+---------------------------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title : Elfet - ElfChat 5.1.2 Pro XSS + HTML Inject on Groups.PHP
# Date : 2012-08-01
# Vulnerability : http://www.Site.tld/chat/admin/groups.php?2dfc7807e562134798541dbba20e22e7/YWNydWRfYWN0PWNyZWF0ZQ--
# Author : Avatar Fearless
# Software link : http://community.elfchat.net/files/download/4-elfchat-5-demo/
# Official Site : http://elfchat.net/
# Version : 5.1.2 Pro (Updated)
# Tested on : Windows 7 Ultimate x32
# Original Advisory : http://thefear.in/elfchatvuln3.txt
# Contact : avatar@hiphopfan.com || avatar_legends@live.com/@mail.ru
# Web Sites : http://anti-armenia.org/ || http://millikuvvetler.net/ || http://mexfi.org/
+---------------------------------------------------------------------------------------------------------------------------------------------------+
[+] Vulnerable :
http://www.Site.tld/chat/admin/groups.php
[-] Exploit :
In the "Admin" case (logged in as an administrator) you can do everything with groups.php!
[?] About :
For More Info Contact me.
[#] Description :
It affects: /admin/index.php + /admin/users.php
[$] Information About This Vulnerability + Exploiting.
You can inject JavaScript and HTML when you create a new group.
[|]PoC :
<?php
require_once 'init.php';
require_once 'controller/CrudController.php';
require_once 'models/Group.php';
/**
 * Admin controller behind groups.php: lists chat groups and drives the
 * create / update / delete forms through CrudController.
 *
 * NOTE(review): the advisory on this page reports that JavaScript/HTML typed
 * into the "create group" form is injected into admin pages. In this class
 * the 'title' input is only checked for non-empty, max length and uniqueness,
 * and 'settings#icon' has no validator at all; nothing visible here strips or
 * encodes markup. Where the stored values are rendered (the 'groups' view,
 * CrudController output, the "%title%" log/message templates) is not shown --
 * presumably HTML-escaping such as htmlspecialchars() with ENT_QUOTES is
 * missing at that point; confirm against those files.
 */
class GroupsController extends AdminController
{
    /**
     * Registers the page with the admin base controller and binds the
     * 'groups' view.
     */
    public function __construct()
    {
        $options = array(
            'select' => 'groups',
            'title'  => tr('Groups'),
            'url'    => 'groups.php?',
        );
        parent::__construct($options);

        $this->view = new View('groups');
    }

    /**
     * Default action: configures the CRUD helper for the Group model
     * (labels, list columns, form inputs), runs it and renders the page.
     */
    public function action_index()
    {
        $groupModel = Group::model();

        $crudController = new CrudController($groupModel);
        $crudController->SetController($this);
        $crudController->SetLog($this->logs);

        // Text templates per CRUD operation. "%title%" is presumably replaced
        // with the stored group title -- i.e. with user-supplied text; verify
        // that the substitution result is escaped before it reaches HTML.
        $crudController->SetLogsMessages(array(
            'create' => tr('New group was created: %title%'),
            'update' => tr('Group was edited: %title%'),
            'delete' => tr('Group was deleted: %title%'),
        ));
        $crudController->SetSubmits(array(
            'create' => tr('Add new group'),
            'update' => tr('Edit group'),
            'delete' => tr('Delete group'),
        ));
        $crudController->SetTitles(array(
            'create' => tr('Create new group'),
            'update' => tr('Edit group: %title%'),
            'delete' => tr('Delete group: %title%'),
        ));
        $crudController->SetMessages(array(
            'create' => tr('New group was created.'),
            'update' => tr('Group was edited: %title%'),
            'delete' => tr('Group was deleted: %title%'),
        ));

        // The page heading is only set for the list ("read") view; every
        // other act leaves it empty.
        $this->view->title = ($crudController->GetAct() == CrudEnum::Read) ? tr('Groups') : '';

        // Columns of the group listing.
        $crudController->SetColumns(array(
            'id'    => array('title' => tr('ID'), 'width' => '20px'),
            'title' => array('title' => tr('Title')),
        ));

        // Group title: must be non-empty, within the validator's length limit
        // and unique among groups. None of these validators restricts markup.
        $titleInput = new InputText('title', tr('Title of new group.'));
        $titleInput->SetValid(array(new Validation_NotEmpty(), new Validation_MaxLength()));
        $titleInput->AddValid(
            new Validation_Unique($groupModel, 'title', tr('Title of group have to be unique.'))
        );
        $crudController->AddInput($titleInput);

        // Per-group settings. The icon field is free text with no validator.
        $crudController->AddInput(new InputCheck('settings#enter', tr('Can enter to chat?'), true));
        $crudController->AddInput(new InputText('settings#icon', tr('Icon of group'), ''));
        $crudController->AddInput(
            new InputCheck('settings#bbcode_status', tr('Can use bbcode in status?'), false)
        );
        $crudController->AddInput(
            new InputCheck('settings#enable_antispam', tr('Turn on antispam?'), true)
        );

        $crudController->run();
        $this->display();
    }

    /**
     * Overwrites the serialized settings via updateAll() with the defaults
     * below, writes a log entry and redirects with a status message.
     *
     * NOTE(review): the empty first argument to updateAll() presumably means
     * "no condition", i.e. every group row -- confirm in the model. No
     * request-method or anti-CSRF token check is visible in this method;
     * confirm the base controller enforces one, since this is a
     * state-changing admin action.
     */
    public function action_reset()
    {
        $defaults = array(
            'enter'           => true,
            'icon'            => '',
            'bbcode_status'   => false,
            'enable_antispam' => true,
        );

        $model = Group::model();
        $model->updateAll('', array('group_setting' => serialize($defaults)));

        $this->logs->Log(tr('All groups was reseted.'));

        $target = url(array('message' => tr('All groups reseted.')));
        $this->redirect($target);
    }
}
// Page entry point: build the controller and hand control to Login().
// Login() is not defined in this file -- presumably it checks the admin
// session and dispatches to the action_* methods; verify in AdminController.
$page = new GroupsController();
$page->Login();
?>
[@]
Respect To :
All My Bro*S
AA Team
MF Team
MKT Team
Gr33t`Z T0 : All Team MemBer'Z
+---------------------------------------------------------------------------------------------------------------------------------------------------+
6 Ağustos 2012 Pazartesi
Elfet - ElfChat 5.1.2 Pro XSS + HTML Inject on Groups.PHP