OwnDrive & File CMS v1.0 WebShell Upload & Stored XSS Injection - CXSecurity.com

Vulnerability ID 1611551 Vulnerability type
Published 2019-05-16 Updated 2019-05-16
CVE ID N/A CNNVD-ID N/A
Platform N/A CVSS score N/A
|Source
https://cxsecurity.com/issue/WLB-2019050171
|Vulnerability details
Details have not yet been disclosed
|Exploit
[*] :: Title: OwnDrive & File CMS v1.0 WebShell Upload & Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-05-15
[*] :: Software: OwnDrive & File CMS v1.0
  
[?] :: Technical Details & Description:
# Weak security controls, namely no filtering of input field data and unrestricted upload of .php files, have been discovered in the «OwnDrive & File CMS» web application, current version 1.0.

[?] :: Demo Website:
# https://codecanyon.net/item/owndrive-file-cms/22350701
# Backend (admin): http://owndrive.rudleobulksms.in/index.php/login
# Login/Password (admin): admin/admin

[!] :: Special Note:
# Some uploaded PHP files are automatically deleted after about 2 seconds. If this is meant as a «security measure», it is trivially bypassed with any PHP obfuscator (most webshells ship with this option by default), and the file is still executable during the window before deletion.

[!] :: For developers:
# Disabling data changes on a demo website does not make your application more secure. It is good for business and sales, but you are simply double-crossing your clients.

[+] :: PoC [Links]:
# http://owndrive.rudleobulksms.in/drive/QUIXSS/quixss.html
# http://owndrive.rudleobulksms.in/user_profile/up.php
# http://owndrive.rudleobulksms.in/google_drive/up.php
# http://owndrive.rudleobulksms.in/drive/QUIXSS/adminer.php
# http://owndrive.rudleobulksms.in/drive/QUIXSS/info.php
# http://owndrive.rudleobulksms.in/index.php/own_drive_sub/index/QUIXSS

[+] :: PoC #1 [WebShell Upload]:
# Log in to the demo website for testing: http://owndrive.rudleobulksms.in/index.php/login (login/password admin/admin). Then go to the «Own Drive» page http://owndrive.rudleobulksms.in/index.php/own_drive and upload your PHP file (see the «Special Note»).
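# The upload check that PoC #1 shows is missing, as an added example in Python (not the CMS's own code, which is PHP). It shows why deleting .php files after the fact, as the «Special Note» describes, is the wrong control: the extension allowlist, the per-segment check that catches shell.php.jpg and SHELL.PhTmL, the magic-byte comparison and the random stored name are all assumptions for this example, as are the sample filenames and contents.

```python
import os
import re
import secrets

# Allowlist of what a file drive legitimately needs to store (constructed for this example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "zip"}

# Extensions a typical Apache/PHP setup will execute. They are rejected anywhere in
# the name, but the allowlist above is the actual control; this set only documents
# why "block .php" alone is not enough.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "inc"}

# Leading bytes expected for the binary types that are accepted.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF",
    "zip": b"PK\x03\x04",
}

# Shape of the name the file is stored under (random hex, original extension).
STORED_NAME = re.compile(r"^[0-9a-f]{32}\.[a-z0-9]+$")


def validate_upload(filename, data):
    """Return (True, stored_name) for an acceptable upload, else (False, reason).

    stored_name is a random name the caller should write outside the web root and
    serve through a download handler, never by letting the web server map the path.
    """
    # Drop any directory component the client sent ("../../index.php", "C:\\x\\shell.php").
    base = os.path.basename(filename.replace("\\", "/")).strip()
    if not base or base.startswith("."):
        # Also blocks an uploaded .htaccess that could re-enable execution of other types.
        return False, "empty or dot-file name"
    segments = base.lower().split(".")
    if len(segments) < 2 or not segments[-1]:
        return False, "no extension"
    exts = segments[1:]
    # Every extension segment is checked, which catches shell.php.jpg and SHELL.PhTmL.
    if any(e in SCRIPT_EXTENSIONS for e in exts):
        return False, "server-side script extension"
    ext = exts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f".{ext} is not an allowed type"
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    # A file can pass the magic check and still carry PHP (e.g. "GIF89a<?php ..."),
    # which is why the stored name is random and the file must live outside the web root.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads: a plain webshell, a double-extension variant and a real JPEG header.
    for name, content in [
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
        ("shell.jpg", b"<?php echo 1; ?>"),
        ("photo.jpg", b"\xff\xd8\xff\xe0JFIF"),
    ]:
        print(name, validate_upload(name, content))
```

The order of checks matters: the name is normalised and the extension decided before the content is looked at, so a payload cannot talk its way past the allowlist by matching the magic bytes of a type that is later served with an executable extension.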

[+] :: PoC #2 [Stored XSS Injection]:
# Log in to the demo website for testing: http://owndrive.rudleobulksms.in/index.php/login (login/password admin/admin). Then go to the «User Department» page http://owndrive.rudleobulksms.in/index.php/users_group and edit any existing group or create a new one. The «User group name» input field is vulnerable to stored XSS, so enter your payload and save the data.
# Sample payload #1: "><script>alert('QUIXSS')</script>
# Sample payload #2: "><script>location='https://twitter.com/quixss';</script>
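# How the two sample payloads above break out of the group-name field, and the output encoding that stops them, as an added example in Python (not the CMS's own code). The edit-form markup, the field name `user_group_name` and the group-name allowlist are assumptions for this example; only the payloads are taken from the advisory.

```python
import html
import re

# The two payloads from PoC #2.
PAYLOADS = [
    "\"><script>alert('QUIXSS')</script>",
    "\"><script>location='https://twitter.com/quixss';</script>",
]

_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
# Assumed policy for a department name: letters, digits, space, underscore, hyphen, up to 64 chars.
_NAME_RE = re.compile(r"^[A-Za-z0-9 _\-]{1,64}$")


def render_edit_form_unsafe(group_name):
    """Model of the vulnerable page: the stored value is concatenated into the attribute raw."""
    return f'<input type="text" name="user_group_name" value="{group_name}">'


def render_edit_form_safe(group_name):
    """Same markup with HTML attribute encoding applied at output time.

    html.escape(quote=True) turns " into &quot; so the payload cannot close the
    attribute, and < into &lt; so no tag can start even if it did. Encoding at
    output keeps the stored value intact for other consumers (CSV export, API).
    """
    return f'<input type="text" name="user_group_name" value="{html.escape(group_name, quote=True)}">'


def script_tag_count(markup):
    """Count <script openings in rendered markup; 0 means the payload stayed inert."""
    return len(_SCRIPT_TAG.findall(markup))


def group_name_is_valid(group_name):
    """Server-side input allowlist for the field (defence in depth, not a substitute for encoding)."""
    return bool(_NAME_RE.match(group_name))


if __name__ == "__main__":
    for payload in PAYLOADS:
        print("unsafe:", render_edit_form_unsafe(payload))
        print("safe:  ", render_edit_form_safe(payload))
        print("valid name:", group_name_is_valid(payload))
```

The encoded form is reversible: `html.unescape` of the escaped attribute returns the original string, so the fix changes what the browser parses, not what the database stores. An input allowlist like `group_name_is_valid` is worth adding because the advisory notes there is no filtering at all, but it is the output encoding that closes the stored XSS in every context the value is later rendered.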