OwnDrive & File CMS v1.0 WebShell Upload & Stored XSS Injection

2019.05.16
QUIXSS (RU)
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

[*] :: Title: OwnDrive & File CMS v1.0 WebShell Upload & Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-05-15
[*] :: Software: OwnDrive & File CMS v1.0

[?] :: Technical Details & Description:
# Weak security measures, namely no filtering of input field data and unrestricted .PHP file upload, have been discovered in the «OwnDrive & File CMS» web application, current version 1.0.

[?] :: Demo Website:
# https://codecanyon.net/item/owndrive-file-cms/22350701
# Backend (admin): http://owndrive.rudleobulksms.in/index.php/login
# Login/Password (admin): admin/admin

[!] :: Special Note:
# Some PHP files are automatically deleted after ~2 seconds. If this is a «security measure», then it is really easy to bypass by using any PHP obfuscator (most webshells already have this option by default).

[!] :: For developers:
# Disabling any data changes on a demo website doesn't make your application more secure. It's good for business and sales, but you are simply double-crossing your clients.

[+] :: PoC [Links]:
# http://owndrive.rudleobulksms.in/drive/QUIXSS/quixss.html
# http://owndrive.rudleobulksms.in/user_profile/up.php
# http://owndrive.rudleobulksms.in/google_drive/up.php
# http://owndrive.rudleobulksms.in/drive/QUIXSS/adminer.php
# http://owndrive.rudleobulksms.in/drive/QUIXSS/info.php
# http://owndrive.rudleobulksms.in/index.php/own_drive_sub/index/QUIXSS

[+] :: PoC #1 [WebShell Upload]:
# Authorize on the demo website for tests: http://owndrive.rudleobulksms.in/index.php/login (login/password is admin/admin). Then go to the «Own Drive» page http://owndrive.rudleobulksms.in/index.php/own_drive and upload your PHP file (pay attention to the «Special Note»).

[+] :: PoC #2 [Stored XSS Injection]:
# Authorize on the demo website for tests: http://owndrive.rudleobulksms.in/index.php/login (login/password is admin/admin). Then go to the «User Department» page http://owndrive.rudleobulksms.in/index.php/users_group and edit any existing group or create a new one. The «User group name» input field is vulnerable to Stored XSS Injection, so feel free to use your payload and save the data.
# Sample payload #1: "><script>alert('QUIXSS')</script>
# Sample payload #2: "><script>location='https://twitter.com/quixss';</script>
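Both findings come down to missing server-side controls: the drive accepts any file and stores it under a web-served path, and the group name is echoed back unencoded. The following PHP is an added example, not code from OwnDrive & File CMS, of the checks a hardened upload handler and the group-name template should apply; `ALLOWED_TYPES`, `storeUploadSafely`, `e` and the `$uploadRoot` directory are assumed names, and the allowlist is a constructed sample. Note that deleting .php files a couple of seconds after they land, as the Special Note describes, is not a control: the file is executable for that window, so the decision has to be made before the file is stored.

```php
<?php
declare(strict_types=1);

// Allowlist of extensions the drive is meant to hold (constructed sample),
// each mapped to the MIME types its content must actually have.
const ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'txt'  => ['text/plain'],
];

/**
 * Validate one $_FILES entry and move it under $uploadRoot, which is assumed
 * to be a directory OUTSIDE the web root. Returns the server-chosen filename.
 */
function storeUploadSafely(array $file, string $uploadRoot): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Only the extension of the client name is consulted, never the name itself,
    // and anything not in the allowlist (.php, .phtml, .phar, ...) is refused.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("extension not allowed: .$ext");
    }
    // Inspect the bytes; $file['type'] is supplied by the browser and untrusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException("content does not match .$ext: $mime");
    }
    // Random name: no user-controlled path segments or double extensions survive.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $uploadRoot . '/' . $name)) {
        throw new RuntimeException('could not move upload');
    }
    return $name;
}

/** Output encoding for the «User group name» field: encode when rendering. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// In the users_group edit template, the stored name is always wrapped with e():
//   <input name="group_name" value="<?= e($group['name']) ?>">
// so "><script>alert('QUIXSS')</script> renders as text instead of running.
```

The `e()` wrapper neutralises the two sample payloads above because the closing quote and angle brackets become `&quot;`, `&lt;` and `&gt;` in the response.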

References:

https://codecanyon.net/item/owndrive-file-cms/22350701
https://twitter.com/quixss


Copyright 2019, cxsecurity.com