| CVE | Category | Price | Severity |
|---|---|---|---|
| | CWE-79 | Not disclosed | High |

| Author | Risk | Exploitation Type | Date |
|---|---|---|---|
| Not specified | High | Remote | 2019-05-16 |
[*] :: Title: OwnDrive & File CMS v1.0 WebShell Upload & Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-05-15
[*] :: Software: OwnDrive & File CMS v1.0

[?] :: Technical Details & Description:
# Weak security measures, namely no filtering of input field data and unrestricted .PHP file upload, have been discovered in the OwnDrive & File CMS web application (current version 1.0).

[?] :: Demo Website:
# https://codecanyon.net/item/owndrive-file-cms/22350701
# Backend (admin): http://owndrive.rudleobulksms.in/index.php/login
# Login/Password (admin): admin/admin

[!] :: Special Note:
# Some PHP files are automatically deleted after ~2 seconds. If this is a security measure, then it's really easy to bypass by using any PHP obfuscator (most webshells already have this option by default).

[!] :: For developers:
# Disabling any data changes on a demo website doesn't make your application more secure. It's good for business and sales, but you are simply double-crossing your clients.

[+] :: PoC [Links]:
# http://owndrive.rudleobulksms.in/drive/QUIXSS/quixss.html
# http://owndrive.rudleobulksms.in/user_profile/up.php
# http://owndrive.rudleobulksms.in/google_drive/up.php
# http://owndrive.rudleobulksms.in/drive/QUIXSS/adminer.php
# http://owndrive.rudleobulksms.in/drive/QUIXSS/info.php
# http://owndrive.rudleobulksms.in/index.php/own_drive_sub/index/QUIXSS

[+] :: PoC #1 [WebShell Upload]:
# Authorize on the demo website for tests: http://owndrive.rudleobulksms.in/index.php/login (login/password is admin/admin). Then go to the Own Drive page http://owndrive.rudleobulksms.in/index.php/own_drive and upload your PHP file (pay attention to the Special Note).

[+] :: PoC #2 [Stored XSS Injection]:
# Authorize on the demo website for tests: http://owndrive.rudleobulksms.in/index.php/login (login/password is admin/admin). Then go to the User Department page http://owndrive.rudleobulksms.in/index.php/users_group and edit any existing group or create a new one. The User group name input field is vulnerable to Stored XSS Injection, so feel free to use your payload and save the data.
# Sample payload #1: "><script>alert('QUIXSS')</script>
# Sample payload #2: "><script>location='https://twitter.com/quixss';</script>
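The two weaknesses above (unrestricted .PHP upload and an unencoded group name) have standard fixes. The following is an added example of a hardened upload handler and output encoding, written for this advisory and not taken from OwnDrive & File CMS; the field name `drive_file`, the storage path and the allow-list of types are assumptions.

```php
<?php
// Added example, not code from OwnDrive & File CMS. Assumed names:
// $_FILES['drive_file'], UPLOAD_DIR, ALLOWED_TYPES.
declare(strict_types=1);

// Store uploads outside the web root so nothing uploaded is ever executed.
const UPLOAD_DIR = '/var/app/private_uploads';   // assumed path
// Allow-list of extension => expected MIME type; .php (and .phtml, .phar, ...)
// is never on it. Deleting scripts after the fact, as the app does, is not a control.
const ALLOWED_TYPES = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'txt' => 'text/plain',
];

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Extension from the client-supplied name, normalised, checked against the allow-list.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('file type not allowed');
    }
    // Sniff the real content type; $file['type'] is client controlled and untrusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-chosen random name: the client never controls the path or the extension.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Stored XSS fix for the group name: encode on output, every time it is rendered.
function render_group_name(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage (assumed form field and row): $path = store_upload($_FILES['drive_file']);
// echo render_group_name($group['name']);  // '"><script>...' is rendered as inert text
```

Pair the output encoding with a length and character-set check on the group name at save time, and add a `Content-Security-Policy` header to limit the impact of any encoding that is missed.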
Copyright ©2024 Exploitalert.