Posted by: notIA 1 year, 5 months ago
What is TestLink?
Is a web-based test management system that facilitates software quality assurance. It is developed and maintained by Teamtest. The platform offers support for test cases, test suites, test plans, test projects and user management, as well as various reports and statistics.
Features
- User roles and management
- Grouping of test cases in test specifications
- Test plans
- Platforms
- Requirements with versioning and revisioning
- Support for testing different builds of the software
- Reports, charts and monitors
- Customization of the user interface using Smarty Templates
- Integration with LDAP
- Integration with other software using a provided API
- Bug tracking system integration (Mantis, Jira and others)
Vendor: https://testlink.org/
Look at the source!
In order to check the authorization mechanism, we search in code the session_start() assignment
We note the function "testLinkInitPage" and its arguments, catches our attention the arguments "dontCheckSession" and "userRightsCheckFunction",
then we search for TestLinkInitPage with his third argument setting as true, because we don't wanna to check our session (LOL we don't have)
Its seems that the files "attachmentdownload.php", "lnl.php" and "execPrint.php" don't check the user session, reading in deep on functions in these files,
we keep the file "attachmentdownload.php", let's see
It's assing id (of attachment), and skipcheck as variables directly from users requests, and no check users session, so we try to pass these values to construct a request to
"http://HOST/lib/attachments/attachmentdownload.php?id=1&skipCheck=1" on our lab:
on real pentester day's:
Really a bug?
not really by the vendor, because that:
but for pentester's life is a good point.
SPOILER
"http://HOST/lib/attachments/attachmentdownload.php?id=ITERATE_THIS_ID&skipCheck=1"Share on Twitter Share on Facebook
Recent Posts
- Writer Thread - Python
- Unauthorized File Download (Attached files) - TestLink (1.16 <= 1.19)
- (Des)Implementacion AES GCM + RSA OAEP - Hybrid Encryption - Python
- (Impacket) LiExec.py - bypass PTH/SMBexec/PSexec/WMIexec detection
- Erase Windows Audit logs
Archive
2021
2020
Categories
- ciphers (1)
- javascript (1)
- linux (1)
- nodejs (1)
- passthehash (1)
- pentest (3)
- php (1)
- powershell (1)
- psexec (1)
- pth (1)
- python (4)
- tips (2)
- web (2)
- windows (3)
Tags
- socks (1)
- python (4)
- reverse (1)
- RAT (1)
- cmd (1)
- powershell (2)
- windows (2)
- logs (1)
- auditlogs (1)
- deletelogs (1)
- eventviewer (1)
- eventvwr (1)
- cleanlogs (1)
- pth (1)
- pass-the-hash (1)
- passthehash (1)
- smbexec (1)
- wmiexec (1)
- psexec (1)
- impacket (1)
- nodejs (1)
- js (1)
- aes-gcm (1)
- aes (1)
- rsa (1)
- aes encryption (1)
- hybrid-encryption (1)
- hybrid (1)
- cipher (1)
- php (1)
- testlink (1)
- unauthorized (1)
- file download (1)
- mantis (1)
- test link (1)
- write thread (1)
- python thread (1)
- write (1)
- write to file (1)
- write python (1)
- thread write (1)
Authors
- notIA (6)
Comments
There are currently no comments
New Comment