steambag
Posted August 21, 2014

Analyzing the leaked code revealed multiple vulnerabilities due to a lack of user input validation, including Cross-Site Scripting (XSS), Arbitrary File Upload, SQL Injection, and PHP Code Execution. Unsanitized user input is written to the Panel/config.php file via POST requests to the Panel/applysettings.php file. This vulnerability allows PHP code to be injected and then executed with subsequent requests at the Panel/config.php URL. Rewriting this configuration file will not only allow execution of specially crafted PHP code, but will also render the control panel inept, effectively creating a Denial of Service condition.

Here is one proof of concept that passes the GET parameter “c” for system command execution:

Let’s break down each of these POST parameters to show what they do. Curl is instructed to send a POST request for the timezone parameter with the URL-encoded string:

This POST value will subsequently be written to the Panel/config.php on line 13 with compiler-happy code:

The other POST values postboxsize and botoffline are assigned expected integer values so PHP does not throw any errors. Our post-exploit Panel/config.php file now contains the contents below. Notice that the database connection information (dbhost, dbname, etc.) was overwritten, which stops the control panel from functioning:

And now the backdoor shell can be accessed by issuing system commands to the POST “c” parameter:

Example using "whoami" system command
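For contrast, here is how a settings handler can rewrite a PHP config file without letting request values become code. This is an added example, not Dendroid's own code: the parameter names timezone, postboxsize and botoffline come from the post above, while the value ranges, the settings.php file name, the allow-list check and the var_export() serialization are assumptions. Database credentials are kept in a separate file this handler never touches, so a bad request cannot take the panel offline.

```php
<?php
// Added example: hardened "apply settings" handler. Parameter names come from
// the post above; ranges, file name and allow-list approach are assumptions.
// Database credentials live in a separate file that this handler never rewrites.
function validate_settings(array $post): array
{
    $errors = [];
    $clean  = [];
    // timezone: accept only identifiers PHP itself knows (allow-list, not blacklist).
    $tz = $post['timezone'] ?? '';
    if (!is_string($tz) || !in_array($tz, timezone_identifiers_list(), true)) {
        $errors[] = 'timezone: unknown identifier';
    } else {
        $clean['timezone'] = $tz;
    }
    // Integer settings: FILTER_VALIDATE_INT rejects anything but a plain integer
    // inside the configured range, so no string ever reaches the file for these.
    foreach (['postboxsize' => [1, 1000], 'botoffline' => [1, 86400]] as $name => [$min, $max]) {
        $v = filter_var($post[$name] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]);
        if ($v === false) {
            $errors[] = "$name: must be an integer between $min and $max";
        } else {
            $clean[$name] = $v;
        }
    }
    return [$clean, $errors];
}

// Emit the settings as a PHP array literal via var_export(): quoting and escaping
// are done by PHP, so no value can close the string and start a statement.
// Requesting the file directly just returns an array and executes nothing else.
function render_config(array $clean): string
{
    return "<?php\nreturn " . var_export($clean, true) . ";\n";
}

// Write to a temp file and rename over the old one, so a failed request cannot
// leave a half-written config behind.
function write_config(string $path, array $clean): void
{
    $tmp = $path . '.tmp.' . bin2hex(random_bytes(4));
    file_put_contents($tmp, render_config($clean), LOCK_EX);
    rename($tmp, $path);
}

[$clean, $errors] = validate_settings($_POST);
if ($errors) { http_response_code(400); exit(implode("\n", $errors)); }
write_config(__DIR__ . '/settings.php', $clean);  // consumers: $cfg = require 'settings.php';
```

Consumers read the file with `require` and get an array back; nothing in it is ever interpolated into PHP source, which is the property the original config writer lacked.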
dR.fAn0
Posted December 9, 2014

Re: Dendroid vulnerability

Any way to change the connecting port...?? Port 80 is blocked by my ISP.