Trape 2.0 SQLi and stored XSS
Trung Nguyen
| CyStack Advisory ID | CSA-2019-02 |
|---|---|
| CVE IDs | CVE-2019-13488, CVE-2019-13489 |
| Severity | Medium |
Trape is an OSINT analysis and research tool, which allows people to track and execute intelligent social engineering attacks in real time. It is a quite popular project, with 4k stars on Github, and a presentation at Black Hat Asia 2018. Recently, I have discovered 2 security vulnerabilities within this project. In this article, I will describe how I found these vulnerabilities, and consequently got 2 new CVEs assigned.
First bug: Stored XSS
Trape uses many AJAX requests on the admin client. What’s interesting is how this client processes data returned from server after these AJAX requests. Reading the code at static/js/trape.js, we see that Trape manually create HTML tags from the returned data, which attackers can partially control. The final HTML string is added to the DOM through a call to Jquery’s prepend method. The prepend method is vulnerable to XSS attack, providing that attackers can control the value of the HTML argument.
As the jQuery document says:
By design, any jQuery constructor or method that accepts an HTML string — jQuery(), .append(), .after(), etc. — can potentially execute code. This can occur by injection of script tags or use of HTML attributes that execute code (for example,
<img onload="">). Do not use these methods to insert strings obtained from untrusted sources such as URL query parameters, cookies, or form inputs. Doing so can introduce cross-site-scripting (XSS) vulnerabilities. Remove or escape any user input before adding content to the document.
To summarize, attacker-controlled inputs are reflected back to admin client without going through filtering. Running XSS attacks is then straight forward. The author has created a Proof of Concept with a simple <script>alert(1)</script> payload on Github.
This vulnerability has been assigned CVE-2019-13488.
Second bug: Blind SQL Injection
Being a phishing framework, Trape collects users’ data such as IP addresses, user agent strings, etc. and save these data in a SQLite database. Looking through the code at core/db.py, we see that Trape use parameterized queries to defend against SQL injection. However, not every variable is escaped correctly. The vulnerability is in line 128:
elif type == 'update_battery':
return ("UPDATE victims_battery SET " + data[2] + " = ? WHERE id = ?" , (data[1], data[0]))
The data[2] variable is manually concatenated to form a SQL query. Since no output is reflected back to the attacker, this bug creates a blind SQL injection vulnerability. Attacker can detect if an injected query returns true or false by using SQLite randomblob(1000000000). Then, attacker can potentially view or alter sensitive records stored in the database.
This vulnerability has been assigned CVE-2019-13489.
