Hack the Hackers and Track the Trackers: CVE-2017-17713 and CVE-2017-17714 – Multiple SQL Injections and XSS Vulnerabilities found in the Hackers tracking tool “Trape” from “Boxug”

[-] About the Tool:

Trape is a recognition tool that allows you to track people; the information you can get is very detailed. We want to teach the world through this, as large Internet companies could monitor you, obtaining information beyond your IP.

[-] Tool Benefits:

One of its most enticing functions is the remote recognition of sessions. You can know where a person has logged in, remotely. This occurs through a bypass made to the Same Origin Policy (SOP).
Currently you can try everything from a web interface. (The console becomes a preview of the logs and actions.)
Registration of victims, requests, among other data, are obtained in real time.

If you get more information from a person behind a computer, you can generate a more direct and sophisticated attack. Trape was used at some point to track down criminals and know their behavior.
You can do real time phishing attacks
Simple hooking attacks
Mapping
Important details of the objective
Capturing credentials
Open Source Intelligence (OSINT)

[-] Tool URL(s):
https://github.com/boxug/trape

[-] Vulnerability Type:
Multiple SQL Injections and POST-based Cross Site Scripting vulnerabilities

[-] Impact and more info:

https://www.owasp.org/index.php/SQL_Injection

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

[-] Version(s) affected:
Community and Professional version before “05-11-2017”

[-] Trape before “05-11-2017” SQLi and XSS Vulnerable Module(s)/Parameter(s)/Path(s):
[Tool_Base_URL]/nr [red parameter]
[Tool_Base_URL]/nr [vId parameter]
[Tool_Base_URL]/register [User-Agent HTTP header]
[Tool_Base_URL]/register [country parameter]
[Tool_Base_URL]/register [countryCode parameter]
[Tool_Base_URL]/register [cpu parameter]
[Tool_Base_URL]/register [isp parameter]
[Tool_Base_URL]/register [lat parameter]
[Tool_Base_URL]/register [lon parameter]
[Tool_Base_URL]/register [org parameter]
[Tool_Base_URL]/register [query parameter]
[Tool_Base_URL]/register [region parameter]
[Tool_Base_URL]/register [regionName parameter]
[Tool_Base_URL]/register [timezone parameter]
[Tool_Base_URL]/register [vId parameter]
[Tool_Base_URL]/register [zip parameter]
[Tool_Base_URL]/tping [id parameter]
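
The inputs listed above are all client-supplied request values that end up in the SQLite tracking database and are later shown in the web panel. The following is an added example, not Trape's code and not the fixing commit: it contrasts a string-built insert with a parameterized one and escapes stored values on output. The table layout, function names and sample request are assumptions constructed for illustration.

```python
import html
import sqlite3

# Hypothetical table; columns mirror four of the /register inputs listed above.
FIELDS = ("vId", "country", "isp", "user_agent")

# Constructed sample request: an apostrophe and markup are enough to show the flaw.
SAMPLE = {
    "vId": "a1b2c3",
    "country": "Mexico",
    "isp": "O'Brien Telecom",
    "user_agent": "Mozilla/5.0 <b>test</b>",
}

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE victims (vId TEXT, country TEXT, isp TEXT, user_agent TEXT)")
    return db

def register_unsafe(db, form):
    # Vulnerable pattern: request values are spliced into the SQL text itself.
    values = tuple(form[f] for f in FIELDS)
    db.execute("INSERT INTO victims VALUES ('%s', '%s', '%s', '%s')" % values)

def register_safe(db, form):
    # Hardened pattern: placeholders keep every value as data, never as SQL syntax.
    db.execute("INSERT INTO victims VALUES (?, ?, ?, ?)", tuple(form[f] for f in FIELDS))

def render_row(row):
    # Escape stored values on output so they cannot become markup in the panel.
    return "<tr>" + "".join("<td>%s</td>" % html.escape(v) for v in row) + "</tr>"

def demo():
    db = make_db()
    try:
        register_unsafe(db, SAMPLE)
        unsafe_result = "stored"
    except sqlite3.OperationalError as exc:
        # The apostrophe ended the string literal early, so the statement no longer parses.
        unsafe_result = "statement broken: %s" % exc
    register_safe(db, SAMPLE)
    rows = db.execute("SELECT * FROM victims").fetchall()
    return unsafe_result, rows, render_row(rows[0])

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The same placeholder approach applies to header-derived values such as User-Agent, which are as client-controlled as any form field.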

[-] Proof of concept Video(s):

1. Boxug/Trape (SQL Injection and taking over the hacker’s SQLite Tracking database PoC) – Part 1
https://www.youtube.com/watch?v=RWw1UTeZee8

2. Boxug/Trape (SQL Injection & XSS and taking over the hacker’s SQLite Tracking database PoC) – Part 2
https://www.youtube.com/watch?v=Txp6IwR24jY

3. Boxug/Trape (SQL Injection and taking over the hacker’s SQLite Tracking database PoC) – Part 3
https://www.youtube.com/watch?v=efmvL235S-8

[-] Fixing Commit:
https://github.com/boxug/trape/commit/628149159ba25adbfc29a3ae1d4b10c7eb936dd3

[-] Disclaimer:
This bug is subject to the Seekurity SAS de C.V. responsible disclosure rules, which set a 90-day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug details will become visible to the public through our official communication channels.

 

 
