OwnDrive & File CMS v1.0 WebShell Upload & Stored XSS Injection

CVE: (none listed)
Category: CWE-79
Price: Not disclosed
Severity: High
Author: Not specified
Risk: High
Exploitation Type: Remote
Date: 2019-05-16
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019050171

Below is a copy:

[*] :: Title: OwnDrive & File CMS v1.0 WebShell Upload & Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-05-15
[*] :: Software: OwnDrive & File CMS v1.0
  
[?] :: Technical Details & Description:
# Weak security measures, such as no filtering of input field data and unrestricted .PHP file upload, have been discovered in the OwnDrive & File CMS web application. The current version is 1.0.

[?] :: Demo Website:
# https://codecanyon.net/item/owndrive-file-cms/22350701
# Backend (admin): http://owndrive.rudleobulksms.in/index.php/login
# Login/Password (admin): admin/admin

[!] :: Special Note:
# Some PHP files are automatically deleted after ~2 seconds. If this is a security measure, then it's really easy to bypass by using any PHP obfuscator (most webshells already have this option by default).

[!] :: For developers:
# Disabling any data changes on demo websites doesn't make your applications more secure. It's good for business and sales, but you are simply double-crossing your clients.

[+] :: PoC [Links]:
# http://owndrive.rudleobulksms.in/drive/QUIXSS/quixss.html
# http://owndrive.rudleobulksms.in/user_profile/up.php
# http://owndrive.rudleobulksms.in/google_drive/up.php
# http://owndrive.rudleobulksms.in/drive/QUIXSS/adminer.php
# http://owndrive.rudleobulksms.in/drive/QUIXSS/info.php
# http://owndrive.rudleobulksms.in/index.php/own_drive_sub/index/QUIXSS

[+] :: PoC #1 [WebShell Upload]:
# Log in to the demo website for tests: http://owndrive.rudleobulksms.in/index.php/login (login/password is admin/admin). Then go to the Own Drive page http://owndrive.rudleobulksms.in/index.php/own_drive and upload your PHP file (pay attention to the Special Note).

[+] :: PoC #2 [Stored XSS Injection]:
# Log in to the demo website for tests: http://owndrive.rudleobulksms.in/index.php/login (login/password is admin/admin). Then go to the User Department page http://owndrive.rudleobulksms.in/index.php/users_group and edit any existing group or create a new one. The user group name input field is vulnerable to Stored XSS Injection, so feel free to use your payload and save the data.
# Sample payload #1: "><script>alert('QUIXSS')</script>
# Sample payload #2: "><script>location='https://twitter.com/quixss';</script>
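
A defensive sketch of the two fixes the advisory points to, added here as an example and not taken from OwnDrive & File CMS or from the advisory's author: an upload is rejected before it is stored unless its extension and sniffed content both match an allowlist (rather than being deleted after the fact, as in the Special Note), and the group name is HTML-encoded on output. The function names, the allowlist and the storage directory are assumptions, and PHP's fileinfo extension is assumed to be enabled.

```php
<?php
// Added example: hypothetical helpers, not code from OwnDrive & File CMS.

// Extension => MIME type that content sniffing must report (assumed allowlist).
const ALLOWED_TYPES = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];

// Returns a server-generated file name, or null when the upload is rejected.
function safe_upload_name(string $clientName, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null; // .php, .phtml, .html or no extension: rejected
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return null; // content does not match the claimed type
    }
    // The client's name is discarded, so it controls neither path nor extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// $file is one entry of $_FILES; $storageDir should sit outside the web root
// (or in a directory where the server never executes scripts).
function store_upload(array $file, string $storageDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $name = safe_upload_name($file['name'], $file['tmp_name']);
    if ($name === null) {
        return null;
    }
    $target = rtrim($storageDir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $target) ? $name : null;
}

// Encode the group name wherever it is written into HTML, so markup stored in
// the database is displayed as text instead of being parsed by the browser.
function render_group_name(string $groupName): string
{
    return htmlspecialchars($groupName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
```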
