''' ________ __ ____ |\/|/ __ \ /\| || |_ \ | \/ | || | /\ | || | |_) | | |\/| | || |/ /\ \| || |_ < | || | |__| / ____ \ |__| | |_) | |_||_|\____/_/\_\____/|____/ ''' Abysssec Inc Public Advisory Title:IfNuke Multiple Remote Vulnerabilities Affected Version :IfNuke 4.0.0 Discovery:www.abysssec.com Vendor :http://www.ifsoft.net/default.aspx Demo :http://www.ifsoft.net/default.aspx?portalName=demo Download Links :http://ifnuke.codeplex.com/ Admin Page :http://Example.com/Login.aspx?PortalName=_default Description : =========================================================================================== This version of IfNuke have Multiple Valnerabilities : 1- arbitrary Upload file 2- Persistent XSS arbitrary Upload file =========================================================================================== using this vulnerability you can upload any file with this two ways: 1- http://Example.com/Modules/PreDefinition/PhotoUpload.aspx?AlbumId=1 (the value of AlbumId is necessary) your files will be in this path: http://Example.com/Users/Albums/ with this format (for example): Shell.aspx ---> img_634150553723437500.aspx That 634150553723437500 value is DateTime.Now.Ticks.ToString() and will be built in this file : http://Example.com/Modules/PreDefinition/PhotoUpload.ascx.cs Ln 102 : fileName = "img_" + DateTime.Now.Ticks.ToString() + "." + GetFileExt(userPostedFile.FileName); it's possible to do same thing here : 2- http://Example.com/modules/PreDefinition/VideoUpload.aspx and the same vulnerable code is located here : http://Example.com/Modules/PreDefinition/VideoUpload.ascx.cs Ln 39 : string createdTime = DateTime.Now.ToString("yyyyMMddHHmmssffff"); string newFileNameWithoutExtension = Path.GetFileNameWithoutExtension(fileName) + "_" + createdTime; string uploadFilePath = Server.MapPath(VideoHelper.GetVideoUploadDirectory(CurrentUser.Name) + newFileNameWithoutExtension + Path.GetExtension(fileName)); Persistent XSS Vulnerabilities: =========================================================================================== In these Modules you can find Persistent XSS that data saves with no sanitization: 1- Module name: Article Fields : Title , Description Valnerable Code: ...\Modules\PreDefinition\Article.ascx.cs ln 106: if (S_Title.Text.Trim() != string.Empty) { parameters.Add("@Title", S_Title.Text.Trim()); parameters.Add("@Description", S_Title.Text.Trim()); parameters.Add("@Tags", S_Title.Text.Trim()); } -------------------------------------------------------------------------------------- 2- Module name: ArticleCategory Field: Name Valnerable Code: ...\Modules\PreDefinition\ArticleCategory.ascx.cs ln 96: entity.Name = ((TextBox)lstSearch.Rows[lstSearch.EditIndex].FindControl("txtCategoryName_E")).Text.Trim(); -------------------------------------------------------------------------------------- 3- Module name: HtmlText Field: Text Valnerable Code: ...\Modules\PreDefinition\HtmlText.ascx.cs ln 66: entity.Content = txtContent.Value.Trim().Replace("//",string.Empty); -------------------------------------------------------------------------------------- 4- Module name: LeaveMessage Fields : NickName , Content Valnerable Code: ...\Modules\PreDefinition\LeaveMessage.ascx.cs ln 55: entity.NickName = txtNickName.Text.Trim(); entity.Content = txtContent.Text.Trim(); -------------------------------------------------------------------------------------- 5- Module name: Link Field: Title Valnerable Code: ...\Modules\PreDefinition\Link.ascx.cs ln 83: entity.Title = ((TextBox)lstSearch.Rows[lstSearch.EditIndex].FindControl("txtTitle_E")).Text.Trim(); -------------------------------------------------------------------------------------- 6- Module name: Photo Field: Title Valnerable Code: ...\Modules\PreDefinition\Photo.ascx.cs ln 280: entity.Title = txtTitle_E.Text.Trim(); ===========================================================================================
体验盒子
