max(0, $downloaded - $self["downloaded"]);
$self["uploaded"] and $self["downloaded"] are the values stored in the peers table; $uploaded and $downloaded are the values the server received via GET. These two lines assume that, within the current active session, $uploaded and $downloaded only ever increase: the credited amount is the difference from the previous announce, and a value that went down is clamped to zero rather than subtracted.
Next is an important check, the check_cheater function in ./include/functions_announce.php.
The comments in check_cheater are clear: it essentially judges the upload speed under different conditions. At the default security level, if the upload speed exceeds 100 MByte/s the account is disabled automatically, and uploading on the order of 1 GB at a high MByte/s rate is recorded as possible cheating. If the administrator sets a higher security level, the current number of downloading peers is also considered: an upload speed out of proportion to the number of downloaders counts as possible cheating. Possible cheating is recorded in the cheaters table: if there is no record for you within the last 24 hours a new one is added, otherwise the hit count of the existing record is incremented.
This function only checks the upload-related parameters and never looks at the downloaded figure, so the download volume can be forged or simply not reported.
That covers the cheating detection. Finally, the values of the current status (event).
stopped corresponds to exiting the client, stopping the download or stopping seeding; the server removes your row from the peers table.
completed means the current torrent has finished downloading, which is visible in the torrent's status on the site. If completed is never sent, the torrent is still downloading or was deleted, and it shows as "unfinished".
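To make the sequence of checks concrete, the following Python model replays the announce handling described in this section. It is an added example for this writeup, not NexusPHP code: the $announce_wait = 30 interval, the 100 MByte/s limit of the default security level and the max(0, ...) delta rule follow the analysis above, while the blocked port range in port_blacklisted(), the error texts and the in-memory tables are assumptions. The cheaters-table bookkeeping and the higher security levels are left out.

```python
"""Model of the NexusPHP announce.php checks analysed above.
Added example, not NexusPHP code. Thresholds follow the article; the
blocked port range and the error texts are assumptions."""

import re
from dataclasses import dataclass, field

ANNOUNCE_WAIT = 30                 # $announce_wait, line 100 of announce.php
SPEED_LIMIT = 100 * 1024 * 1024    # check_cheater default level: 100 MByte/s
BROWSER_UA = re.compile(r"^(Mozilla|Opera|Links|Lynx)")
BROWSER_HEADERS = ("Cookie", "Accept-Language", "Accept-Charset")


class AnnounceError(Exception):
    """Stands in for err(): the tracker answers with a failure message."""


@dataclass
class Peer:
    """One row of the peers table, what the PHP code calls $self."""
    uploaded: int
    downloaded: int
    prevts: int


@dataclass
class User:
    """One row of the users table plus the user's active sessions."""
    uploaded: int = 0
    downloaded: int = 0
    disabled: bool = False
    peers: dict = field(default_factory=dict)   # info_hash -> Peer


def block_browser(headers, https=False):
    """First check: browser user agents, and over plain HTTP any header a
    BitTorrent client would not send."""
    if BROWSER_UA.match(headers.get("User-Agent", "")):
        raise AnnounceError("Browser access blocked!")
    if not https and any(h in headers for h in BROWSER_HEADERS):
        raise AnnounceError("Anti-Cheater: You cannot use this agent")


def port_blacklisted(port):
    """Second check. ASSUMPTION: the real portblacklisted() list is not on
    the page; here privileged and out-of-range ports are refused."""
    return port < 1024 or port > 65535


def announce(user, params, headers, now, https=False):
    """Handle one announce; return the (upthis, downthis) credited to user."""
    block_browser(headers, https)
    port = int(params["port"])
    if port_blacklisted(port):
        raise AnnounceError(f"Port {port} is blacklisted.")

    info_hash = params["info_hash"]
    uploaded, downloaded = int(params["uploaded"]), int(params["downloaded"])
    self_ = user.peers.get(info_hash)

    # Third check: minimum announce interval, only when a session row exists.
    if self_ is not None and self_.prevts > now - ANNOUNCE_WAIT:
        raise AnnounceError(
            f"There is a minimum announce time of {ANNOUNCE_WAIT} seconds")

    if self_ is None:
        # First announce of a session (event=started): create the row, credit nothing.
        user.peers[info_hash] = Peer(uploaded, downloaded, now)
        upthis = downthis = 0
    else:
        # Fourth check: only increases count; a counter that went down yields 0.
        upthis = max(0, uploaded - self_.uploaded)
        downthis = max(0, downloaded - self_.downloaded)
        # check_cheater, default level: upload speed only. The downloaded
        # figure is never inspected, which is the gap discussed in 0x03.
        if upthis / max(1, now - self_.prevts) > SPEED_LIMIT:
            user.disabled = True
            raise AnnounceError("Anti-Cheater: upload speed too high, account disabled")
        self_.uploaded, self_.downloaded, self_.prevts = uploaded, downloaded, now

    # UPDATE users SET uploaded = uploaded + $upthis, downloaded = downloaded + $truedownthis
    user.uploaded += upthis
    user.downloaded += downthis
    if params.get("event") == "stopped":
        del user.peers[info_hash]          # the session row is removed on stop
    return upthis, downthis


def announce_result(user, params, headers, now, https=False):
    """Wrapper that reports a rejection instead of raising, for easy comparison."""
    try:
        return ("ok",) + announce(user, params, headers, now, https)
    except AnnounceError as exc:
        return ("rejected", str(exc))
```

Feeding it a started announce followed by periodic ones shows the two properties the rest of the article builds on: a decrease in a counter is silently clamped to zero, and any increase of uploaded that stays under the speed limit is credited without further question.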
0x02 client packet capture Verification
The author tested with uTorrent 3.1.3.
First, configure a proxy in uTorrent pointing at Burp so that the traffic can be captured. Only the tracker (hostname) connections need to go through the proxy to capture the requests sent to the server.
Download the torrent and load it. The tracker list is shown in the advanced options; the tracker URL points at the server script analysed in 0x01.
Click OK to start the download and capture with Burp.
The first request is a GET to scrape.php, which checks whether the torrent exists on the tracker (the two info_hash values are the two torrents loaded):
    GET /scrape.php?passkey=xxx&info_hash=%d5%bb%80%2a%c3v%ac%3d%5e%01%90%7fu%9c%a4%bc%afK7%81&info_hash=%12%3f%PC3%a5%8c5M%d7%9e%1b%40Q%cb%2a%14%bf%a7%f09 HTTP/1.1
    Host: xxx
    User-Agent: uTorrent/3130(27385)
    Accept-Encoding: gzip
    Connection: Close
When the resource exists, the second request goes to announce.php, the server's main script, and so do all later requests. At this point the torrent shows as incomplete on the site.
    GET /announce.php?passkey=xxx&info_hash=%d5%bb%80%2a%c3v%ac%3d%5e%01%90%7fu%9c%a4%bc%afK7%81&peer_id=-UT3130-%f9j%b7J%24%e6%b9%85%9a%d1zv&port=41677&uploaded=0&downloaded=0&left=137201853&corrupt=0&key=03731F6C&event=started&numwant=200&compact=1&no_peer_id=1&ipv6=xxxx HTTP/1.1
    Host: xxxx
    User-Agent: uTorrent/3130(27385)
    Accept-Encoding: gzip
    Connection: Close
This request shows event=started, uploaded=0, downloaded=0, left=137201853. The next one:
    GET /announce.php?passkey=xxx&info_hash=%d5%bb%80%2a%c3v%ac%3d%5e%01%90%7fu%9c%a4%bc%afK7%81&peer_id=-UT3130-%f9j%b7J%24%e6%b9%85%9a%d1zv&port=41677&uploaded=0&downloaded=52953088&left=83036349&corrupt=0&key=03731F6C&numwant=200&compact=1&no_peer_id=1&ipv6=xxx HTTP/1.1
    Host: xxx
    User-Agent: uTorrent/3130(27385)
    Accept-Encoding: gzip
    Connection: Close
This time the request carries progress: uploaded=0, downloaded=52953088, left=83036349. There is no event parameter on these periodic announces.
After the download finishes, event=completed is sent and the torrent shows as complete on the site:
    GET /announce.php?passkey=xxx&info_hash=%d5%bb%80%2a%c3v%ac%3d%5e%01%90%7fu%9c%a4%bc%afK7%81&peer_id=-UT3130-%f9j%b7J%24%e6%b9%85%9a%d1zv&port=41677&uploaded=0&downloaded=137201853&left=0&corrupt=0&key=03731F6C&event=completed&numwant=200&compact=1&no_peer_id=1&ipv6=xxx HTTP/1.1
    Host: xxx
    User-Agent: uTorrent/3130(27385)
    Accept-Encoding: gzip
    Connection: Close
When the uTorrent client is closed, the following request is sent:
    GET /announce.php?passkey=xxx&info_hash=%d5%bb%80%2a%c3v%ac%3d%5e%01%90%7fu%9c%a4%bc%afK7%81&peer_id=-UT3130-%f9j%b7J%24%e6%b9%85%9a%d1zv&port=41677&uploaded=7438336&downloaded=137201853&left=0&corrupt=0&key=03731F6C&event=stopped&numwant=0&compact=1&no_peer_id=1 HTTP/1.1
    Host: xxx
    User-Agent: uTorrent/3130(27385)
    Accept-Encoding: gzip
    Connection: Close
Here event=stopped, and the session's upload (7438336 bytes) is reported for the first time.
Looking at these requests together: the User-Agent is uTorrent/3130(27385) and there is no Cookie, Accept-Language or Accept-Charset header, which is the server's first check. The port is within the range the server allows, the second check. Comparing the capture timestamps, announces are sent at one fixed interval while the download is in progress and every 30 minutes after it completes, that is, the tracker update interval; this gives the client enough peers at any time during the download without the peers occupying too many server resources, and it satisfies the third check. The fourth check and check_cheater are not discussed here because they cannot be observed directly from the client side.
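Parsing the captured requests programmatically shows exactly what the tracker receives and how it would credit the session. The following Python is an added example, not the author's tooling: the four announce request lines are reconstructed from the captures above (with the placeholder passkey kept and the elided ipv6 value omitted), and the replay applies the max(0, delta) rule from 0x01 to them.

```python
"""Parse the announce requests captured above and replay them the way
announce.php credits traffic. Added example; the request lines are
reconstructed from the article's captures (passkey placeholder kept,
elided ipv6 value omitted)."""

from urllib.parse import unquote_to_bytes

COMMON = ("GET /announce.php?passkey=xxx"
          "&info_hash=%d5%bb%80%2a%c3v%ac%3d%5e%01%90%7fu%9c%a4%bc%afK7%81"
          "&peer_id=-UT3130-%f9j%b7J%24%e6%b9%85%9a%d1zv&port=41677")

# The four announces from the capture, in order (constructed from the text above).
CAPTURED = [
    COMMON + "&uploaded=0&downloaded=0&left=137201853&corrupt=0&key=03731F6C"
             "&event=started&numwant=200&compact=1&no_peer_id=1 HTTP/1.1",
    COMMON + "&uploaded=0&downloaded=52953088&left=83036349&corrupt=0&key=03731F6C"
             "&numwant=200&compact=1&no_peer_id=1 HTTP/1.1",
    COMMON + "&uploaded=0&downloaded=137201853&left=0&corrupt=0&key=03731F6C"
             "&event=completed&numwant=200&compact=1&no_peer_id=1 HTTP/1.1",
    COMMON + "&uploaded=7438336&downloaded=137201853&left=0&corrupt=0&key=03731F6C"
             "&event=stopped&numwant=0&compact=1&no_peer_id=1 HTTP/1.1",
]

BINARY_FIELDS = ("info_hash", "peer_id")    # raw 20-byte values, percent-encoded
INT_FIELDS = ("port", "uploaded", "downloaded", "left", "corrupt", "numwant")


def parse_announce(request_line):
    """Split a request line into its announce parameters.

    urllib.parse.parse_qs would decode info_hash as UTF-8 text and corrupt
    it, so the query is split by hand and binary fields are kept as bytes."""
    _method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    raw = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        raw[key] = unquote_to_bytes(value) if key in BINARY_FIELDS else value
    out = {
        "path": path,
        "passkey": raw["passkey"],
        "info_hash": raw["info_hash"].hex(),
        # Azureus-style peer_id: "-" + two-letter client + four-char version + "-"
        "client": raw["peer_id"][:8].decode("ascii", "replace"),
        "event": raw.get("event"),           # absent on periodic announces
    }
    for name in INT_FIELDS:
        if name in raw:
            out[name] = int(raw[name])
    return out


def session_deltas(request_lines):
    """Credit each announce as announce.php does: difference from the previous
    announce of the session, clamped at zero, nothing for the first one."""
    prev_up = prev_down = None
    rows = []
    for line in request_lines:
        a = parse_announce(line)
        if prev_up is None:
            up = down = 0
        else:
            up = max(0, a["uploaded"] - prev_up)
            down = max(0, a["downloaded"] - prev_down)
        prev_up, prev_down = a["uploaded"], a["downloaded"]
        rows.append((a["event"], up, down, a["left"]))
    return rows


def session_totals(request_lines):
    """Total (uploaded, downloaded) the users table gains from the session."""
    rows = session_deltas(request_lines)
    return sum(r[1] for r in rows), sum(r[2] for r in rows)
```

Replaying the four captured announces credits 137201853 bytes downloaded across the periodic and completed announces and 7438336 bytes uploaded on the stopped announce alone, which matches the cumulative counters in the last request; the info_hash decodes to the 20-byte value the tracker uses to find the torrent.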
0x03 PT protocol vulnerabilities and exploitation
From the analysis above, the weaknesses of the PT protocol can be summarised as follows.
1. The client reports its upload and download figures in a plain GET request and the tracker has no independent measurement of the traffic, so the figures can be forged.
2. PT identifies the user solely by the passkey. The passkey is generated as MD5(username + time + passhash) and is embedded in the announce URL of every torrent downloaded from the site. It cannot be forged, but it can be extracted.
3. Cheating detection covers only the uploaded figure, not downloaded, so a download can be under-reported or performed without being counted at all.
4. A torrent can carry several trackers, and the server does not (or cannot) detect this. On every tracker update the client sends the same upload and download figures to every tracker in the list, so the same traffic is counted several times.
5. Every announce is processed by the tracker script, which queries the database several times per request, so it is exposed to CC (HTTP flood) attacks; once one succeeds the whole server stops working.
To exploit the first weakness, send the announce requests by hand while observing the checks described above, paying attention to the current number of downloaders, which can be read from a page on the site and extracted with a regular expression. For want of skill the author has not turned this into a tool.
For the second weakness, ask an unsuspecting user for a torrent they downloaded from the site, load it in uTorrent, open Advanced to view the tracker URL and note its passkey. Later, when you want to download a torrent without spending your own download quota, replace the tracker URL in your torrent with the victim's. Every tracker update then reports under the victim's identity, and the download is counted against the victim's account. After the download finishes, restart uTorrent so the upload counter is cleared, change the tracker back to your own, and the upload volume is counted for your account.
For the third weakness, remove the tracker once it has supplied the initial peer list at the start of the download. The peers then send the file to you while no traffic figures are reported to the server. After the download finishes, restart uTorrent and add the tracker back to seed, so the upload volume is counted for your account. (Use with caution: at a high security level this can get other people flagged!)
For the fourth weakness, the prerequisite is several friends, or a girlfriend. After obtaining the torrent by whatever means, restart uTorrent and add both your own tracker URL and the other users' tracker URLs to the tracker list: one person seeds, and everyone in the list is credited with the traffic.
The fifth is not explained further: CC attacks are illegal.
0x04 postscript
This weakness was found a long time ago and has not been written up in detail, since the idea of cheating conflicts with the spirit of sharing.
During this period I also tried it several times; once, showing off too much, I got the IP address under my account banned, and then kept a low profile.
A further development: use a proxy to get around the IP restriction and quietly download and upload. Unless there are special circumstances, I hope everyone follows the PT rules and enjoys sharing.
The above methods are for research only. If problems occur, the consequences are your own responsibility and have nothing to do with the author.