[*] :: Title: OwnDrive & File CMS v1.0 WebShell Upload & Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-05-15
[*] :: Software: OwnDrive & File CMS v1.0
[?] :: Technical Details & Description:
# Weak security measures, namely no filtering of input field data and unrestricted upload of .PHP files, have been discovered in the «OwnDrive & File CMS» web application (current version 1.0).
[?] :: Demo Website:
# https://codecanyon.net/item/owndrive-file-cms/22350701
# Backend (admin): http://owndrive.rudleobulksms.in/index.php/login
# Login/Password (admin): admin/admin
[!] :: Special Note:
# Some PHP files are automatically deleted after ~2 seconds. If this is a «security measure», then it's really easy to bypass by using any PHP obfuscator (most webshells already have this option by default).
[!] :: For developers:
# Disabling any data changes on demo websites doesn't make your applications more secure. It's good for business and sales, but you are simply double-crossing your clients.
[+] :: PoC [Links]:
# http://owndrive.rudleobulksms.in/drive/QUIXSS/quixss.html
# http://owndrive.rudleobulksms.in/user_profile/up.php
# http://owndrive.rudleobulksms.in/google_drive/up.php
# http://owndrive.rudleobulksms.in/drive/QUIXSS/adminer.php
# http://owndrive.rudleobulksms.in/drive/QUIXSS/info.php
# http://owndrive.rudleobulksms.in/index.php/own_drive_sub/index/QUIXSS
[+] :: PoC #1 [WebShell Upload]:
# Authorize on the demo website for tests: http://owndrive.rudleobulksms.in/index.php/login (login/password is admin/admin). Then go to the «Own Drive» page http://owndrive.rudleobulksms.in/index.php/own_drive and upload your PHP file (pay attention to the «Special Note»).
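The upload weakness above and the «Special Note» share one root cause: the file is accepted first and (sometimes) deleted afterwards, and deletion keyed on file content is trivially defeated. The following is an added example of how a hardened upload handler looks; it is not code from OwnDrive & File CMS, and the constants (`UPLOAD_DIR`, `MAX_BYTES`), the allow-list and the function names `store_upload()` / `serve_upload()` are assumptions for this example.

```php
<?php
// Added example (not OwnDrive & File CMS code): reject executable content up
// front and keep uploads out of the web root, instead of deleting them later.
// UPLOAD_DIR, MAX_BYTES, ALLOWED and the function names are assumptions.

const UPLOAD_DIR = '/var/app/uploads';   // assumed path, OUTSIDE the web root
const MAX_BYTES  = 10 * 1024 * 1024;     // assumed 10 MiB limit

// Allow-list of extension => expected MIME type. Anything else is rejected,
// so .php, .phtml, .phar etc. never need a deny-list entry.
const ALLOWED = [
    'pdf'  => 'application/pdf',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'txt'  => 'text/plain',
];

/**
 * Validate one $_FILES entry and move it under a server-chosen name.
 * Returns the stored filename, or throws on any validation failure.
 */
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Judge by the LAST extension, lower-cased, so "x.php.png" and "x.PHP"
    // get the same treatment as "x.png" / "x.php".
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('File type not allowed');
    }

    // Check the real content type; $file['type'] is client-supplied and untrusted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("Content does not match .$ext");
    }

    // Never reuse the client filename: random name plus the allow-listed extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // readable by the app user, never executable
    return $stored;
}

/**
 * Serve a stored file through the application rather than as a static URL,
 * so the web server never gets a chance to interpret an upload as a script.
 */
function serve_upload(string $stored): void
{
    // Accept only "<32 hex chars>.<short ext>" to rule out path traversal.
    if (!preg_match('/^[a-f0-9]{32}\.[a-z0-9]{1,5}$/', $stored)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $stored;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $stored . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// Usage in an upload controller (assumed form field name "file"):
// try { $name = store_upload($_FILES['file']); }
// catch (RuntimeException $e) { http_response_code(400); echo 'Rejected'; }
```

The order of checks matters: extension allow-list, then content sniffing, then a server-generated name, and only then a move into a directory the web server does not serve. If uploads must stay under the web root for some reason, script execution should additionally be disabled for that directory (for Apache with mod_php, `php_flag engine off` in the directory configuration), but that is a second layer, not a substitute for the checks above.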
[+] :: PoC #2 [Stored XSS Injection]:
# Authorize on the demo website for tests: http://owndrive.rudleobulksms.in/index.php/login (login/password is admin/admin). Then go to the «User Department» page http://owndrive.rudleobulksms.in/index.php/users_group and edit any existing group or create a new one. The «User group name» input field is vulnerable to Stored XSS Injection, so feel free to use your payload and save the data.
# Sample payload #1: "><script>alert('QUIXSS')</script>
# Sample payload #2: "><script>location='https://twitter.com/quixss';</script>
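Both sample payloads work because the stored group name is written back into the page unencoded, in attribute context (the leading `">` closes the `value="..."` attribute and the input tag). The fix is output encoding at the point of rendering, with input validation as a second layer. The following is an added example and is not code from OwnDrive & File CMS; the helper names `e()`, `valid_group_name()` and `render_group_row()` and the form field name are assumptions.

```php
<?php
// Added example (not OwnDrive & File CMS code): context-aware output encoding
// for the «User group name» field. Function names are assumptions.

/** Encode a value for HTML element content or a double-quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES also encodes the single quote, so the result is safe in
    // attributes; ENT_SUBSTITUTE avoids an empty string on invalid UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Input-side rule for a group name: short, letters/digits/space/_-. only. */
function valid_group_name(string $name): bool
{
    return mb_strlen($name, 'UTF-8') <= 64
        && preg_match('/^[\p{L}\p{N} _\-.]+$/u', $name) === 1;
}

/** Render one row of the edit form; $name is stored data and may be hostile. */
function render_group_row(string $name): string
{
    return '<tr><td>' . e($name) . '</td>'
         . '<td><input type="text" name="group_name" value="' . e($name) . '"></td></tr>';
}

/** Handle a save request: validate first, and only then persist. */
function handle_save(array $post, callable $persist): bool
{
    $name = (string)($post['group_name'] ?? '');
    if (!valid_group_name($name)) {
        return false;            // reject instead of storing and "cleaning" later
    }
    $persist($name);             // assumed storage callback (prepared statement etc.)
    return true;
}

// Constructed sample: the advisory's first payload, as it would sit in the DB
// of a version that has no validation.
$stored = "\"><script>alert('QUIXSS')</script>";

echo render_group_row($stored);

// With validation in place the same value is refused before it reaches the DB.
$accepted = handle_save(['group_name' => $stored], function (string $n): void {});
var_dump($accepted);
```

With `e()` applied, the `"` and `<`/`>` in the stored name reach the browser as `&quot;`, `&lt;` and `&gt;`, so the attribute is not closed and the text is displayed literally rather than executed. `valid_group_name()` refuses the payload outright (it contains `"`, `<` and `>`), but encoding on output remains the primary control, since it protects every page that renders the field even if a future input path bypasses validation.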