Advisories

Trape 2.0 SQLi and stored XSS

CyStack image

Trung Nguyen

CEO @CyStack|April 5, 2023
Trape 2.0 SQLi and stored XSS

CyStack Advisory ID CSA-2019-02
CVE IDs CVE-2019-13488, CVE-2019-13489
Severity Medium

Trape is an OSINT analysis and research tool, which allows people to track and execute intelligent social engineering attacks in real time. It is a quite popular project, with 4k stars on Github, and a presentation at Black Hat Asia 2018. Recently, I have discovered 2 security vulnerabilities within this project. In this article, I will describe how I found these vulnerabilities, and consequently got 2 new CVEs assigned.

First bug: Stored XSS

Trape uses many AJAX requests on the admin client. What’s interesting is how this client processes data returned from server after these AJAX requests. Reading the code at static/js/trape.js, we see that Trape manually create HTML tags from the returned data, which attackers can partially control. The final HTML string is added to the DOM through a call to Jquery’s prepend method. The prepend method is vulnerable to XSS attack, providing that attackers can control the value of the HTML argument.
As the jQuery document says:

By design, any jQuery constructor or method that accepts an HTML string — jQuery(), .append(), .after(), etc. — can potentially execute code. This can occur by injection of script tags or use of HTML attributes that execute code (for example, <img onload="">). Do not use these methods to insert strings obtained from untrusted sources such as URL query parameters, cookies, or form inputs. Doing so can introduce cross-site-scripting (XSS) vulnerabilities. Remove or escape any user input before adding content to the document.

To summarize, attacker-controlled inputs are reflected back to admin client without going through filtering. Running XSS attacks is then straight forward. The author has created a Proof of Concept with a simple <script>alert(1)</script> payload on Github.

This vulnerability has been assigned CVE-2019-13488.

Second bug: Blind SQL Injection

Being a phishing framework, Trape collects users’ data such as IP addresses, user agent strings, etc. and save these data in a SQLite database. Looking through the code at core/db.py, we see that Trape use parameterized queries to defend against SQL injection. However, not every variable is escaped correctly. The vulnerability is in line 128:

elif type == 'update_battery':
            return ("UPDATE victims_battery SET " + data[2] + " = ? WHERE id = ?" , (data[1], data[0]))

The data[2] variable is manually concatenated to form a SQL query. Since no output is reflected back to the attacker, this bug creates a blind SQL injection vulnerability. Attacker can detect if an injected query returns true or false by using SQLite randomblob(1000000000). Then, attacker can potentially view or alter sensitive records stored in the database.

This vulnerability has been assigned CVE-2019-13489.

Related posts

Stored XSS leads to account takeover in Flarum
Stored XSS leads to account takeover in Flarum
November 19 2022|Advisories

CyStack Advisory ID CSA-2022-01 CVE IDs CVE-2022-41938 Severity Critical CVSS v3 Base 9.0 Synopsis CyStack’s researchers recently discovered a Stored XSS vulnerability in the Flarum platform version 1.5.0 to 1.6.1 which can lead to an account takeover attack. Flarum is a widely used simple and open-source forum platform. At the time of this post, we […]

Cyclos &lt; 4.14.15 &#8211; Remote code execution
Cyclos < 4.14.15 – Remote code execution
June 24 2022|Advisories

CyStack Advisory ID CSA-2021-01 CVE IDs CVE-2021-44832 Severity Critical CVSS v3 Base 10.0 Synopsis Cyclos is a payment software created for banks, barters, remittances, and innovative currency systems. Cyclos is used by more than 1500 payment systems worldwide. CyStack recently found that Cyclos versions prior to 4.14.15 are vulnerable to the remote code execution vulnerability. […]

macOS Rootkit Emulation
macOS Rootkit Emulation
June 24 2022|Advisories

Kernel rootkit is considered the most dangerous malware that may infect computers. Operating at ring 0, the highest privilege level in the system, this super malware has unrestricted power to control the whole machine, thus can defeat all the defensive and monitoring mechanisms. Unfortunately, dynamic analysis solutions for kernel rootkits are severely lacking; indeed, most […]