扫码分享
验证:
体验盒子'''
________ __ ____
|\/|/ __ \ /\| || |_ \
| \/ | || | /\ | || | |_) |
| |\/| | || |/ /\ \| || |_ <
| || | |__| / ____ \ |__| | |_) |
|_||_|\____/_/\_\____/|____/
'''
Abysssec Inc Public Advisory
Title:IfNuke Multiple Remote Vulnerabilities
Affected Version :IfNuke 4.0.0
Discovery:www.abysssec.com
Vendor :http://www.ifsoft.net/default.aspx
Demo :http://www.ifsoft.net/default.aspx?portalName=demo
Download Links :http://ifnuke.codeplex.com/
Admin Page :http://Example.com/Login.aspx?PortalName=_default
Description :
===========================================================================================
This version of IfNuke have Multiple Valnerabilities :
1- arbitrary Upload file
2- Persistent XSS
arbitrary Upload file
===========================================================================================
using this vulnerability you can upload any file with this two ways:
1- http://Example.com/Modules/PreDefinition/PhotoUpload.aspx?AlbumId=1 (the value of AlbumId is necessary)
your files will be in this path:
http://Example.com/Users/Albums/
with this format (for example):
Shell.aspx ---> img_634150553723437500.aspx
That 634150553723437500 value is DateTime.Now.Ticks.ToString() and will be built in this file :
http://Example.com/Modules/PreDefinition/PhotoUpload.ascx.cs
Ln 102 : fileName = "img_" + DateTime.Now.Ticks.ToString() + "." + GetFileExt(userPostedFile.FileName);
it's possible to do same thing here :
2- http://Example.com/modules/PreDefinition/VideoUpload.aspx
and the same vulnerable code is located here :
http://Example.com/Modules/PreDefinition/VideoUpload.ascx.cs
Ln 39 : string createdTime = DateTime.Now.ToString("yyyyMMddHHmmssffff");
string newFileNameWithoutExtension = Path.GetFileNameWithoutExtension(fileName) + "_" + createdTime;
string uploadFilePath = Server.MapPath(VideoHelper.GetVideoUploadDirectory(CurrentUser.Name) + newFileNameWithoutExtension + Path.GetExtension(fileName));
Persistent XSS Vulnerabilities:
===========================================================================================
In these Modules you can find Persistent XSS that data saves with no sanitization:
1- Module name: Article
Fields : Title , Description
Valnerable Code: ...\Modules\PreDefinition\Article.ascx.cs
ln 106:
if (S_Title.Text.Trim() != string.Empty)
{
parameters.Add("@Title", S_Title.Text.Trim());
parameters.Add("@Description", S_Title.Text.Trim());
parameters.Add("@Tags", S_Title.Text.Trim());
}
--------------------------------------------------------------------------------------
2- Module name: ArticleCategory
Field: Name
Valnerable Code: ...\Modules\PreDefinition\ArticleCategory.ascx.cs
ln 96:
entity.Name = ((TextBox)lstSearch.Rows[lstSearch.EditIndex].FindControl("txtCategoryName_E")).Text.Trim();
--------------------------------------------------------------------------------------
3- Module name: HtmlText
Field: Text
Valnerable Code: ...\Modules\PreDefinition\HtmlText.ascx.cs
ln 66:
entity.Content = txtContent.Value.Trim().Replace("//",string.Empty);
--------------------------------------------------------------------------------------
4- Module name: LeaveMessage
Fields : NickName , Content
Valnerable Code: ...\Modules\PreDefinition\LeaveMessage.ascx.cs
ln 55:
entity.NickName = txtNickName.Text.Trim();
entity.Content = txtContent.Text.Trim();
--------------------------------------------------------------------------------------
5- Module name: Link
Field: Title
Valnerable Code: ...\Modules\PreDefinition\Link.ascx.cs
ln 83:
entity.Title = ((TextBox)lstSearch.Rows[lstSearch.EditIndex].FindControl("txtTitle_E")).Text.Trim();
--------------------------------------------------------------------------------------
6- Module name: Photo
Field: Title
Valnerable Code: ...\Modules\PreDefinition\Photo.ascx.cs
ln 280:
entity.Title = txtTitle_E.Text.Trim();
===========================================================================================
体验盒子
