Exploit Title: SQL Injection Vulnerability in Issue Trak <= 7.0 (Possibly applicable up to version 9.7)
Vendor Homepage: http://issuetrak.com
Version: Confirmed 7.0; <= 7.0 extremely likely; up to 9.7 very likely
Google Dork: inurl:"IssueTrak" inurl:"asp"
Discovered By: Chris Anastasio
Raw HTTP Request
POST /IssueTrak/IssueSearch_Process.asp HTTP/1.1
sqlmap -r issueTrakSearchReq.txt --dbms=mssql --level=5 --batch
- "issueTrakSearchReq.txt" should be a plain text file containing the raw HTTP request shown above.
- The "Host" header of the HTTP request should be updated with an IP address that hosts an IssueTrak 7.0 installation.
- A SQL injection vulnerability has been identified in IssueTrak 7.0 which, if successfully exploited, could allow an attacker to access sensitive information in the database.
- Authentication is generally required in order to hit this endpoint. If a non-SQL-injection request is made, the result is a redirect to the login page. However, it appears that on the back end this request touches the database even without authentication, making it exploitable from a pre-authentication vantage point.
- IssueTrak 7.0 was released in 2006.
2018-05-18: Initial vendor contact
2018-05-21: Vendor implies that this version of IssueTrak is no longer supported. Also states that releases starting with 9.7 do not suffer from this vulnerability.
2016-05-28: PoC details published
Illumant has conducted thousands of security assessment and compliance engagements, helping over 800 clients protect themselves from cyber-attacks. Through meticulous manual analysis, Illumant helps companies navigate the security and threat landscape to become more secure, less of a target, and more compliant. For more information, visit https://illumant.com/