*=============================================================| | Exploit Title:A Roxy Fileman Cross Site Scripting | | Exploit Author: Ashiyane Digital Security Team | | Vendor Homepage: http://www.roxyfileman.com/ | | Download Link : http://www.roxyfileman.com/download.php?f=1.4.5-php | | Version : V 1.4.5 | | Platform : PHP | | Tested on:A Kali Linux | | Date: 1 /12 / 2017 *=============================================================| | Exploit Code: | | | |A A A Roxy Fileman Cross Site Scripting | | |
| /> |
| | | *=======================| | vulnerability Method : GET & POST | Files that have this vulnerability : | | http://Target/[PATH]/fileman/php/copydir.php | http://Target/[PATH]/fileman/php/copyfile.php | http://Target/[PATH]/fileman/php/createdir.php | http://Target/[PATH]/fileman/php/deletedir.php | http://Target/[PATH]/fileman/php/renamedir.php | http://Target/[PATH]/fileman/php/thumb.php | http://Target/[PATH]/fileman/php/movefile.php | http://Target/[PATH]/fileman/php/downloaddir.php | http://Target/[PATH]/fileman/php/dirtree.php | http://Target/[PATH]/fileman/php/movedir.php *=======================| |How to fix this vulnerability : | |You should first try to f.ilter all input variables O After use command echo in script :) | *=======================| |Vulnerable code For Example: | |include '../system.inc.php'; |include 'functions.inc.php'; | |verifyAction('FILESLIST'); |checkAccess('FILESLIST'); | |$path = (empty($_POST['d'])? getFilesPath(): $_POST['d']); |$type = (empty($_POST['type'])?'':strtolower($_POST['type'])); |if($type != 'image' && $type != 'flash') |A $type = ''; |verifyPath($path); | |$files = listDirectory(fixPath($path), 0); |natcasesort($files); |$str = ''; |echo '['; |foreach ($files as $f){ |A $fullPath = $path.'/'.$f; |A if(!is_file(fixPath($fullPath)) || ($type == 'image' && !RoxyFile::IsImage($f)) || ($type == 'flash' && !RoxyFile::IsFlash($f))) |A A A continue; |A $size = filesize(fixPath($fullPath)); |A $time = filemtime(fixPath($fullPath)); |A $w = 0; |A $h = 0; |A if(RoxyFile::IsImage($f)){ |A A A $tmp = @getimagesize(fixPath($fullPath)); |A A A if($tmp){ |A A A A A $w = $tmp[0]; |A A A A A $h = $tmp[1]; |A A A } |A } |A $str .= '{"p":"'.mb_ereg_replace('"', '\\"', $fullPath).'","s":"'.$size.'","t":"'.$time.'","w":"'.$w.'","h":"'.$h.'"},'; |} |$str = mb_substr($str, 0, -1); |echo $str; |echo ']'; |?>A *=============================================================| | Special Thanks To : Ehsan Cod3r O micle O Und3rgr0und O Amir.ght O | xenotixO modiretO V For Vendetta O Alireza O r4ouf O Spoofer O | And All Of My Friends O The Last One : My Self, M.R.S.L.YA *=============================================================|A